Editing Keystone Services
Edited the document for clarity: addressed punctuation points in the keystone services section, and also added edits to clarify the Identity Concepts section. Moved Content from the Keystone Services section to the Identity Concepts Section.

Change-Id: I94d21ba16f89ea2ba12166bab3f6893091bccbbf
Implements: blueprint installation-guide-improvements
parent 726fa1da31
commit ca395c88ec
@ -16,8 +16,12 @@
|
|||||||
endpoints.</para>
|
endpoints.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
<para>When installing OpenStack Identity service, you must register
|
||||||
|
each service in your OpenStack installation. Identity service
|
||||||
|
can then track which OpenStack services are installed, and
|
||||||
|
where they are located on the network.</para>
|
||||||
<para>To understand OpenStack Identity, you must understand the
|
<para>To understand OpenStack Identity, you must understand the
|
||||||
following concepts:</para>
|
following concepts:</para>
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>User</term>
|
<term>User</term>
|
||||||
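Review bot: The added paragraph writes "OpenStack Identity service" and then "Identity service" with no article, while the rest of this file uses "the Identity Service" (see the Credentials entry). Suggest "When installing the OpenStack Identity Service, you must register each service ... The Identity Service can then track ...". The paragraph also lands between the closing </itemizedlist> and the "To understand OpenStack Identity" lead-in, so a registration instruction now interrupts the run-up to the concept list; consider placing it after the <variablelist> or leaving it in the services section.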
@ -35,10 +39,10 @@
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>Credentials</term>
|
<term>Credentials</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Data that confirms the user's identity. For example, user
|
<para>Data that confirms the user's identity. For
|
||||||
name and password; user name and API key; or an
|
example: user name and password, user name and API
|
||||||
authentication token provided by the Identity
|
key, or an authentication token provided by the
|
||||||
Service.</para>
|
Identity Service.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
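Review bot: In the Credentials <para>, replacing the semicolons with commas makes the series harder to parse, because the first two items each contain "and": "user name and password, user name and API key, or an authentication token". Semicolons are the usual separator for items with internal conjunctions; suggest keeping them and changing only "For example," to "For example:" if the colon is wanted.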
@ -49,7 +53,7 @@
|
|||||||
by validating a set of credentials supplied by the
|
by validating a set of credentials supplied by the
|
||||||
user.</para>
|
user.</para>
|
||||||
<para>These credentials are initially a user name and
|
<para>These credentials are initially a user name and
|
||||||
password; or a user name and API key. When user
|
password, or a user name and API key. When user
|
||||||
credentials are validated, OpenStack Identity issues an
|
credentials are validated, OpenStack Identity issues an
|
||||||
authentication token which the user provides in subsequent
|
authentication token which the user provides in subsequent
|
||||||
requests.</para>
|
requests.</para>
|
||||||
@ -58,34 +62,34 @@
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>Token</term>
|
<term>Token</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>An arbitrary bit of text that is used to access
|
<para>An alpha-numeric string of text used to access
|
||||||
resources. Each token has information which defines
|
OpenStack APIs and resources. A token may be
|
||||||
access to resources. A token may be revoked at any time
|
revoked at any time and is valid for a
|
||||||
and is valid for a finite duration.</para>
|
finite duration.</para>
|
||||||
<para>While OpenStack Identity supports token-based
|
<para>While OpenStack Identity supports token-based
|
||||||
authentication in this release, the intention is
|
authentication in this release, the intention is
|
||||||
to support additional protocols in the future. Its main
|
to support additional protocols in the future.
|
||||||
purpose is to be an integration service, and not aspire to
|
Its main purpose is to be an integration service,
|
||||||
be a full-fledged identity store and management
|
and not aspire to be a full-fledged identity store
|
||||||
solution.</para>
|
and management solution.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>Tenant</term>
|
<term>Tenant</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>A container used to group or isolate resources
|
<para>A container used to group or isolate resources.
|
||||||
and/or identity objects. Depending on the service
|
Tenants also group or isolate identity objects.
|
||||||
operator, a tenant may map to a customer, account,
|
Depending on the service operator, a tenant may map
|
||||||
organization, or project.</para>
|
to a customer, account, organization, or project.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>Service</term>
|
<term>Service</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>An OpenStack service, such as Compute (nova),
|
<para>An OpenStack service, such as Compute (nova),
|
||||||
Object Storage (swift), or Image Service (glance). It
|
Object Storage (swift), or Image Service (glance).
|
||||||
provides one or more endpoints through which users can
|
It provides one or more endpoints in which
|
||||||
access resources and perform operations.</para>
|
users can access resources and perform operations.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
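Review bot: The rewritten Token <para> drops "Each token has information which defines access to resources", which was the only statement that a token carries the scope of what its bearer may access; readers now learn only that a token can be revoked and expires. Suggest restoring that sentence. "An alpha-numeric string of text" is also narrower than the original "arbitrary bit of text", so confirm it holds for every token format this release issues, or keep the looser wording. In the Service entry, "endpoints in which users can access resources" should stay "through which".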
@ -110,6 +114,17 @@
|
|||||||
resources each role grants access.</para>
|
resources each role grants access.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term>Keystone Client</term>
|
||||||
|
<listitem>
|
||||||
|
<para>A command line interface for the OpenStack
|
||||||
|
Identity API. For example, users can run the
|
||||||
|
<command>keystone service-create</command> and
|
||||||
|
<command>keystone endpoint-create</command> commands
|
||||||
|
to register services in their OpenStack
|
||||||
|
installations.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
<para>The following diagram shows the OpenStack Identity process
|
<para>The following diagram shows the OpenStack Identity process
|
||||||
flow:</para>
|
flow:</para>
|
||||||
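Review bot: The new Keystone Client <varlistentry> says "users can run" keystone service-create and keystone endpoint-create, but the procedure in the services file runs them authenticated with OS_SERVICE_TOKEN, so this wording reads as if any user can register services. Suggest "administrators can run" or naming the required authentication. A command-line tool is also an odd fit in a list introduced as concepts to understand, and the one-line descriptions removed from the services file ("Describes the service", "Associates API endpoints with the service") would be worth carrying over here.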
@ -117,12 +132,12 @@
|
|||||||
<imageobject role="fo">
|
<imageobject role="fo">
|
||||||
<imagedata
|
<imagedata
|
||||||
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
|
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
|
||||||
format="PNG" scale="40"/>
|
format="PNG" contentwidth="6in"/>
|
||||||
</imageobject>
|
</imageobject>
|
||||||
<imageobject role="html">
|
<imageobject role="html">
|
||||||
<imagedata
|
<imagedata
|
||||||
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
|
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
|
||||||
format="PNG" scale="10"/>
|
format="PNG" contentwidth="6in"/>
|
||||||
</imageobject>
|
</imageobject>
|
||||||
</mediaobject>
|
</mediaobject>
|
||||||
</section>
|
</section>
|
||||||
|
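Review bot: The switch from scale="40" and scale="10" to contentwidth="6in" on both <imagedata> elements is a rendering change that the commit message (punctuation and clarity edits) does not mention. Either note it in the message or split it into its own change. Also confirm that a fixed 6in width is intended for the role="html" output as well as role="fo", since the two previously used different scale values.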
@ -2,25 +2,12 @@
|
|||||||
xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="keystone-services"
|
xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="keystone-services"
|
||||||
version="5.0" os="rhel;centos;fedora;opensuse;sles;ubuntu">
|
version="5.0" os="rhel;centos;fedora;opensuse;sles;ubuntu">
|
||||||
<title>Define services and API endpoints</title>
|
<title>Define services and API endpoints</title>
|
||||||
<para>So that the Identity Service can track which OpenStack services are
|
|
||||||
installed and where they are located on the network, you must register each
|
|
||||||
service in your OpenStack installation. To register a service, run these
|
|
||||||
commands:</para>
|
|
||||||
<itemizedlist>
|
|
||||||
<listitem>
|
|
||||||
<para><command>keystone service-create</command>. Describes the
|
|
||||||
service.</para>
|
|
||||||
</listitem>
|
|
||||||
<listitem>
|
|
||||||
<para><command>keystone endpoint-create</command>. Associates
|
|
||||||
<glossterm baseform="API endpoint">API endpoints</glossterm>
|
|
||||||
with the service.</para>
|
|
||||||
</listitem>
|
|
||||||
</itemizedlist>
|
|
||||||
<para>You must also register the Identity Service itself. Use the
|
|
||||||
<code>OS_SERVICE_TOKEN</code> environment variable, as set previously, for
|
|
||||||
authentication.</para>
|
|
||||||
<procedure>
|
<procedure>
|
||||||
|
<step>
|
||||||
|
<para>Register the identity service itself using the
|
||||||
|
<code>OS_SERVICE_TOKEN</code> environment variable, as set
|
||||||
|
previously, for authentication.</para>
|
||||||
|
</step>
|
||||||
<step>
|
<step>
|
||||||
<para>Create a service entry for the Identity Service:</para>
|
<para>Create a service entry for the Identity Service:</para>
|
||||||
<screen><prompt>$</prompt> <userinput>keystone service-create --name=keystone --type=identity \
|
<screen><prompt>$</prompt> <userinput>keystone service-create --name=keystone --type=identity \
|
||||||
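Review bot: The added first <step> ("Register the identity service itself using the OS_SERVICE_TOKEN environment variable ...") is not an action of its own: the two steps after it are how the registration is done, so the procedure now opens with a summary of itself. Suggest keeping this sentence as a <para> before <procedure>, as it was, and writing "Identity Service" with the capitalisation used in the following step. The removal also loses the <glossterm baseform="API endpoint"> link, which the replacement text in the concepts file does not restore.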
@ -33,15 +20,16 @@
|
|||||||
| name | keystone |
|
| name | keystone |
|
||||||
| type | identity |
|
| type | identity |
|
||||||
+-------------+----------------------------------+</computeroutput></screen>
|
+-------------+----------------------------------+</computeroutput></screen>
|
||||||
<para>The service ID is randomly generated and is different from the one
|
<para>The service ID is randomly generated and is different from
|
||||||
shown here.</para>
|
the one shown here.</para>
|
||||||
</step>
|
</step>
|
||||||
<step>
|
<step>
|
||||||
<para>Specify an API endpoint for the Identity Service by using the
|
<para>Specify an API endpoint for the Identity Service by using
|
||||||
returned service ID. When you specify an endpoint, you provide URLs for
|
the returned service ID. When you specify an endpoint, you
|
||||||
the public API, internal API, and admin API. In this guide, the
|
provide URLs for the public API, internal API, and admin API.
|
||||||
<literal>controller</literal> host name is used. Note that the
|
In this guide, the <literal>controller</literal> host name is
|
||||||
Identity Service uses a different port for the admin API.</para>
|
used. Note that the Identity Service uses a different port for
|
||||||
|
the admin API.</para>
|
||||||
<screen><prompt>$</prompt> <userinput>keystone endpoint-create \
|
<screen><prompt>$</prompt> <userinput>keystone endpoint-create \
|
||||||
--service-id=$(keystone service-list | awk '/ identity / {print $2}') \
|
--service-id=$(keystone service-list | awk '/ identity / {print $2}') \
|
||||||
--publicurl=http://<replaceable>controller</replaceable>:5000/v2.0 \
|
--publicurl=http://<replaceable>controller</replaceable>:5000/v2.0 \
|
||||||
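Review bot: Both changed paragraphs in this hunk ("The service ID is randomly generated ..." and "Specify an API endpoint ...") are re-wrapped with no wording change. Pure reflow makes the substantive edits in this commit harder to review and obscures line history; suggest dropping it or moving it to a separate whitespace-only change.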
@ -61,10 +49,10 @@
|
|||||||
</procedure>
|
</procedure>
|
||||||
<note>
|
<note>
|
||||||
<para>
|
<para>
|
||||||
You will need to create an additional endpoint for each service added to
|
You will need to create an additional endpoint for each service
|
||||||
your OpenStack environment. The sections of this guide associated with
|
added to your OpenStack environment. The sections of this guide
|
||||||
the installation of each service include the endpoint creation step
|
associated with the installation of each service include the
|
||||||
specific to the service.
|
endpoint creation step specific to the service.
|
||||||
</para>
|
</para>
|
||||||
</note>
|
</note>
|
||||||
</section>
|
</section>
|
||||||
|