cleaned up module001-ch007-keystone-arch keystone-arch

added space between user and represents
added space between tenant and can

Change-Id: I8fc350d66fed9f0ecdcdf0daa456e1e91396d545
This commit is contained in:
Shilla Saebi 2014-01-21 22:46:51 -05:00 committed by Diane Fleming
parent b362824b7c
commit 23af173c1b


@ -1,14 +1,13 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<chapter xmlns="http://docbook.org/ns/docbook" <chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
version="5.0"
xml:id="module001-ch007-keystone-arch"> xml:id="module001-ch007-keystone-arch">
<title>Keystone Architecture</title> <title>Keystone Architecture</title>
<para>More Content To be Added ...</para> <!--<para>More Content To be Added ...</para>
<section xml:id="module001-ch007-keystone-arch-concepts">
<para><guilabel>Identity Service Concepts</guilabel></para> <title>Identity Service Concepts</title> -->
<para>The Identity service performs the following <para>The Identity service performs these
functions:</para> functions:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
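Review bot: the commented-out `<section xml:id="module001-ch007-keystone-arch-concepts">` opener (with its `<title>` in the same comment) leaves dead markup in the source, and its closing tag then has to be kept commented out in step at the end of the file. If the concepts section is not going to be real, drop the placeholder paragraph and the `xml:id` outright rather than hiding them in a comment; if it is, restore it as a live `<section>` so the id remains a valid xref target. Moving `version="5.0"` onto the `xmlns:xlink` line is fine.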
@ -20,19 +19,24 @@
services with their API endpoints.</para> services with their API endpoints.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>To understand the Identity Service, you must understand the <para>To understand the Identity Service, you must understand these concepts:</para>
following concepts:</para> <variablelist wordsize="10">
<varlistentry>
<para><guilabel>User</guilabel></para> <term><emphasis role="bold">User</emphasis></term>
<para>Digital representation of a person, system, or service who <listitem>
uses OpenStack cloud services. Identity authentication <para>Digital representation of a person, system, or service
services will validate that incoming request are being made by who uses OpenStack cloud services. Identity authentication
the user who claims to be making the call. Users have a login services will validate that incoming request are being
and may be assigned tokens to access resources. Users may be made by the user who claims to be making the call. Users
directly assigned to a particular tenant and behave as if they have a login and may be assigned tokens to access
are contained in that tenant.</para> resources. Users may be directly assigned to a particular
tenant and behave as if they are contained in that
<para><guilabel>Credentials</guilabel></para> tenant.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Credentials</emphasis></term>
<listitem>
<para>Data that is known only by a user that proves who they <para>Data that is known only by a user that proves who they
are. In the Identity Service, examples are:</para> are. In the Identity Service, examples are:</para>
<itemizedlist> <itemizedlist>
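Review bot: since this hunk rewraps the User entry anyway, fix the grammar in it too: "validate that incoming request are being made" should read "validate that incoming requests are being made". Also, `wordsize="10"` on `<variablelist>` is not an attribute I know from the DocBook 5 schema (the schema's term-width control is `termlength`); confirm the build's validation accepts it before relying on it.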
@ -47,67 +51,95 @@
Service</para> Service</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem>
<para><guilabel>Authentication</guilabel></para> </varlistentry>
<para>The act of confirming the identity of a user. The Identity <varlistentry>
Service confirms an incoming request by validating a set of <term><emphasis role="bold">Authentication</emphasis></term>
credentials supplied by the user. These credentials are <listitem>
initially a username and password or a username and API key. <para>The act of confirming the identity of a user. The
In response to these credentials, the Identity Service issues Identity Service confirms an incoming request by
the user an authentication token, which the user provides in validating a set of credentials supplied by the user.
subsequent requests.</para> These credentials are initially a username and password or
a username and API key. In response to these credentials,
<para><guilabel>Token</guilabel></para> the Identity Service issues the user an authentication
<para>An arbitrary bit of text that is used to access resources. token, which the user provides in subsequent
Each token has a scope which describes which resources are requests.</para>
accessible with it. A token may be revoked at anytime and is </listitem>
valid for a finite duration.</para> </varlistentry>
<varlistentry>
<term>
<emphasis role="bold">Token</emphasis></term>
<listitem>
<para>An arbitrary bit of text that is used to access
resources. Each token has a scope which describes which
resources are accessible with it. A token may be revoked
at anytime and is valid for a finite duration.</para>
<para>While the Identity Service supports token-based <para>While the Identity Service supports token-based
authentication in this release, the intention is for it to authentication in this release, the intention is for it to
support additional protocols in the future. The intent is for support additional protocols in the future. The intent is
it to be an integration service foremost, and not aspire to be for it to be an integration service foremost, and not
a full-fledged identity store and management solution.</para> aspire to be a full-fledged identity store and management
solution.</para>
<para><guilabel>Tenant</guilabel></para> </listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Tenant</emphasis></term>
<listitem>
<para>A container used to group or isolate resources and/or <para>A container used to group or isolate resources and/or
identity objects. Depending on the service operator, a tenant identity objects. Depending on the service operator, a
may map to a customer, account, organization, or tenant may map to a customer, account, organization, or
project.</para> project.</para>
</listitem>
<para><guilabel>Service</guilabel></para> </varlistentry>
<varlistentry>
<term>
<emphasis role="bold">Service</emphasis></term>
<listitem>
<para>An OpenStack service, such as Compute (Nova), Object <para>An OpenStack service, such as Compute (Nova), Object
Storage (Swift), or Image Service (Glance). Provides one or Storage (Swift), or Image Service (Glance). Provides one
more endpoints through which users can access resources and or more endpoints through which users can access resources
perform operations.</para> and perform operations.</para>
</listitem>
<para><guilabel>Endpoint</guilabel></para> </varlistentry>
<para>An network-accessible address, usually described by URL, <varlistentry>
from where you access a service. If using an extension for <term><emphasis role="bold">Endpoint</emphasis></term>
templates, you can create an endpoint template, which <listitem>
represents the templates of all the consumable services that <para>An network-accessible address, usually described by
are available across the regions.</para> URL, from where you access a service. If using an
extension for templates, you can create an endpoint
<para><guilabel>Role</guilabel></para> template, which represents the templates of all the
consumable services that are available across the
regions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Role</emphasis></term>
<listitem>
<para>A personality that a user assumes that enables them to <para>A personality that a user assumes that enables them to
perform a specific set of operations. A role includes a set of perform a specific set of operations. A role includes a
rights and privileges. A user assuming that role inherits set of rights and privileges. A user assuming that role
those rights and privileges.</para> inherits those rights and privileges.</para>
<para>In the Identity Service, a token that is issued to a user <para>In the Identity Service, a token that is issued to a
includes the list of roles that user can assume. Services that user includes the list of roles that user can assume.
are being called by that user determine how they interpret the Services that are being called by that user determine how
set of roles a user has and which operations or resources each they interpret the set of roles a user has and which
role grants access to.</para> operations or resources each role grants access to.</para>
<figure> <figure>
<title>Keystone Authentication</title> <title>Keystone Authentication</title>
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata fileref="figures/image19.png"/> <imagedata fileref="figures/image19.png" contentwidth="4in" scale="50" width="4in"/>
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</figure> </figure>
</listitem>
<para><guilabel>User management</guilabel></para> </varlistentry>
<para>The main components of Identity user management are:</para> <varlistentry>
<term>
<emphasis role="bold">User management</emphasis></term>
<listitem>
<para>The main components of Identity user management
are:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Users</para> <para>Users</para>
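Review bot: two wording defects survive the rewrap in the Token and Endpoint entries: "revoked at anytime" should be "revoked at any time", and "An network-accessible address" should be "A network-accessible address". The `<imagedata>` now carries `contentwidth="4in"`, `scale="50"` and `width="4in"` together; `contentwidth` and `scale` both control the rendered content size, so one of them is redundant and the figure may size differently between HTML and PDF output. Keep the attribute the build actually honours. The Token and Service entries also split `<term>` and `<emphasis>` across two lines while the other entries keep them on one; make them consistent.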
@ -120,49 +152,61 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>A user represents a human user, and has associated <para>A user represents a human user, and has associated
information such as username, password and email. This example information such as username, password and email. This
creates a user named "alice":</para> example creates a user named "alice":</para>
<para>$ keystone user-create --name=alice --pass=mypassword123 <screen><prompt>$</prompt> <userinput>keystone user-create --name=alice --pass=mypassword123 --email=alice@example.com</userinput></screen>
--email=alice@example.com</para> <para>A tenant can be a project, group, or organization.
<para>A tenantcan be a project, group, or organization. Whenever Whenever you make requests to OpenStack services, you must
you make requests to OpenStack services, you must specify a specify a tenant. For example, if you query the Compute
tenant. For example, if you query the Compute service for a list service for a list of running instances, you get a list of
of running instances, you will receive a list of all of the all running instances for the specified tenant. This
running instances in the tenant you specified in your query. example creates a tenant named "acme":</para>
This example creates a tenant named "acme":</para> <screen><prompt>$</prompt> <userinput>keystone tenant-create --name=acme</userinput></screen>
<para>$ keystone tenant-create --name=acmeA rolecaptures what <para>A role captures what operations a user is permitted to
operations a user is permitted to perform in a given tenant. perform in a given tenant. This example creates a role
This example creates a role named "compute-user":</para> named "compute-user":</para>
<para>$ keystone role-create --name=compute-userThe Identity <screen><prompt>$</prompt> <userinput>keystone role-create --name=compute-user</userinput></screen>
service associates a user with a tenant and a role. To continue <para>The Identity service associates a user with a tenant
with our previous examples, we may wish to assign the "alice" and a role. To continue with our previous examples, we may
user the "compute-user" role in the "acme" tenant:</para> wish to assign the "alice" user the "compute-user" role in
<para>$ keystone user-list</para> the "acme" tenant:</para>
<para>$ keystone user-role-add --user=892585 --role=9a764e <screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
--tenant-id=6b8fd2</para> <screen><prompt>$</prompt> <userinput>keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2</userinput></screen>
<para>A user can be assigned different roles in different tenants: <para>A user can be assigned different roles in different
for example, Alice may also have the "admin" role in the tenants. For example, Alice may also have the "admin" role
"Cyberdyne" tenant. A user can also be assigned multiple roles in the "Cyberdyne" tenant. A user can also be assigned
in the same tenant.</para> multiple roles in the same tenant.</para>
<para>The /etc/[SERVICE_CODENAME]/policy.json controls what users <para>The
are allowed to do for a given service. For example, <filename>/etc/[SERVICE_CODENAME]/policy.json</filename>
/etc/nova/policy.json specifies the access policy for the file controls what users are allowed to do for a given
Compute service, /etc/glance/policy.json specifies the access service. For example,
policy for the Image service, and /etc/keystone/policy.json <filename>/etc/nova/policy.json</filename> specifies the
specifies the access policy for the Identity service.</para> access policy for the Compute service,
<para>The default policy.json files in the Compute, Identity, and <filename>/etc/glance/policy.json</filename> specifies
Image service recognize only the admin role: all operations that the access policy for the Image service, and
do not require the admin role will be accessible by any user <filename>/etc/keystone/policy.json</filename> specifies
that has any role in a tenant.</para> the access policy for the Identity service.</para>
<para>If you wish to restrict users from performing operations in, <para>The default policy.json files in the Compute,
say, the Compute service, you need to create a role in the Identity, and Image service recognize only the admin role:
Identity service and then modify /etc/nova/policy.json so that all operations that do not require the admin role will be
this role is required for Compute operations.</para> accessible by any user that has any role in a
<para>For example, this line in /etc/nova/policy.json specifies tenant.</para>
<para>If you wish to restrict users from performing
operations in, say, the Compute service, you need to
create a role in the Identity service and then modify
<filename>/etc/nova/policy.json</filename> so that this
role is required for Compute operations.</para>
<para>For example, this line in
<filename>/etc/nova/policy.json</filename> specifies
that there are no restrictions on which users can create that there are no restrictions on which users can create
volumes: if the user has any role in a tenant, they will be able volumes: if the user has any role in a tenant, they will
to create volumes in that tenant.</para> be able to create volumes in that tenant.</para>
<para><guilabel>Service Management</guilabel></para> </listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Service
Management</emphasis></term>
<listitem>
<para>The Identity Service provides the following service <para>The Identity Service provides the following service
management functions:</para> management functions:</para>
<itemizedlist> <itemizedlist>
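Review bot: the paragraph "For example, this line in /etc/nova/policy.json specifies that there are no restrictions on which users can create volumes" still refers to a line that appears nowhere in the file, in either the old or the new text; add the policy rule it describes (in a `<programlisting>`, matching the `<screen>` treatment the commands now get) or rewrite the sentence so it does not point at missing content. The `keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2` example is preceded only by `keystone user-list`, yet it needs a role ID and a tenant ID as well; show the `user-list` output and the corresponding role and tenant listings so the reader can see where the three IDs come from. Lastly, `keystone user-create --name=alice --pass=mypassword123` puts the password on the command line, where it lands in shell history and process listings; a sentence telling the reader that is worth adding to an admin how-to.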
@ -173,10 +217,14 @@
<para>Endpoints</para> <para>Endpoints</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>The Identity Service also maintains a user that corresponds <para>The Identity Service also maintains a user that
to each service (such as, a user named nova, for the Compute corresponds to each service, such as a user named nova,
service) and a special service tenant, which is called for the Compute service) and a special service tenant,
service.</para> which is called service.</para>
<para>The commands for creating services and endpoints are <para>The commands for creating services and endpoints are
described in a later section.</para> described in a later section.</para>
</listitem>
</varlistentry>
</variablelist>
<!-- </section>-->
</chapter> </chapter>
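Review bot: the rewording in the Service Management paragraph dropped the opening parenthesis but kept the closing one: "corresponds to each service, such as a user named nova, for the Compute service) and a special service tenant" now has an unbalanced ")". Either restore the "(" before "such as" or drop the ")" and the comma after "nova". The trailing `<!-- </section>-->` is the counterpart of the commented-out section opener at the top of the file; remove both together if the placeholder section is being dropped.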