ca395c88ec
Edited the document for clarity: addressed punctuation points in the keystone services section, and also added edits to clarify the Identity Concepts section. Moved Content from the Keystone Services section to the Identity Concepts Section. Change-Id: I94d21ba16f89ea2ba12166bab3f6893091bccbbf Implements: blueprint installation-guide-improvements
144 lines
6.5 KiB
XML
144 lines
6.5 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
|
xml:id="keystone-concepts">
|
|
<?dbhtml stop-chunking?>
|
|
<title>OpenStack Identity concepts</title>
|
|
<para>The OpenStack<glossterm>Identity Service</glossterm> performs the
|
|
following functions:</para>
|
|
<itemizedlist spacing="compact">
|
|
<listitem>
|
|
<para>Tracking users and their permissions.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Providing a catalog of available services with their API
|
|
endpoints.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>When installing OpenStack Identity service, you must register
|
|
each service in your OpenStack installation. Identity service
|
|
can then track which OpenStack services are installed, and
|
|
where they are located on the network.</para>
|
|
<para>To understand OpenStack Identity, you must understand the
|
|
following concepts:</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>User</term>
|
|
<listitem>
|
|
<para>Digital representation of a person, system, or
|
|
service who uses OpenStack cloud services. The
|
|
Identity service validates that incoming requests
|
|
are made by the user who claims to be making the
|
|
call. Users have a login and may be assigned
|
|
tokens to access resources. Users can be directly
|
|
assigned to a particular tenant and behave as if
|
|
they are contained in that tenant.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Credentials</term>
|
|
<listitem>
|
|
<para>Data that confirms the user's identity. For
|
|
example: user name and password, user name and API
|
|
key, or an authentication token provided by the
|
|
Identity Service.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Authentication</term>
|
|
<listitem>
|
|
<para>The process of confirming the identity of a user.
|
|
OpenStack Identity confirms an incoming request
|
|
by validating a set of credentials supplied by the
|
|
user.</para>
|
|
<para>These credentials are initially a user name and
|
|
password, or a user name and API key. When user
|
|
credentials are validated, OpenStack Identity issues an
|
|
authentication token which the user provides in subsequent
|
|
requests.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Token</term>
|
|
<listitem>
|
|
<para>An alpha-numeric string of text used to access
|
|
OpenStack APIs and resources. A token may be
|
|
revoked at any time and is valid for a
|
|
finite duration.</para>
|
|
<para>While OpenStack Identity supports token-based
|
|
authentication in this release, the intention is
|
|
to support additional protocols in the future.
|
|
Its main purpose is to be an integration service,
|
|
and not aspire to be a full-fledged identity store
|
|
and management solution.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Tenant</term>
|
|
<listitem>
|
|
<para>A container used to group or isolate resources.
|
|
Tenants also group or isolate identity objects.
|
|
Depending on the service operator, a tenant may map
|
|
to a customer, account, organization, or project.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Service</term>
|
|
<listitem>
|
|
<para>An OpenStack service, such as Compute (nova),
|
|
Object Storage (swift), or Image Service (glance).
|
|
It provides one or more endpoints in which
|
|
users can access resources and perform operations.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Endpoint</term>
|
|
<listitem>
|
|
<para>A network-accessible address where you access a service,
|
|
usually a URL address. If you are using an extension for
|
|
templates, an endpoint template can be created, which
|
|
represents the templates of all the consumable services
|
|
that are available across the regions.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Role</term>
|
|
<listitem>
|
|
<para>A personality with a defined set of user rights and
|
|
privileges to perform a specific set of operations.</para>
|
|
<para>In the Identity service, a token that is issued
|
|
to a user includes the list of roles. Services that are
|
|
being called by that user determine how they interpret the
|
|
set of roles a user has and to which operations or
|
|
resources each role grants access.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Keystone Client</term>
|
|
<listitem>
|
|
<para>A command line interface for the OpenStack
|
|
Identity API. For example, users can run the
|
|
<command>keystone service-create</command> and
|
|
<command>keystone endpoint-create</command> commands
|
|
to register services in their OpenStack
|
|
installations.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<para>The following diagram shows the OpenStack Identity process
|
|
flow:</para>
|
|
<mediaobject>
|
|
<imageobject role="fo">
|
|
<imagedata
|
|
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
|
|
format="PNG" contentwidth="6in"/>
|
|
</imageobject>
|
|
<imageobject role="html">
|
|
<imagedata
|
|
fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
|
|
format="PNG" contentwidth="6in"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</section>
|