OpenStack Identity (Keystone): identity service, architecture and middleware

Source: Internet
Author: User

The OpenStack Identity (Keystone) service provides authentication and user, account and role management for an OpenStack cloud running OpenStack Compute, and provides authorization services for OpenStack Object Storage.

Keystone architecture

Keystone has two main components: authentication and the service catalog.

Authentication: provides a token-based authentication service built on the following concepts:

Tenant (tenant)

An organization that uses OpenStack services. A tenant maps to a Nova "project-id"; in the object store, a tenant can own multiple containers. Depending on how the installation is used, a tenant can represent a customer, an account number, an organization, or a project.

User (user)

Represents an individual; OpenStack services grant authorization to users in this form. A user owns credentials and may be assigned to one or more tenants. After authentication, the user is issued a separate token for each tenant.

Credentials (credentials)

Information that uniquely identifies a Keystone user, such as a password or other data; credentials are required before a token can be issued to the user.

Token (token)

A token is an arbitrary bit string used to share information with other OpenStack services; Keystone provides the central place where a user accessing an OpenStack service is authenticated. A token can be "scoped" or "unscoped". A scoped token represents a user who has been authenticated for a particular tenant, while an unscoped token represents only the user. A token is valid for a limited period and can be revoked at any time.

Role (role)

A role is a collection of usage rights applied to a tenant that allows a given user to access or perform specific actions. A role is a logical grouping of permissions, so that common sets of permissions can be grouped simply and bound to users associated with a given tenant.

Service Catalog (service catalog)

Keystone provides a list of the REST API endpoints of an OpenStack installation, which clients use as a reference when deciding where to send requests. The main concepts are:

Service (service)

An OpenStack service, such as Nova, Swift, Glance, or Keystone. A service can have one or more endpoints through which the user interacts with the OpenStack service or resource.

Endpoint (endpoint)

A network-accessible address (typically a URL) representing the API interface of an OpenStack service. Endpoints can also be grouped into templates, where each template represents a set of available OpenStack services across regions.

Template (Template)

An endpoint collection that represents a set of available OpenStack service endpoints.

Components of Keystone

Keystone contains a command-line interface that can interact with the Keystone API to manage Keystone and related services.

keystone - runs keystone-admin and keystone-service
keystone-admin - management API for operating Keystone
keystone-service - user-facing API for authentication
keystone-manage - command-line interface for managing Keystone
Keystone also includes WSGI middleware that provides authentication services for Nova and Swift.
Keystone uses a built-in SQLite database to authenticate users; in the future it will be possible to use an external LDAP service in place of the built-in credential store.

Middleware (middleware)

Keystone middleware sits in front of an OpenStack service and validates incoming requests. The middleware is designed according to the following specification.

The source code of the middleware is located in keystone/middleware.

The middleware supports two interfaces: WSGI and REST/HTTP.

REST & HTTP APIs

If an unauthenticated call comes in, the middleware responds with a 401 Unauthorized error. As the HTTP standard requires, it also returns a WWW-Authenticate header telling the caller which protocol is supported. For Keystone authentication, the response header has the following syntax:

WWW-Authenticate: Keystone uri="URL to Keystone server"

The client can then make the necessary calls to the Keystone server, obtain a token, and retry the call with the token.

Tokens are delivered in the X-Auth-Token header.

WSGI API (headers)

When a request is successfully authenticated, the middleware passes the following headers on to the downstream WSGI application:

X-Identity-Status

Indicates whether the request was authenticated.

X-Tenant

Provides a tenant ID (which appears as a URL in Keystone). It is kept for any legacy implementations from before Keystone moved to the id/name scheme.

X-Tenant-Id

The unique, immutable tenant ID.

X-Tenant-Name

The unique but mutable tenant name.

X-User

The user name used to log in.

X-Roles

The roles assigned to the user.
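As an added illustration (not Keystone's own middleware code), the following minimal WSGI middleware implements the contract described in the two sections above: a missing or unknown X-Auth-Token yields 401 with the Keystone WWW-Authenticate challenge, and a valid token results in the X-* identity headers being set for the downstream application, after first discarding any identity headers the caller tried to supply. The Keystone URL and the token table are constructed stand-ins for a real token validation call to the Keystone server.

```python
import hmac

KEYSTONE_URL = "http://keystone.example:35357"  # assumed Keystone address
# Constructed sample token table standing in for a lookup against Keystone.
VALID_TOKENS = {
    "tok-scoped-123": {"tenant_id": "t-42", "tenant_name": "acme",
                       "user": "alice", "roles": ["Member", "admin"]},
}
IDENTITY_KEYS = ("HTTP_X_IDENTITY_STATUS", "HTTP_X_TENANT", "HTTP_X_TENANT_ID",
                 "HTTP_X_TENANT_NAME", "HTTP_X_USER", "HTTP_X_ROLES")

def validate_token(token):
    """Identity bound to a known token, else None (constant-time compare)."""
    for known, identity in VALID_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return identity
    return None

def keystone_middleware(app):
    """Wrap a WSGI app: reject unauthenticated calls, else set X-* headers."""
    def wrapped(environ, start_response):
        for key in IDENTITY_KEYS:  # never trust caller-supplied identity headers
            environ.pop(key, None)
        token = environ.get("HTTP_X_AUTH_TOKEN", "")
        identity = validate_token(token) if token else None
        if identity is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                ("WWW-Authenticate", 'Keystone uri="%s"' % KEYSTONE_URL)])
            return [b"authentication required\n"]
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        environ["HTTP_X_TENANT"] = environ["HTTP_X_TENANT_ID"] = identity["tenant_id"]
        environ["HTTP_X_TENANT_NAME"] = identity["tenant_name"]
        environ["HTTP_X_USER"] = identity["user"]
        environ["HTTP_X_ROLES"] = ",".join(identity["roles"])
        return app(environ, start_response)
    return wrapped

def echo_app(environ, start_response):
    # Downstream app: reports the identity headers it received.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("%s %s %s" % (environ["HTTP_X_USER"], environ["HTTP_X_TENANT_ID"],
                           environ["HTTP_X_ROLES"])).encode()]

def call(app, headers):
    """Invoke app with the given request headers; return (status, headers, body)."""
    environ = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}
    captured = {}
    def start_response(status, response_headers):
        captured["status"], captured["headers"] = status, dict(response_headers)
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body
```

Note that the downstream application must only be reachable through the middleware; if clients can reach it directly, the X-* headers it trusts can be forged.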

The above is a brief introduction to the OpenStack Identity (Keystone) service, its architecture and its middleware. I hope it helps; if you have any questions, please leave a message and we will reply promptly. Many thanks also to the Cloud Habitat Community website for its support!
