e4ec1d4446
Install Guide: Add some more glossterm entries. Security Guide: Add glossterm entries for SPICE, VNC Add new entries "OpenStack", "role", "service", and "SPICE" to the glossary itself. Change-Id: Ibc93970c544012db45e47c5467145675dcef5149
146 lines
6.5 KiB
XML
146 lines
6.5 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
|
xml:id="keystone-concepts">
|
|
<?dbhtml stop-chunking?>
|
|
<title>Identity Service concepts</title>
|
|
<para>The <glossterm>Identity Service</glossterm> performs the following
|
|
functions:</para>
|
|
<itemizedlist spacing="compact">
|
|
<listitem>
|
|
<para>User management. Tracks users and their
|
|
permissions.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><glossterm baseform="service catalog">Service
|
|
catalog</glossterm>. Provides a catalog of available
|
|
services with their API endpoints.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>To understand the Identity Service, you must understand the
|
|
following concepts:</para>
|
|
<variablelist wordsize="10">
|
|
<varlistentry>
|
|
<term><glossterm>User</glossterm>
|
|
</term>
|
|
<listitem>
|
|
<para>Digital representation of a person, system, or
|
|
service who uses OpenStack cloud services. The
|
|
Identity Service validates that incoming requests
|
|
are made by the user who claims to be making the
|
|
call. Users have a login and may be assigned
|
|
tokens to access resources. Users can be directly
|
|
assigned to a particular tenant and behave as if
|
|
they are contained in that tenant.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><glossterm>Credentials</glossterm>
|
|
</term>
|
|
<listitem>
|
|
<para>Data that is known only by a user that proves
|
|
who they are. In the Identity Service, examples
|
|
are: User name and password, user name and API
|
|
key, or an authentication token provided by the
|
|
Identity Service.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><glossterm>Authentication</glossterm></term>
|
|
<listitem>
|
|
<para>The act of confirming the identity of a user.
|
|
The Identity Service confirms an incoming request
|
|
by validating a set of credentials supplied by the
|
|
user.</para>
|
|
<para>These credentials are initially a user name and
|
|
password or a user name and API key. In response
|
|
to these credentials, the Identity Service issues
|
|
an authentication token to the user, which the
|
|
user provides in subsequent requests.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><glossterm>Token</glossterm></term>
|
|
<listitem>
|
|
<para>An arbitrary bit of text that is used to access
|
|
resources. Each token has a scope which describes
|
|
which resources are accessible with it. A token
|
|
may be revoked at any time and is valid for a
|
|
finite duration.</para>
|
|
<para>While the Identity Service supports token-based
|
|
authentication in this release, the intention is
|
|
for it to support additional protocols in the
|
|
future. The intent is for it to be an integration
|
|
service foremost, and not aspire to be a
|
|
full-fledged identity store and management
|
|
solution.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><glossterm>Tenant</glossterm>
|
|
</term>
|
|
<listitem>
|
|
<para>A container used to group or isolate resources
|
|
and/or identity objects. Depending on the service
|
|
operator, a tenant may map to a customer, account,
|
|
organization, or project.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><glossterm>Service</glossterm>
|
|
</term>
|
|
<listitem>
|
|
<para>An OpenStack service, such as Compute (Nova),
|
|
Object Storage (Swift), or Image Service (Glance).
|
|
Provides one or more endpoints through which users
|
|
can access resources and perform
|
|
operations.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><glossterm>Endpoint</glossterm>
|
|
</term>
|
|
<listitem>
|
|
<para>A network-accessible address, usually described
|
|
by a URL, from where you access a service. If using
|
|
an extension for templates, you can create an
|
|
endpoint template, which represents the templates
|
|
of all the consumable services that are available
|
|
across the regions.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><glossterm>Role</glossterm>
|
|
</term>
|
|
<listitem>
|
|
<para>A personality that a user assumes that enables
|
|
them to perform a specific set of operations. A
|
|
role includes a set of rights and privileges. A
|
|
user assuming that role inherits those rights and
|
|
privileges.</para>
|
|
<para>In the Identity Service, a token that is issued
|
|
to a user includes the list of roles that user
|
|
has. Services that are being called by that user
|
|
determine how they interpret the set of roles a
|
|
user has and to which operations or resources each
|
|
role grants access.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<para>The following diagram shows the Identity Service process
|
|
flow:</para>
|
|
<mediaobject>
|
|
<imageobject role="fo">
|
|
<imagedata
|
|
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
|
|
format="PNG" scale="40"/>
|
|
</imageobject>
|
|
<imageobject role="html">
|
|
<imagedata
|
|
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
|
|
format="PNG" scale="10"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</section>
|