145 lines
6.5 KiB
XML
145 lines
6.5 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="keystone-concepts">
|
|
<?dbhtml stop-chunking?>
|
|
<title>OpenStack Identity</title>
|
|
<para>The OpenStack <glossterm>Identity Service</glossterm> performs the
|
|
following functions:</para>
|
|
<itemizedlist spacing="compact">
|
|
<listitem>
|
|
<para>Tracking users and their permissions.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Providing a catalog of available services with their API
|
|
endpoints.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>When installing OpenStack Identity service, you must register
|
|
each service in your OpenStack installation. Identity service
|
|
can then track which OpenStack services are installed, and
|
|
where they are located on the network.</para>
|
|
<para>To understand OpenStack Identity, you must understand the
|
|
following concepts:</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>User</term>
|
|
<listitem>
|
|
<para>Digital representation of a person, system, or
|
|
service who uses OpenStack cloud services. The
|
|
Identity service validates that incoming requests
|
|
are made by the user who claims to be making the
|
|
call. Users have a login and may be assigned
|
|
tokens to access resources. Users can be directly
|
|
assigned to a particular tenant and behave as if
|
|
they are contained in that tenant.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Credentials</term>
|
|
<listitem>
|
|
<para>Data that confirms the user's identity. For
|
|
example: user name and password, user name and API
|
|
key, or an authentication token provided by the
|
|
Identity Service.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Authentication</term>
|
|
<listitem>
|
|
<para>The process of confirming the identity of a user.
|
|
OpenStack Identity confirms an incoming request
|
|
by validating a set of credentials supplied by the
|
|
user.</para>
|
|
<para>These credentials are initially a user name and
|
|
password, or a user name and API key. When user
|
|
credentials are validated, OpenStack Identity issues an
|
|
authentication token which the user provides in subsequent
|
|
requests.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Token</term>
|
|
<listitem>
|
|
<para>An alpha-numeric string of text used to access
|
|
OpenStack APIs and resources. A token may be
|
|
revoked at any time and is valid for a
|
|
finite duration.</para>
|
|
<para>While OpenStack Identity supports token-based
|
|
authentication in this release, the intention is
|
|
to support additional protocols in the future.
|
|
Its main purpose is to be an integration service,
|
|
and not aspire to be a full-fledged identity store
|
|
and management solution.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Tenant</term>
|
|
<listitem>
|
|
<para>A container used to group or isolate resources.
|
|
Tenants also group or isolate identity objects.
|
|
Depending on the service operator, a tenant may map
|
|
to a customer, account, organization, or project.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Service</term>
|
|
<listitem>
|
|
<para>An OpenStack service, such as Compute (nova),
|
|
Object Storage (swift), or Image service (glance).
|
|
It provides one or more endpoints in which
|
|
users can access resources and perform operations.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Endpoint</term>
|
|
<listitem>
|
|
<para>A network-accessible address where you access a service,
|
|
usually a URL address. If you are using an extension for
|
|
templates, an endpoint template can be created, which
|
|
represents the templates of all the consumable services
|
|
that are available across the regions.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Role</term>
|
|
<listitem>
|
|
<para>A personality with a defined set of user rights and
|
|
privileges to perform a specific set of operations.</para>
|
|
<para>In the Identity service, a token that is issued
|
|
to a user includes the list of roles. Services that are
|
|
being called by that user determine how they interpret the
|
|
set of roles a user has and to which operations or
|
|
resources each role grants access.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Keystone Client</term>
|
|
<listitem>
|
|
<para>A command line interface for the OpenStack
|
|
Identity API. For example, users can run the
|
|
<command>keystone service-create</command> and
|
|
<command>keystone endpoint-create</command> commands
|
|
to register services in their OpenStack
|
|
installations.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<para>The following diagram shows the OpenStack Identity process
|
|
flow:</para>
|
|
<mediaobject>
|
|
<imageobject role="fo">
|
|
<imagedata
|
|
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
|
|
format="PNG" contentwidth="6in"/>
|
|
</imageobject>
|
|
<imageobject role="html">
|
|
<imagedata
|
|
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
|
|
format="PNG" contentwidth="6in"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</section>
|