Understanding the basic concept of OpenStack Keystone
Keystone Introduction
Keystone (the OpenStack Identity Service) is the OpenStack component responsible for authentication, authorization policy, and service tokens; it implements the OpenStack Identity API. Keystone also acts like a service bus, or a registry for the whole OpenStack deployment: every other service registers its endpoint (the URL at which the service can be reached) with Keystone, and whenever one service calls another it must both authenticate with Keystone and look up the target service's endpoint in Keystone's catalog in order to reach it.
Introduction to the basic concepts of Keystone
1. User
A user represents a person or a program that accesses OpenStack through Keystone. Users authenticate by presenting credentials, such as a password or an API key.
2. Tenant
A tenant is a collection of resources that can be accessed within each service. In Nova a tenant owns a set of virtual machines, in Swift and Glance a tenant owns stored objects and images, and in Quantum (the project later renamed Neutron) a tenant owns network resources. A user is always bound to some tenant by default. (In the Keystone v3 API the tenant was renamed "project"; the concept is the same.)
3. Role
A role represents a set of permissions over resources that a user may access, such as virtual machines in Nova or images in Glance. A user can be assigned a role either globally or within a single tenant. With a global role, the role's permissions apply in every tenant, so the user can exercise them in all tenants; with a tenant role, the user can exercise the role's permissions only within that tenant.
4. Service
A service is a component such as Nova, Glance, or Swift. Using the three concepts above (user, tenant, and role), a service can decide whether the current user is allowed to access its resources. But when a user wants to access a service within his tenant, he must first know whether the service exists and how to reach it; services are therefore registered under distinct names. The roles mentioned above can in fact be bound to a particular service. For example, when Swift requires an administrator role to create objects, the holder of that role does not necessarily need administrator access to Nova. To achieve this we create two separate administrator roles, one bound to Swift and the other to Nova, so that granting Swift administrator privileges does not affect Nova or any other service. In practice the binding is done by each service's own policy configuration, which names the roles that service honours; a role that every service's default policy treats as administrative (the role literally named admin) is therefore global in effect, which is why distinct role names per service matter.
5. Endpoint
An endpoint is the access point a service exposes; to use a service you must know its endpoint. Keystone therefore keeps an endpoint catalog. With the file-based catalog backend this is an endpoint template (the default_catalog.templates file under the conf directory of a Keystone installation) that lists the endpoints of every registered service. The catalog is a list of URLs, each being the access address of one service instance, and each service has three interfaces: public, internal, and admin. A public URL is reachable from anywhere (for example http://compute.example.com), an internal URL is reachable only from the local or management network (for example http://compute.example.local), and the admin URL is kept separate from regular access and serves administrative API calls.
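As an added example (not code from the original post or from Keystone itself), here is a parser for the templated catalog format that Keystone's file-based catalog backend reads, a lookup that picks one interface explicitly, and a small check for admin endpoints that share a host with the public endpoint. The template text, hostnames, ports and tenant id below are constructed for the example; the `$(name)s` placeholder syntax and the `catalog.<region>.<service>.<interface>URL` key layout follow Keystone's default_catalog.templates.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

Catalog = Dict[str, Dict[str, Dict[str, str]]]   # region -> service -> field -> value

# Constructed sample in the layout of Keystone's default_catalog.templates.
# Hostnames, ports and the .com (public) / .local (internal) split are made up.
CATALOG_TEMPLATE = """
catalog.RegionOne.identity.publicURL = http://keystone.example.com:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://keystone.example.local:$(admin_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://keystone.example.local:$(public_port)s/v2.0
catalog.RegionOne.identity.name = Identity Service

catalog.RegionOne.compute.publicURL = http://compute.example.com:8774/v1.1/$(tenant_id)s
catalog.RegionOne.compute.adminURL = http://compute.example.com:8774/v1.1/$(tenant_id)s
catalog.RegionOne.compute.internalURL = http://compute.example.local:8774/v1.1/$(tenant_id)s
catalog.RegionOne.compute.name = Compute Service
"""

_PLACEHOLDER = re.compile(r"\$\((\w+)\)s")


def parse_catalog_template(text: str, **values: str) -> Catalog:
    """Parse 'catalog.<region>.<service>.<field> = <value>' lines.

    '$(name)s' placeholders are filled from ``values``; a placeholder with no
    value is an error rather than being left inside the URL.
    """
    catalog: Catalog = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        if not sep or len(parts) != 4 or parts[0] != "catalog":
            raise ValueError(f"malformed catalog line: {raw!r}")
        _, region, service, field = parts

        def fill(match):
            name = match.group(1)
            if name not in values:
                raise ValueError(f"no value for placeholder {match.group(0)} in {raw!r}")
            return str(values[name])

        rendered = _PLACEHOLDER.sub(fill, value.strip())
        catalog.setdefault(region, {}).setdefault(service, {})[field] = rendered
    return catalog


def endpoint_for(catalog: Catalog, region: str, service: str, interface: str = "public") -> str:
    """Return one interface's URL. Callers choose public (user-facing), internal
    (service-to-service on the management network) or admin (privileged API)
    explicitly and get an error instead of a silent fallback to another interface."""
    if interface not in ("public", "internal", "admin"):
        raise ValueError(f"unknown interface {interface!r}")
    try:
        return catalog[region][service][interface + "URL"]
    except KeyError:
        raise LookupError(f"no {interface} endpoint for {service} in {region}") from None


def admin_on_public_host(catalog: Catalog) -> List[Tuple[str, str]]:
    """Heuristic check: services whose admin URL lives on the same host as their
    public URL, i.e. where the admin API is not separated from regular access."""
    flagged: List[Tuple[str, str]] = []
    for region, services in catalog.items():
        for service, fields in services.items():
            pub, adm = fields.get("publicURL"), fields.get("adminURL")
            if pub and adm and urlsplit(pub).hostname == urlsplit(adm).hostname:
                flagged.append((region, service))
    return flagged


def build_catalog(tenant_id: str) -> Catalog:
    """Render the sample template for one tenant (5000 and 35357 are the
    traditional Keystone public and admin ports)."""
    return parse_catalog_template(CATALOG_TEMPLATE, tenant_id=tenant_id,
                                  public_port="5000", admin_port="35357")
```

Rendering the template per tenant is what makes `$(tenant_id)s` appear in the compute URLs: the same catalog text yields a tenant-specific endpoint for each token. The host comparison in `admin_on_public_host` is only a heuristic; in the sample it flags the compute service, whose admin and public URLs share a host, and passes identity, whose admin URL is on the internal hostname.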
=================== quoting Aaron's understanding =====================
Keystone has many concepts: user, credentials, authentication, token, tenant, service, endpoint, role. Among all of these, the most important are actually user and tenant. The other concepts arise from certain security and service problems.
So what are a user and a tenant? Let me give an example that makes this easier to understand. When we go to a hotel, we are the user and the hotel is the tenant. This is the simplest case: the hotel provides rooms, and all we need is a room.
As living standards improved, this changed. Now when we stay at a hotel many things are different: you need an ID card to check in, the room key may be a card or a tag, and we use our own key to open the hotel door when we come and go. Also, the hotel is no longer only a place to sleep; it can provide food, entertainment, fitness and other services, and different levels of service come with different rooms, whose furnishings differ in luxury. In this situation it is more complicated to describe the relationship between us and the hotel, which gives rise to some new concepts.
With this example, each of the concepts in Keystone can be mapped to something in the story.
Keystone concept | Hotel analogy
User | The people who stay in the hotel
Credentials | The key that opens the room
Authentication | The mechanism the hotel sets up to keep unwanted people out: only those who have a key can get in
Token | Also a key, but a slightly special one
Tenant | The hotel
Service | The categories of service the hotel can provide, such as food or entertainment
Endpoint | A specific service, such as eating barbecue or playing badminton
Role | VIP level: the higher the VIP level, the more privileges
Example of the Keystone access process in OpenStack
As shown in the figure above (not reproduced in this text), (I did not translate this paragraph; you can understand it from the picture anyway, and in any case I did not translate it, t^t) to access some service, users provide their credentials to Keystone and receive a token. The token is just a string that is connected to the user and tenant internally by Keystone. This token travels between services with every user request, and with every request generated by one service to another in order to process the user's request. The user finds the URL of the service they need. If the user, for example, wants to spawn a new VM instance in Nova, they can find the URL of Nova in the list of endpoints provided by Keystone and send an appropriate request. After that, Nova verifies the validity of the token with Keystone and should create an instance from some image by the provided image ID and plug it into some network. First, Nova passes this token to Glance to get the image stored there. After that, it asks Quantum to plug the new instance into a network; Quantum verifies in its own database whether the user has access to the network, and verifies access to the interface of the VM by requesting information from Nova. All the way, this token travels between services so that they can ask Keystone or each other for additional information or for some actions.
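The flow above, as an added example that is not part of the original post or of OpenStack's code: a toy Keystone that issues and validates tokens, and toy Nova, Glance and Quantum services that forward the same token and each apply their own oslo.policy-style rules. It also illustrates the per-service administrator roles from the Role and Service sections (glance_admin is honoured only by Glance's rules, nova_admin only by Nova's). All user names, passwords, image and network ids, role names and method names are constructed for the illustration. One caveat the diagram does not show: the token is a bearer credential, so every service it passes through can exercise the user's full scope until the token expires; the links between services therefore need transport protection, and the services themselves have to be trusted.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional, Tuple


@dataclass
class TokenData:
    user: str
    tenant_id: str
    roles: List[str]
    expires_at: float


def policy_allows(rule: str, rules: Mapping[str, str], token: TokenData, target: Mapping) -> bool:
    """Evaluate an oslo.policy-style rule string restricted to the checks
    'role:<name>', 'rule:<name>' and 'tenant_id:%(tenant_id)s', joined with
    'and' / 'or' ('and' binds tighter, as in oslo.policy)."""
    def atom(text: str) -> bool:
        kind, _, value = text.partition(":")
        if kind == "role":
            return value in token.roles
        if kind == "rule":
            return policy_allows(rules[value], rules, token, target)
        if kind == "tenant_id":
            return token.tenant_id == value % target   # caller's tenant vs. target's owner
        raise ValueError(f"unsupported check {text!r}")
    return any(all(atom(a.strip()) for a in conj.split(" and ")) for conj in rule.split(" or "))


class Keystone:
    """Issues opaque bearer tokens and validates them for whichever service asks."""

    def __init__(self, ttl: float = 3600.0) -> None:
        self.ttl = ttl
        self._users: Dict[str, Tuple[str, str, List[str]]] = {}   # name -> (password, tenant, roles)
        self._tokens: Dict[str, TokenData] = {}

    def add_user(self, name: str, password: str, tenant_id: str, roles: List[str]) -> None:
        self._users[name] = (password, tenant_id, list(roles))

    def authenticate(self, name: str, password: str, tenant_id: str) -> Optional[str]:
        rec = self._users.get(name)
        if rec is None or not secrets.compare_digest(rec[0], password) or rec[1] != tenant_id:
            return None
        token = secrets.token_hex(16)   # random string; meaningful only through Keystone's table
        self._tokens[token] = TokenData(name, tenant_id, rec[2], time.time() + self.ttl)
        return token

    def validate(self, token: str) -> Optional[TokenData]:
        data = self._tokens.get(token)
        return None if data is None or data.expires_at < time.time() else data


class Service:
    """Every service validates the token with Keystone, then applies its own
    policy rules, so which role names count is decided per service."""
    RULES: Dict[str, str] = {}

    def __init__(self, keystone: Keystone) -> None:
        self.keystone = keystone

    def authorize(self, token: str, action: str, target: Mapping) -> TokenData:
        data = self.keystone.validate(token)
        if data is None:
            raise PermissionError("invalid or expired token")
        if not policy_allows(self.RULES[action], self.RULES, data, target):
            raise PermissionError(f"{data.user} may not {action}")
        return data


class Glance(Service):
    RULES = {"owner": "tenant_id:%(tenant_id)s", "image:get": "role:glance_admin or rule:owner"}

    def __init__(self, keystone: Keystone, images: Dict[str, str]) -> None:
        super().__init__(keystone)
        self.images = images          # image_id -> owning tenant (constructed data)

    def get_image(self, token: str, image_id: str) -> str:
        self.authorize(token, "image:get", {"tenant_id": self.images[image_id]})
        return image_id


class Quantum(Service):
    RULES = {"owner": "tenant_id:%(tenant_id)s", "port:create": "rule:owner"}

    def __init__(self, keystone: Keystone, networks: Dict[str, str]) -> None:
        super().__init__(keystone)
        self.networks = networks      # net_id -> owning tenant (constructed data)

    def plug(self, token: str, instance_id: str, net_id: str) -> str:
        self.authorize(token, "port:create", {"tenant_id": self.networks[net_id]})
        return f"port-{instance_id}-{net_id}"


class Nova(Service):
    RULES = {"compute:create": "role:nova_admin or role:member"}   # glance_admin means nothing here

    def __init__(self, keystone: Keystone, glance: Glance, quantum: Quantum) -> None:
        super().__init__(keystone)
        self.glance, self.quantum, self.count = glance, quantum, 0

    def boot(self, token: str, image_id: str, net_id: str) -> Dict[str, str]:
        data = self.authorize(token, "compute:create", {})
        image = self.glance.get_image(token, image_id)         # the user's token is forwarded
        self.count += 1
        instance_id = f"vm-{self.count}"
        port = self.quantum.plug(token, instance_id, net_id)   # and forwarded again
        return {"id": instance_id, "image": image, "port": port, "tenant": data.tenant_id}


def try_boot(nova: Nova, token: str, image_id: str, net_id: str) -> Optional[Dict[str, str]]:
    """Boot helper that reports a token or policy refusal as None."""
    try:
        return nova.boot(token, image_id, net_id)
    except PermissionError:
        return None
```

The rule evaluator covers only the `role:`, `rule:` and `tenant_id:` checks and has no parentheses or `not`; real oslo.policy is richer, but the point is that each service ships its own rule set, so a user holding glance_admin can read any image in Glance while Nova, whose rules never mention that role, still refuses to boot for them.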
Reference:
http://mirantis.blogspot.com/2011/09/what-is-this-keystone-anyway.html