diff --git a/doc/training-guides/module001-ch007-keystone-arch.xml b/doc/training-guides/module001-ch007-keystone-arch.xml index ca0837842b..9a3468e104 100644 --- a/doc/training-guides/module001-ch007-keystone-arch.xml +++ b/doc/training-guides/module001-ch007-keystone-arch.xml @@ -1,14 +1,13 @@ Keystone Architecture - More Content To be Added ... - - Identity Service Concepts - The Identity service performs the following + + The Identity service performs these functions: 
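Review bot: the hunk drops the "Identity Service Concepts" title (the removed `- Identity Service Concepts` line) but keeps everything that sat under it, so the concept list now hangs directly below "Keystone Architecture" with only "The Identity service performs these functions:" introducing it; confirm that no other chapter of the training guide links to the dropped section and that the function list the new intro sentence promises still follows it, since the hunk ends at the colon and the list itself is not visible here. Removing the "More Content To be Added ..." placeholder is fine.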
@@ -20,163 +19,212 @@ services with their API endpoints. - To understand the Identity Service, you must understand the - following concepts: - - User - Digital representation of a person, system, or service who - uses OpenStack cloud services. Identity authentication - services will validate that incoming request are being made by - the user who claims to be making the call. Users have a login - and may be assigned tokens to access resources. Users may be - directly assigned to a particular tenant and behave as if they - are contained in that tenant. - - Credentials - Data that is known only by a user that proves who they - are. In the Identity Service, examples are: - + To understand the Identity Service, you must understand these concepts: + + + User - Username and password + Digital representation of a person, system, or service + who uses OpenStack cloud services. Identity authentication + services will validate that incoming request are being + made by the user who claims to be making the call. Users + have a login and may be assigned tokens to access + resources. Users may be directly assigned to a particular + tenant and behave as if they are contained in that + tenant. + + + Credentials - Username and API key + Data that is known only by a user that proves who they + are. In the Identity Service, examples are: + + + Username and password + + + Username and API key + + + An authentication token provided by the Identity + Service + + + + + Authentication - An authentication token provided by the Identity - Service + The act of confirming the identity of a user. The + Identity Service confirms an incoming request by + validating a set of credentials supplied by the user. + These credentials are initially a username and password or + a username and API key. In response to these credentials, + the Identity Service issues the user an authentication + token, which the user provides in subsequent + requests. 
- - - Authentication - The act of confirming the identity of a user. The Identity - Service confirms an incoming request by validating a set of - credentials supplied by the user. These credentials are - initially a username and password or a username and API key. - In response to these credentials, the Identity Service issues - the user an authentication token, which the user provides in - subsequent requests. - - Token - An arbitrary bit of text that is used to access resources. - Each token has a scope which describes which resources are - accessible with it. A token may be revoked at anytime and is - valid for a finite duration. - While the Identity Service supports token-based - authentication in this release, the intention is for it to - support additional protocols in the future. The intent is for - it to be an integration service foremost, and not aspire to be - a full-fledged identity store and management solution. - - Tenant - A container used to group or isolate resources and/or - identity objects. Depending on the service operator, a tenant - may map to a customer, account, organization, or - project. - - Service - An OpenStack service, such as Compute (Nova), Object - Storage (Swift), or Image Service (Glance). Provides one or - more endpoints through which users can access resources and - perform operations. - - Endpoint - An network-accessible address, usually described by URL, - from where you access a service. If using an extension for - templates, you can create an endpoint template, which - represents the templates of all the consumable services that - are available across the regions. - - Role - A personality that a user assumes that enables them to - perform a specific set of operations. A role includes a set of - rights and privileges. A user assuming that role inherits - those rights and privileges. - In the Identity Service, a token that is issued to a user - includes the list of roles that user can assume. 
Services that - are being called by that user determine how they interpret the - set of roles a user has and which operations or resources each - role grants access to. -
- Keystone Authentication - - - - - -
- - User management - The main components of Identity user management are: - - - Users - - - Tenants - - - Roles - - - A userrepresents a human user, and has associated - information such as username, password and email. This example - creates a user named "alice": - $ keystone user-create --name=alice --pass=mypassword123 - --email=alice@example.com - A tenantcan be a project, group, or organization. Whenever - you make requests to OpenStack services, you must specify a - tenant. For example, if you query the Compute service for a list - of running instances, you will receive a list of all of the - running instances in the tenant you specified in your query. - This example creates a tenant named "acme": - $ keystone tenant-create --name=acmeA rolecaptures what - operations a user is permitted to perform in a given tenant. - This example creates a role named "compute-user": - $ keystone role-create --name=compute-userThe Identity - service associates a user with a tenant and a role. To continue - with our previous examples, we may wish to assign the "alice" - user the "compute-user" role in the "acme" tenant: - $ keystone user-list - $ keystone user-role-add --user=892585 --role=9a764e - --tenant-id=6b8fd2 - A user can be assigned different roles in different tenants: - for example, Alice may also have the "admin" role in the - "Cyberdyne" tenant. A user can also be assigned multiple roles - in the same tenant. - The /etc/[SERVICE_CODENAME]/policy.json controls what users - are allowed to do for a given service. For example, - /etc/nova/policy.json specifies the access policy for the - Compute service, /etc/glance/policy.json specifies the access - policy for the Image service, and /etc/keystone/policy.json - specifies the access policy for the Identity service. 
- The default policy.json files in the Compute, Identity, and - Image service recognize only the admin role: all operations that - do not require the admin role will be accessible by any user - that has any role in a tenant. - If you wish to restrict users from performing operations in, - say, the Compute service, you need to create a role in the - Identity service and then modify /etc/nova/policy.json so that - this role is required for Compute operations. - For example, this line in /etc/nova/policy.json specifies - that there are no restrictions on which users can create - volumes: if the user has any role in a tenant, they will be able - to create volumes in that tenant. - Service Management - The Identity Service provides the following service - management functions: - - - Services - - - Endpoints - - - The Identity Service also maintains a user that corresponds - to each service (such as, a user named nova, for the Compute - service) and a special service tenant, which is called - service. - The commands for creating services and endpoints are - described in a later section. + + + + Token + + An arbitrary bit of text that is used to access + resources. Each token has a scope which describes which + resources are accessible with it. A token may be revoked + at anytime and is valid for a finite duration. + While the Identity Service supports token-based + authentication in this release, the intention is for it to + support additional protocols in the future. The intent is + for it to be an integration service foremost, and not + aspire to be a full-fledged identity store and management + solution. + + + + Tenant + + A container used to group or isolate resources and/or + identity objects. Depending on the service operator, a + tenant may map to a customer, account, organization, or + project. + + + + + Service + + An OpenStack service, such as Compute (Nova), Object + Storage (Swift), or Image Service (Glance). 
Provides one + or more endpoints through which users can access resources + and perform operations. + + + + Endpoint + + An network-accessible address, usually described by + URL, from where you access a service. If using an + extension for templates, you can create an endpoint + template, which represents the templates of all the + consumable services that are available across the + regions. + + + + Role + + A personality that a user assumes that enables them to + perform a specific set of operations. A role includes a + set of rights and privileges. A user assuming that role + inherits those rights and privileges. + In the Identity Service, a token that is issued to a + user includes the list of roles that user can assume. + Services that are being called by that user determine how + they interpret the set of roles a user has and which + operations or resources each role grants access to. +
+ Keystone Authentication + + + + + +
+
+
+ + + User management + + The main components of Identity user management + are: + + + Users + + + Tenants + + + Roles + + + A user represents a human user, and has associated + information such as username, password and email. This + example creates a user named "alice": + $ keystone user-create --name=alice --pass=mypassword123 --email=alice@example.com + A tenant can be a project, group, or organization. + Whenever you make requests to OpenStack services, you must + specify a tenant. For example, if you query the Compute + service for a list of running instances, you get a list of + all running instances for the specified tenant. This + example creates a tenant named "acme": + $ keystone tenant-create --name=acme + A role captures what operations a user is permitted to + perform in a given tenant. This example creates a role + named "compute-user": + $ keystone role-create --name=compute-user + The Identity service associates a user with a tenant + and a role. To continue with our previous examples, we may + wish to assign the "alice" user the "compute-user" role in + the "acme" tenant: + $ keystone user-list + $ keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2 + A user can be assigned different roles in different + tenants. For example, Alice may also have the "admin" role + in the "Cyberdyne" tenant. A user can also be assigned + multiple roles in the same tenant. + The + /etc/[SERVICE_CODENAME]/policy.json + file controls what users are allowed to do for a given + service. For example, + /etc/nova/policy.json specifies the + access policy for the Compute service, + /etc/glance/policy.json specifies + the access policy for the Image service, and + /etc/keystone/policy.json specifies + the access policy for the Identity service. 
+ The default policy.json files in the Compute, + Identity, and Image service recognize only the admin role: + all operations that do not require the admin role will be + accessible by any user that has any role in a + tenant. + If you wish to restrict users from performing + operations in, say, the Compute service, you need to + create a role in the Identity service and then modify + /etc/nova/policy.json so that this + role is required for Compute operations. + For example, this line in + /etc/nova/policy.json specifies + that there are no restrictions on which users can create + volumes: if the user has any role in a tenant, they will + be able to create volumes in that tenant. + + + + Service + Management + + The Identity Service provides the following service + management functions: + + + Services + + + Endpoints + + + The Identity Service also maintains a user that + corresponds to each service, such as a user named nova, + for the Compute service) and a special service tenant, + which is called service. + The commands for creating services and endpoints are + described in a later section. + + + +
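Review bot: the sentence "For example, this line in /etc/nova/policy.json specifies that there are no restrictions on which users can create volumes" refers to a policy line that never appears in the hunk; either quote the actual rule from policy.json after that sentence or drop the "this line" wording, because as written the reader cannot see which rule lets any role in a tenant create volumes. Two further defects in the reflowed text: the service-user sentence now reads "corresponds to each service, such as a user named nova, for the Compute service) and a special service tenant" with a closing parenthesis whose opening one was lost (the removed line had "(such as, a user named nova, for the Compute service)"), and two grammar errors are carried over unchanged, "validate that incoming request are being made" (requests) and "An network-accessible address" (A network-accessible address). In the user-management example, "$ keystone user-list" is the only lookup shown, yet the next command passes "--role=9a764e --tenant-id=6b8fd2"; add "keystone role-list" and "keystone tenant-list" (or state where the role and tenant IDs come from) so the procedure is reproducible. Finally, "$ keystone user-create --name=alice --pass=mypassword123 --email=alice@example.com" puts the password on the command line, where it is recorded in shell history and visible to other local users in the process list; a one-line caveat about that in a training guide would be worthwhile.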