openstack/openstack-manuals
Code Issues Proposed changes

cleaned up module001-ch007-keystone-arch keystone-arch

Browse Source 
added space between user and represents
added space between tenant and can

Change-Id: I8fc350d66fed9f0ecdcdf0daa456e1e91396d545
This commit is contained in:
Shilla Saebi 2014-01-21 22:46:51 -05:00 committed by Diane Fleming
parent b362824b7c
commit 23af173c1b
1 changed files with 207 additions and 159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

366
doc/training-guides/module001-ch007-keystone-arch.xml
View File

@ -1,14 +1,13 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<chapter xmlns="http://docbook.org/ns/docbook" <chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
version="5.0"
xml:id="module001-ch007-keystone-arch"> xml:id="module001-ch007-keystone-arch">
<title>Keystone Architecture</title> <title>Keystone Architecture</title>
<para>More Content To be Added ...</para> <!--<para>More Content To be Added ...</para>
<section xml:id="module001-ch007-keystone-arch-concepts">
<para><guilabel>Identity Service Concepts</guilabel></para> <title>Identity Service Concepts</title> -->
<para>The Identity service performs the following <para>The Identity service performs these
functions:</para> functions:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -20,163 +19,212 @@
services with their API endpoints.</para> services with their API endpoints.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>To understand the Identity Service, you must understand the <para>To understand the Identity Service, you must understand these concepts:</para>
following concepts:</para> <variablelist wordsize="10">
<varlistentry>
<para><guilabel>User</guilabel></para> <term><emphasis role="bold">User</emphasis></term>
<para>Digital representation of a person, system, or service who
uses OpenStack cloud services. Identity authentication
services will validate that incoming request are being made by
the user who claims to be making the call. Users have a login
and may be assigned tokens to access resources. Users may be
directly assigned to a particular tenant and behave as if they
are contained in that tenant.</para>
<para><guilabel>Credentials</guilabel></para>
<para>Data that is known only by a user that proves who they
are. In the Identity Service, examples are:</para>
<itemizedlist>
<listitem> <listitem>
<para>Username and password</para> <para>Digital representation of a person, system, or service
who uses OpenStack cloud services. Identity authentication
services will validate that incoming request are being
made by the user who claims to be making the call. Users
have a login and may be assigned tokens to access
resources. Users may be directly assigned to a particular
tenant and behave as if they are contained in that
tenant.</para>
</listitem> </listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Credentials</emphasis></term>
<listitem> <listitem>
<para>Username and API key</para> <para>Data that is known only by a user that proves who they
are. In the Identity Service, examples are:</para>
<itemizedlist>
<listitem>
<para>Username and password</para>
</listitem>
<listitem>
<para>Username and API key</para>
</listitem>
<listitem>
<para>An authentication token provided by the Identity
Service</para>
</listitem>
</itemizedlist>
</listitem> </listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Authentication</emphasis></term>
<listitem> <listitem>
<para>An authentication token provided by the Identity <para>The act of confirming the identity of a user. The
Service</para> Identity Service confirms an incoming request by
validating a set of credentials supplied by the user.
These credentials are initially a username and password or
a username and API key. In response to these credentials,
the Identity Service issues the user an authentication
token, which the user provides in subsequent
requests.</para>
</listitem> </listitem>
</itemizedlist> </varlistentry>
<varlistentry>
<para><guilabel>Authentication</guilabel></para> <term>
<para>The act of confirming the identity of a user. The Identity <emphasis role="bold">Token</emphasis></term>
Service confirms an incoming request by validating a set of <listitem>
credentials supplied by the user. These credentials are <para>An arbitrary bit of text that is used to access
initially a username and password or a username and API key. resources. Each token has a scope which describes which
In response to these credentials, the Identity Service issues resources are accessible with it. A token may be revoked
the user an authentication token, which the user provides in at anytime and is valid for a finite duration.</para>
subsequent requests.</para> <para>While the Identity Service supports token-based
authentication in this release, the intention is for it to
<para><guilabel>Token</guilabel></para> support additional protocols in the future. The intent is
<para>An arbitrary bit of text that is used to access resources. for it to be an integration service foremost, and not
Each token has a scope which describes which resources are aspire to be a full-fledged identity store and management
accessible with it. A token may be revoked at anytime and is solution.</para>
valid for a finite duration.</para> </listitem>
<para>While the Identity Service supports token-based </varlistentry>
authentication in this release, the intention is for it to <varlistentry>
support additional protocols in the future. The intent is for <term><emphasis role="bold">Tenant</emphasis></term>
it to be an integration service foremost, and not aspire to be <listitem>
a full-fledged identity store and management solution.</para> <para>A container used to group or isolate resources and/or
identity objects. Depending on the service operator, a
<para><guilabel>Tenant</guilabel></para> tenant may map to a customer, account, organization, or
<para>A container used to group or isolate resources and/or project.</para>
identity objects. Depending on the service operator, a tenant </listitem>
may map to a customer, account, organization, or </varlistentry>
project.</para> <varlistentry>
<term>
<para><guilabel>Service</guilabel></para> <emphasis role="bold">Service</emphasis></term>
<para>An OpenStack service, such as Compute (Nova), Object <listitem>
Storage (Swift), or Image Service (Glance). Provides one or <para>An OpenStack service, such as Compute (Nova), Object
more endpoints through which users can access resources and Storage (Swift), or Image Service (Glance). Provides one
perform operations.</para> or more endpoints through which users can access resources
and perform operations.</para>
<para><guilabel>Endpoint</guilabel></para> </listitem>
<para>An network-accessible address, usually described by URL, </varlistentry>
from where you access a service. If using an extension for <varlistentry>
templates, you can create an endpoint template, which <term><emphasis role="bold">Endpoint</emphasis></term>
represents the templates of all the consumable services that <listitem>
are available across the regions.</para> <para>An network-accessible address, usually described by
URL, from where you access a service. If using an
<para><guilabel>Role</guilabel></para> extension for templates, you can create an endpoint
<para>A personality that a user assumes that enables them to template, which represents the templates of all the
perform a specific set of operations. A role includes a set of consumable services that are available across the
rights and privileges. A user assuming that role inherits regions.</para>
those rights and privileges.</para> </listitem>
<para>In the Identity Service, a token that is issued to a user </varlistentry>
includes the list of roles that user can assume. Services that <varlistentry>
are being called by that user determine how they interpret the <term><emphasis role="bold">Role</emphasis></term>
set of roles a user has and which operations or resources each <listitem>
role grants access to.</para> <para>A personality that a user assumes that enables them to
<figure> perform a specific set of operations. A role includes a
<title>Keystone Authentication</title> set of rights and privileges. A user assuming that role
<mediaobject> inherits those rights and privileges.</para>
<imageobject> <para>In the Identity Service, a token that is issued to a
<imagedata fileref="figures/image19.png"/> user includes the list of roles that user can assume.
</imageobject> Services that are being called by that user determine how
</mediaobject> they interpret the set of roles a user has and which
</figure> operations or resources each role grants access to.</para>
<figure>
<para><guilabel>User management</guilabel></para> <title>Keystone Authentication</title>
<para>The main components of Identity user management are:</para> <mediaobject>
<itemizedlist> <imageobject>
<listitem> <imagedata fileref="figures/image19.png" contentwidth="4in" scale="50" width="4in"/>
<para>Users</para> </imageobject>
</listitem> </mediaobject>
<listitem> </figure>
<para>Tenants</para> </listitem>
</listitem> </varlistentry>
<listitem> <varlistentry>
<para>Roles</para> <term>
</listitem> <emphasis role="bold">User management</emphasis></term>
</itemizedlist> <listitem>
<para>A userrepresents a human user, and has associated <para>The main components of Identity user management
information such as username, password and email. This example are:</para>
creates a user named "alice":</para> <itemizedlist>
<para>$ keystone user-create --name=alice --pass=mypassword123 <listitem>
--email=alice@example.com</para> <para>Users</para>
<para>A tenantcan be a project, group, or organization. Whenever </listitem>
you make requests to OpenStack services, you must specify a <listitem>
tenant. For example, if you query the Compute service for a list <para>Tenants</para>
of running instances, you will receive a list of all of the </listitem>
running instances in the tenant you specified in your query. <listitem>
This example creates a tenant named "acme":</para> <para>Roles</para>
<para>$ keystone tenant-create --name=acmeA rolecaptures what </listitem>
operations a user is permitted to perform in a given tenant. </itemizedlist>
This example creates a role named "compute-user":</para> <para>A user represents a human user, and has associated
<para>$ keystone role-create --name=compute-userThe Identity information such as username, password and email. This
service associates a user with a tenant and a role. To continue example creates a user named "alice":</para>
with our previous examples, we may wish to assign the "alice" <screen><prompt>$</prompt> <userinput>keystone user-create --name=alice --pass=mypassword123 --email=alice@example.com</userinput></screen>
user the "compute-user" role in the "acme" tenant:</para> <para>A tenant can be a project, group, or organization.
<para>$ keystone user-list</para> Whenever you make requests to OpenStack services, you must
<para>$ keystone user-role-add --user=892585 --role=9a764e specify a tenant. For example, if you query the Compute
--tenant-id=6b8fd2</para> service for a list of running instances, you get a list of
<para>A user can be assigned different roles in different tenants: all running instances for the specified tenant. This
for example, Alice may also have the "admin" role in the example creates a tenant named "acme":</para>
"Cyberdyne" tenant. A user can also be assigned multiple roles <screen><prompt>$</prompt> <userinput>keystone tenant-create --name=acme</userinput></screen>
in the same tenant.</para> <para>A role captures what operations a user is permitted to
<para>The /etc/[SERVICE_CODENAME]/policy.json controls what users perform in a given tenant. This example creates a role
are allowed to do for a given service. For example, named "compute-user":</para>
/etc/nova/policy.json specifies the access policy for the <screen><prompt>$</prompt> <userinput>keystone role-create --name=compute-user</userinput></screen>
Compute service, /etc/glance/policy.json specifies the access <para>The Identity service associates a user with a tenant
policy for the Image service, and /etc/keystone/policy.json and a role. To continue with our previous examples, we may
specifies the access policy for the Identity service.</para> wish to assign the "alice" user the "compute-user" role in
<para>The default policy.json files in the Compute, Identity, and the "acme" tenant:</para>
Image service recognize only the admin role: all operations that <screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
do not require the admin role will be accessible by any user <screen><prompt>$</prompt> <userinput>keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2</userinput></screen>
that has any role in a tenant.</para> <para>A user can be assigned different roles in different
<para>If you wish to restrict users from performing operations in, tenants. For example, Alice may also have the "admin" role
say, the Compute service, you need to create a role in the in the "Cyberdyne" tenant. A user can also be assigned
Identity service and then modify /etc/nova/policy.json so that multiple roles in the same tenant.</para>
this role is required for Compute operations.</para> <para>The
<para>For example, this line in /etc/nova/policy.json specifies <filename>/etc/[SERVICE_CODENAME]/policy.json</filename>
that there are no restrictions on which users can create file controls what users are allowed to do for a given
volumes: if the user has any role in a tenant, they will be able service. For example,
to create volumes in that tenant.</para> <filename>/etc/nova/policy.json</filename> specifies the
<para><guilabel>Service Management</guilabel></para> access policy for the Compute service,
<para>The Identity Service provides the following service <filename>/etc/glance/policy.json</filename> specifies
management functions:</para> the access policy for the Image service, and
<itemizedlist> <filename>/etc/keystone/policy.json</filename> specifies
<listitem> the access policy for the Identity service.</para>
<para>Services</para> <para>The default policy.json files in the Compute,
</listitem> Identity, and Image service recognize only the admin role:
<listitem> all operations that do not require the admin role will be
<para>Endpoints</para> accessible by any user that has any role in a
</listitem> tenant.</para>
</itemizedlist> <para>If you wish to restrict users from performing
<para>The Identity Service also maintains a user that corresponds operations in, say, the Compute service, you need to
to each service (such as, a user named nova, for the Compute create a role in the Identity service and then modify
service) and a special service tenant, which is called <filename>/etc/nova/policy.json</filename> so that this
service.</para> role is required for Compute operations.</para>
<para>The commands for creating services and endpoints are <para>For example, this line in
described in a later section.</para> <filename>/etc/nova/policy.json</filename> specifies
that there are no restrictions on which users can create
volumes: if the user has any role in a tenant, they will
be able to create volumes in that tenant.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Service
Management</emphasis></term>
<listitem>
<para>The Identity Service provides the following service
management functions:</para>
<itemizedlist>
<listitem>
<para>Services</para>
</listitem>
<listitem>
<para>Endpoints</para>
</listitem>
</itemizedlist>
<para>The Identity Service also maintains a user that
corresponds to each service, such as a user named nova,
for the Compute service) and a special service tenant,
which is called service.</para>
<para>The commands for creating services and endpoints are
described in a later section.</para>
</listitem>
</varlistentry>
</variablelist>
<!-- </section>-->
</chapter> </chapter>