openstack-manuals/doc/common/section_keystone-concepts.xml
Rhys Oxenham c5aaf5424c Updated: About OpenStack Object Storage Document
One of the TODO entries was to provide a more comprehensive overview
of Object Storage/Swift than was already written. This is a first
attempt at making it better.

This patch also uncomments a line within the 'admin-guide-cloud' book
that doesn't reference the common 'about-object-storage' page like others
do. I've reverted this and tested thoroughly, not sure why this was there.

In addition, I updated a few other pages where they lacked certain
clarity. For example- the 'Getting Started' page provided only a very
basic overview of the components and without going into too much detail
I added further information. There were also a few English syntax changes
throughout some of the other pages.

Change-Id: I1952d9e1882fc962320304759110a2ccbc50de82
backport: havana
2013-12-14 13:08:33 +00:00

140 lines
6.4 KiB
XML

<?xml version="1.0" encoding="utf-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="keystone-concepts">
<?dbhtml stop-chunking?>
<title>Identity Service concepts</title>
<para>The Identity Service performs the following
functions:</para>
<itemizedlist spacing="compact">
<listitem>
<para>User management. Tracks users and their
permissions.</para>
</listitem>
<listitem>
<para>Service catalog. Provides a catalog of available
services with their API endpoints.</para>
</listitem>
</itemizedlist>
<para>To understand the Identity Service, you must understand the
following concepts:</para>
<variablelist wordsize="10">
<varlistentry>
<term><emphasis role="bold">User</emphasis></term>
<listitem>
<para>Digital representation of a person, system, or
service who uses OpenStack cloud services. The
Identity Service validates that incoming requests
are made by the user who claims to be making the
call. Users have a login and may be assigned
tokens to access resources. Users can be directly
assigned to a particular tenant and behave as if
they are contained in that tenant.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Credentials</emphasis></term>
<listitem>
<para>Data that is known only by a user that proves
who they are. In the Identity Service, examples
are: User name and password, user name and API
key, or an authentication token provided by the
Identity Service.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold"
>Authentication</emphasis></term>
<listitem>
<para>The act of confirming the identity of a user.
The Identity Service confirms an incoming request
by validating a set of credentials supplied by the
user.</para>
<para>These credentials are initially a user name and
password or a user name and API key. In response
to these credentials, the Identity Service issues
an authentication token to the user, which the
user provides in subsequent requests.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Token</emphasis></term>
<listitem>
<para>An arbitrary bit of text that is used to access
resources. Each token has a scope which describes
which resources are accessible with it. A token
may be revoked at any time and is valid for a
finite duration.</para>
<para>While the Identity Service supports token-based
authentication in this release, the intention is
for it to support additional protocols in the
future. The intent is for it to be an integration
service foremost, and not aspire to be a
full-fledged identity store and management
solution.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Tenant</emphasis></term>
<listitem>
<para>A container used to group or isolate resources
and/or identity objects. Depending on the service
operator, a tenant may map to a customer, account,
organization, or project.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Service</emphasis></term>
<listitem>
<para>An OpenStack service, such as Compute (Nova),
Object Storage (Swift), or Image Service (Glance).
Provides one or more endpoints through which users
can access resources and perform
operations.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Endpoint</emphasis></term>
<listitem>
<para>A network-accessible address, usually described
by a URL, from where you access a service. If using
an extension for templates, you can create an
endpoint template, which represents the templates
of all the consumable services that are available
across the regions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">Role</emphasis></term>
<listitem>
<para>A personality that a user assumes that enables
them to perform a specific set of operations. A
role includes a set of rights and privileges. A
user assuming that role inherits those rights and
privileges.</para>
<para>In the Identity Service, a token that is issued
to a user includes the list of roles that user
has. Services that are being called by that user
determine how they interpret the set of roles a
user has and to which operations or resources each
role grants access.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The following diagram shows the Identity Service process
flow:</para>
<mediaobject>
<imageobject role="fo">
<imagedata
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
format="PNG" scale="40"/>
</imageobject>
<imageobject role="html">
<imagedata
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
format="PNG" scale="10"/>
</imageobject>
</mediaobject>
</section>