The OpenStack Identity service (Keystone) provides authentication and user, account and role management for an OpenStack cloud running OpenStack Compute (Nova), and provides authorization services for OpenStack Object Storage (Swift).
Keystone architecture
Keystone has two main components: Authentication and the Service Catalog.
Authentication: provides a token-based authentication service built on the following concepts:
Tenant
An organization that uses OpenStack services. A tenant maps to a Nova project-id, and in Object Storage a tenant can own multiple containers. Depending on the deployment, a tenant can represent a customer, an account, an organization, or a project. (Later Keystone releases rename "tenant" to "project".)
User
Represents an individual API consumer; OpenStack authorizes access to services on the basis of the user. A user holds credentials and may be assigned to one or more tenants. After authentication, the user receives a token scoped to a specific tenant.
Credentials
Data that uniquely identifies a Keystone user, such as a password or other secret; a user must present valid credentials before a token is issued.
Token
A token is an arbitrary string of bits that Keystone issues to represent an authenticated user and that the user presents to other OpenStack services to access them. A token can be "scoped" or "unscoped": a scoped token represents a user authenticated for a particular tenant, while an unscoped token represents only the user. A token has a limited lifetime and can be revoked at any time.
Role
A role is a set of permissions, applied within a tenant, that allows a given user to perform specific operations. Grouping permissions into roles lets a common set of permissions be bound in one step to the users associated with a given tenant.
Service Catalog
Keystone provides a catalog of the REST API endpoints of an OpenStack installation; clients consult it to decide where to send requests. The main concepts are:
Service
An OpenStack service such as Nova, Swift, Glance, or Keystone itself. A service has one or more endpoints through which users interact with the service or its resources.
Endpoint
A network-reachable address (typically a URL) representing the API of an OpenStack service. Endpoints can be grouped into templates, each of which represents the set of OpenStack services available across regions.
Template
A collection of endpoints representing a set of available OpenStack service endpoints.
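As an added example (not code from the original post or from the Keystone project), the following Python ties the authentication concepts above to the service catalog: it builds a Keystone v2.0 token request with and without a tenant, parses a constructed token response in the shape the v2.0 API returns, distinguishes scoped from unscoped tokens, checks the expiry, and resolves a service endpoint for a region from the catalog the token carries. The token ID, tenant, user, roles and hostnames are all made up for the example.

```python
import copy
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a Keystone v2.0 POST /v2.0/tokens
# response for a scoped request. Token ID, tenant, user and URLs are made up.
SCOPED_RESPONSE = {
    "access": {
        "token": {
            "id": "7f3c2a7e1b9f4c0b8d3e2f1a0c9b8a7d",
            "expires": "2030-01-01T00:00:00Z",
            "tenant": {"id": "a1b2c3", "name": "demo"},
        },
        "user": {
            "id": "u-42",
            "username": "alice",
            "roles": [{"name": "Member"}, {"name": "swiftoperator"}],
        },
        "serviceCatalog": [
            {"type": "compute", "name": "nova", "endpoints": [
                {"region": "RegionOne",
                 "publicURL": "https://nova.example.test:8774/v2/a1b2c3",
                 "adminURL": "https://nova.example.test:8774/v2/a1b2c3"}]},
            {"type": "object-store", "name": "swift", "endpoints": [
                {"region": "RegionOne",
                 "publicURL": "https://swift.example.test:8080/v1/AUTH_a1b2c3"}]},
        ],
    }
}

# An unscoped response carries no tenant and no service catalog.
UNSCOPED_RESPONSE = copy.deepcopy(SCOPED_RESPONSE)
del UNSCOPED_RESPONSE["access"]["token"]["tenant"]
del UNSCOPED_RESPONSE["access"]["serviceCatalog"]


def build_auth_request(username, password, tenant_name=None):
    """Body of a v2.0 POST /v2.0/tokens request.

    Without tenant_name Keystone issues an unscoped token (user only);
    with it, a token scoped to that tenant.
    """
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_name is not None:
        auth["tenantName"] = tenant_name
    return {"auth": auth}


def parse_expiry(iso_utc):
    """Keystone v2.0 returns the expiry as an ISO-8601 UTC timestamp with a Z suffix."""
    return datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_token(body):
    """Reduce a token response (JSON text) to the fields a client needs."""
    access = json.loads(body)["access"]
    token = access["token"]
    tenant = token.get("tenant")          # absent on an unscoped token
    return {
        "id": token["id"],
        "expires": parse_expiry(token["expires"]),
        "scoped": tenant is not None,
        "tenant_id": tenant["id"] if tenant else None,
        "tenant_name": tenant["name"] if tenant else None,
        "user": access["user"]["username"],
        "roles": [r["name"] for r in access["user"].get("roles", [])],
        "catalog": access.get("serviceCatalog", []),
    }


def token_is_valid(token, now=None):
    """A token is usable only until its expiry. Keystone may revoke it earlier,
    which a client cannot see locally, so this check is necessary, not sufficient."""
    now = now or datetime.now(timezone.utc)
    return now < token["expires"]


def find_endpoint(catalog, service_type, region, interface="publicURL"):
    """Look up a service endpoint URL by type and region in the token's catalog."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for endpoint in service.get("endpoints", []):
            if endpoint.get("region") == region and interface in endpoint:
                return endpoint[interface]
    return None


def sample_tokens():
    """Parsed forms of the two constructed responses above (scoped, unscoped)."""
    return (parse_token(json.dumps(SCOPED_RESPONSE)),
            parse_token(json.dumps(UNSCOPED_RESPONSE)))


if __name__ == "__main__":
    print(json.dumps(build_auth_request("alice", "s3cret", "demo")))
    scoped, unscoped = sample_tokens()
    print("scoped:", scoped["scoped"], "tenant:", scoped["tenant_id"], "roles:", scoped["roles"])
    print("unscoped:", unscoped["scoped"], "catalog entries:", len(unscoped["catalog"]))
    print("swift:", find_endpoint(scoped["catalog"], "object-store", "RegionOne"))
```

The unscoped token is only good for asking Keystone which tenants the user belongs to and for requesting a scoped token; it carries no catalog, so a client that tries to resolve an endpoint from it gets nothing back.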
Components of Keystone
Keystone ships a command-line interface that talks to the Keystone API to manage Keystone and related services.
keystone - runs keystone-admin and keystone-service
keystone-admin - the management API used to operate Keystone
keystone-service - the user-facing API used for authentication
keystone-manage - the command-line interface for managing Keystone
Keystone also includes WSGI middleware that provides authentication for Nova and Swift.
Keystone authenticates users against a built-in SQLite database; storing credentials in an external LDAP service instead is planned for the future.
Middleware (middleware)
Keystone middleware sits in front of an OpenStack service and authenticates incoming requests. The middleware is designed to the following specification.
The middleware source lives under keystone/middleware.
The middleware supports two interfaces: WSGI and REST/HTTP.
REST & HTTP APIs
If an unauthenticated call arrives, the middleware responds with a 401 Unauthorized error. As the HTTP standard requires, it also returns a WWW-Authenticate header telling the caller which authentication protocol is supported. For Keystone authentication the response has the form:
WWW-Authenticate: Keystone uri="URL to Keystone server"
The client can then make the necessary calls to the Keystone server, obtain a token, and retry the call with that token.
Tokens are passed in the X-Auth-Token header.
WSGI API (headers)
When authentication succeeds, the middleware passes the following headers to the downstream WSGI application:
X-identity-status
Indicates whether the request was authenticated.
X-tenant
The tenant ID (which appears as a URL in Keystone). It is kept for legacy implementations from before Keystone moved to the id/name scheme.
X-tenant-id
The unique, immutable tenant ID.
X-tenant-name
The unique but mutable tenant name.
X-user
The user name used to log in.
X-roles
The roles assigned to the user.
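The REST/HTTP and WSGI behaviour described above, as an added example written for this page (it is not the Keystone project's own middleware): a WSGI filter that rejects calls without a valid X-Auth-Token with a 401 and a "Keystone uri=..." WWW-Authenticate header, and on success sets the X-Identity-Status, X-Tenant, X-Tenant-Id, X-Tenant-Name, X-User and X-Roles headers for the application behind it. The Keystone URL, the token validator (a dict standing in for a lookup against keystone-admin) and the token values are assumptions for the example. The security point it makes: because the downstream application trusts those headers, the middleware must strip any copy of them the caller supplied, otherwise a client could pick its own tenant.

```python
import json

# Assumed Keystone admin endpoint for the WWW-Authenticate hint; not a real server.
KEYSTONE_URL = "https://keystone.example.test:35357/v2.0"

# Constructed stand-in for token validation. A real middleware would ask
# keystone-admin to validate the token; here a dict of known tokens plays
# that role so the example runs offline.
KNOWN_TOKENS = {
    "tok-alice-demo": {
        "tenant_id": "a1b2c3",
        "tenant_name": "demo",
        "user": "alice",
        "roles": ["Member", "swiftoperator"],
    },
}

# Every identity header the middleware owns. They are removed from the incoming
# request before validation, so a client cannot set X-Tenant-Id itself and have
# the downstream application trust it.
IDENTITY_HEADERS = ("HTTP_X_IDENTITY_STATUS", "HTTP_X_TENANT", "HTTP_X_TENANT_ID",
                    "HTTP_X_TENANT_NAME", "HTTP_X_USER", "HTTP_X_ROLES")


def validate_token(token_id):
    """Return the identity bound to a token, or None if it is unknown."""
    return KNOWN_TOKENS.get(token_id)


class KeystoneAuthMiddleware:
    """WSGI filter in front of a service: rejects unauthenticated calls with 401
    and a Keystone WWW-Authenticate hint, else passes identity headers downstream."""

    def __init__(self, app, keystone_url=KEYSTONE_URL, validator=validate_token):
        self.app = app
        self.keystone_url = keystone_url
        self.validator = validator

    def __call__(self, environ, start_response):
        # Drop any identity headers supplied by the caller before deciding anything.
        for key in IDENTITY_HEADERS:
            environ.pop(key, None)

        token_id = environ.get("HTTP_X_AUTH_TOKEN")
        info = self.validator(token_id) if token_id else None
        if info is None:
            return self._reject(start_response)

        # WSGI exposes request headers as HTTP_<NAME> keys in environ.
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        environ["HTTP_X_TENANT"] = info["tenant_id"]       # legacy field
        environ["HTTP_X_TENANT_ID"] = info["tenant_id"]
        environ["HTTP_X_TENANT_NAME"] = info["tenant_name"]
        environ["HTTP_X_USER"] = info["user"]
        environ["HTTP_X_ROLES"] = ",".join(info["roles"])
        return self.app(environ, start_response)

    def _reject(self, start_response):
        headers = [
            ("Content-Type", "application/json"),
            ("WWW-Authenticate", 'Keystone uri="%s"' % self.keystone_url),
        ]
        start_response("401 Unauthorized", headers)
        body = {"error": {"code": 401, "title": "Unauthorized"}}
        return [json.dumps(body).encode("utf-8")]


def protected_app(environ, start_response):
    """Downstream application that trusts only the headers set by the middleware."""
    body = "tenant=%s user=%s roles=%s" % (
        environ["HTTP_X_TENANT_ID"], environ["HTTP_X_USER"], environ["HTTP_X_ROLES"])
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode("utf-8")]


def call(app, request_headers):
    """Drive a WSGI app offline; returns (status, response headers, body text)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    environ.update(request_headers)
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8")


app = KeystoneAuthMiddleware(protected_app)

if __name__ == "__main__":
    print(call(app, {}))
    print(call(app, {"HTTP_X_AUTH_TOKEN": "bogus"}))
    # A forged X-Tenant-Id is discarded; only the validated tenant reaches the app.
    print(call(app, {"HTTP_X_AUTH_TOKEN": "tok-alice-demo", "HTTP_X_TENANT_ID": "victim"}))
```

The third request in the usage block carries a valid token together with a forged X-Tenant-Id; the application still sees tenant a1b2c3, because the middleware clears the caller's identity headers before it fills them in from the validated token.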
That is a brief introduction to the OpenStack Identity (Keystone) service, its architecture and its middleware. I hope it helps; if you have any questions, leave me a message and I will reply promptly. Many thanks as well to the Cloud Habitat Community website for its support!