Merge "cleanup of module001-ch007-keystone-arch"
commit 1cef7b7f18
@ -11,11 +11,11 @@
|
|||||||
functions:</para>
|
functions:</para>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>User management. Tracks users and their
|
<para>User management: Tracks users and their
|
||||||
permissions.</para>
|
permissions.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Service catalog. Provides a catalog of available
|
<para>Service catalog: Provides a catalog of available
|
||||||
services with their API endpoints.</para>
|
services with their API endpoints.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
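Review bot: Switching the label terminator from a period to a colon is applied consistently to both items, which is good, but these two entries ("User management", "Service catalog") are definitions of the same kind as the <varlistentry>/<term> glossary used later in this file for "Role"; using that markup here instead of a bare <para> with a colon would keep the definition style uniform across the chapter.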
@ -26,7 +26,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Digital representation of a person, system, or service
|
<para>Digital representation of a person, system, or service
|
||||||
who uses OpenStack cloud services. Identity authentication
|
who uses OpenStack cloud services. Identity authentication
|
||||||
services will validate that incoming request are being
|
services will validate that incoming requests are being
|
||||||
made by the user who claims to be making the call. Users
|
made by the user who claims to be making the call. Users
|
||||||
have a login and may be assigned tokens to access
|
have a login and may be assigned tokens to access
|
||||||
resources. Users may be directly assigned to a particular
|
resources. Users may be directly assigned to a particular
|
||||||
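Review bot: The number agreement fix ("incoming request" to "incoming requests") is correct, but the same sentence still opens with "a person, system, or service who uses OpenStack cloud services"; "who" does not fit "system" or "service", so "that uses" would be the better relative pronoun while this sentence is being touched.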
@ -115,12 +115,12 @@
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">Role</emphasis></term>
|
<term><emphasis role="bold">Role</emphasis></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>A personality that a user assumes that enables them to
|
<para>A personality that a user assumes which enables them to
|
||||||
perform a specific set of operations. A role includes a
|
perform a specific set of operations. A role includes a
|
||||||
set of rights and privileges. A user assuming that role
|
set of rights and privileges. A user assuming that role
|
||||||
inherits those rights and privileges.</para>
|
inherits those rights and privileges.</para>
|
||||||
<para>In the Identity Service, a token that is issued to a
|
<para>In the Identity Service, a token that is issued to a
|
||||||
user includes the list of roles that user can assume.
|
user includes the list of roles that a user can assume.
|
||||||
Services that are being called by that user determine how
|
Services that are being called by that user determine how
|
||||||
they interpret the set of roles a user has and which
|
they interpret the set of roles a user has and which
|
||||||
operations or resources each role grants access to.</para>
|
operations or resources each role grants access to.</para>
|
||||||
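Review bot: Two of the wording changes in this hunk weaken the meaning rather than clean it up. "A personality that a user assumes which enables them" turns a restrictive clause into a non-restrictive one; the original "that enables them" was grammatically right. More importantly, "the list of roles that user can assume" referred to the specific user the token was issued to, and "the list of roles that a user can assume" loses that referent and could be read as any user; suggest reverting both to the original text.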
@ -168,7 +168,7 @@
|
|||||||
<screen><prompt>$</prompt> <userinput>keystone role-create --name=compute-user</userinput></screen>
|
<screen><prompt>$</prompt> <userinput>keystone role-create --name=compute-user</userinput></screen>
|
||||||
<para>The Identity service associates a user with a tenant
|
<para>The Identity service associates a user with a tenant
|
||||||
and a role. To continue with our previous examples, we may
|
and a role. To continue with our previous examples, we may
|
||||||
wish to assign the "alice" user the "compute-user" role in
|
assign the "alice" user the "compute-user" role in
|
||||||
the "acme" tenant:</para>
|
the "acme" tenant:</para>
|
||||||
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
|
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
|
||||||
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2</userinput></screen>
|
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2</userinput></screen>
|
||||||
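Review bot: Tightening "we may wish to assign" to "we may assign" is fine, but the IDs passed to keystone user-role-add (--user=892585 --role=9a764e --tenant-id=6b8fd2) are not obtained anywhere in the visible context: only keystone user-list is shown before the command, so the reader has no indication where the role and tenant IDs come from. A sentence noting that the role and tenant IDs come from the matching keystone role-list and tenant-list output would make the example reproducible.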
@ -192,7 +192,7 @@
|
|||||||
accessible by any user that has any role in a
|
accessible by any user that has any role in a
|
||||||
tenant.</para>
|
tenant.</para>
|
||||||
<para>If you wish to restrict users from performing
|
<para>If you wish to restrict users from performing
|
||||||
operations in, say, the Compute service, you need to
|
operations in the Compute service, you need to
|
||||||
create a role in the Identity service and then modify
|
create a role in the Identity service and then modify
|
||||||
<filename>/etc/nova/policy.json</filename> so that this
|
<filename>/etc/nova/policy.json</filename> so that this
|
||||||
role is required for Compute operations.</para>
|
role is required for Compute operations.</para>
|
||||||
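Review bot: Removing "say," narrows the sentence to the Compute service specifically, whereas the original was offering Compute as one illustration of a general pattern (the preceding context says resources are "accessible by any user that has any role in a tenant" by default). If the intent is still that every service is restricted the same way through its own policy.json, consider rephrasing as "operations in a service such as Compute" so the generalization is not lost.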
@ -219,7 +219,7 @@
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
<para>The Identity Service also maintains a user that
|
<para>The Identity Service also maintains a user that
|
||||||
corresponds to each service, such as a user named nova,
|
corresponds to each service, such as a user named nova,
|
||||||
for the Compute service) and a special service tenant,
|
(for the Compute service) and a special service tenant,
|
||||||
which is called service.</para>
|
which is called service.</para>
|
||||||
<para>The commands for creating services and endpoints are
|
<para>The commands for creating services and endpoints are
|
||||||
described in a later section.</para>
|
described in a later section.</para>
|
||||||
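Review bot: The missing opening parenthesis before "for the Compute service)" is correctly restored, but the literal names in this paragraph ("a user named nova", "a special service tenant, which is called service") are still plain text; since this file already uses <filename> for /etc/nova/policy.json, wrapping nova and service in <literal> would make it clear they are exact identifiers rather than descriptive words.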