Updates Identity service information in the Get Started with OpenStack chapter and moves Identity concepts information to the Identity Management chapter. Change-Id: Icdffc456a258cc16a2ced8743897f8c647b997b9 Closes-Bug: #1239308
1.9 KiB
OpenStack Identity
The OpenStack Identity service <Identity>
provides a single
point of integration for managing authentication, authorization, and
service catalog services. Other OpenStack services use the Identity
service as a common unified API. Additionally, services that provide
information about users but that are not included in OpenStack (such as
LDAP services) can be integrated into a pre-existing infrastructure.
In order to benefit from the Identity service, other OpenStack services need to collaborate with it. When an OpenStack service receives a request from a user, it checks with the Identity service whether the user is authorized to make the request.
The Identity service contains these components:
- Server
-
A centralized server provides authentication and authorization services using a RESTful interface.
- Drivers
-
Drivers or a service back end are integrated to the centralized server, and are used for accessing identity information in repositories, external to OpenStack, and maybe already existing in the infrastructure where OpenStack is deployed (for example, SQL databases or LDAP servers).
- Modules
-
Middleware modules run in the address space of the OpenStack component that is using the Identity service. These modules intercept service requests, extract user credentials, and send them to the centralized server for authorization. The integration between the middleware modules and OpenStack components uses the Python Web Server Gateway Interface.
When installing OpenStack Identity service, you must register each service in your OpenStack installation. Identity service can then track which OpenStack services are installed, and where they are located on the network.
The following diagram shows the OpenStack Identity process flow: