OpenStack Keystone Overall architecture and functionality

Source: Internet
Author: User

This is the first of three articles on the Keystone module. It covers the overall architecture and functions; the following two cover user information management and the authentication service.


1. Basic functions of Keystone

As the identity service for OpenStack, Keystone provides user information management and the authentication service that every other module relies on.

User information management: basic user/tenant information, tenant management

Authentication service: login authentication, permission control of each component's API


2. Architecture of Keystone

Since Keystone provides the authentication service for every module, every module interacts with Keystone. Login authentication takes effect when a user accesses a component's API: the WSGI pipeline calls the authtoken filter, the filter calls keystoneclient, and keystoneclient finally asks Keystone to validate the token, which completes the user's login authentication. If authentication fails, the user cannot access the API.

Taking Nova as an example, the authtoken filter is configured in /etc/paste.ini (if you are unfamiliar with the WSGI framework, you can ignore this).

[Figures: the authtoken filter entries in Nova's paste.ini (images not reproduced)]

The location of Keystone in OpenStack is shown in the following figure:

[Figure: the location of Keystone among the OpenStack services (image not reproduced)]

3. Introduction to the basic concepts of Keystone

1) User

A User is simply a user: someone who carries a token to access OpenStack services and resources.

2) Tenant

A Tenant, also known as a Project in some versions, is a collection of resources that can be accessed in each service. For example, when you create a virtual machine in Nova you assign it to a tenant, and a volume created in Cinder is also assigned to a tenant. Before a user can access a tenant's resources, the user must be associated with the tenant and given a role under that tenant.

3) Role

A Role can be thought of as a VIP level: the higher the user's role, the more services and resources the user can access in OpenStack.

4) Service

Service refers to services such as Nova, Glance, Swift, Heat, Ceilometer and so on. Nova provides cloud computing services, Glance provides image management services, Swift provides object storage services, Heat provides resource orchestration services, Ceilometer provides alarm and billing services, and Cinder provides block storage services.

5) Endpoint

A service on its own is too abstract and general; an Endpoint makes it concrete. Endpoint translates as "end point": it is the access point a service exposes. To access a service you must know its endpoint, and an endpoint is generally a URL; once you know the service's URL you can access it. An endpoint's URL comes in three access levels: public, private and admin. The public URL can be accessed globally, the private URL can only be accessed from the LAN, and the admin URL is kept separate from regular access.

6) Token

A Token is a ticket that a user obtains under a tenant by presenting a username and password; with the token, the user gets single sign-on across the services.

7) Credentials

Credentials can simply be understood as the username and password.

Keystone has many concepts, of which User and Tenant are the most important; the others are introduced by factors such as security and permissions. Borrowing the explanation from Http://www.openstack.org.cn/bbs/forum.php?mod=viewthread&tid=534&extra=page%3D1 , in plain terms:

Compare a hotel to a Tenant: the guest is the User and the hotel is the Tenant. The hotel can provide various services such as accommodation, entertainment and food (Service); concretely, the accommodation itself is one specific service (Endpoint). Among the rooms there are ordinary rooms and presidential suites; if your VIP level (Role) is high enough, you can enjoy the luxurious presidential suite. Before checking in you need to present your ID card (Credentials); once the front desk verifies that the ID is not counterfeit (Authentication), it gives you a room card (Token), and with the room card you can enter the room and enjoy the various services.

Concept          Hotel analogy
user             the guest staying at the hotel
credentials      ID card
authentication   verifying that your ID is genuine
token            room card
tenant           the hotel
service          the categories of service the hotel can provide, such as food and entertainment
endpoint         one specific service, such as the accommodation
role             VIP level; the higher the VIP level, the higher the privilege


4. Keystone's access process

Taking the creation of a virtual machine (server) as an example, here is a brief overview of the access process under Keystone in OpenStack.

1) The user Alice requests a token from Keystone with her own username and password; Keystone authenticates the username and password and returns token1.

2) Alice uses token1 to ask Keystone which tenants she owns; Keystone verifies token1 and returns all of Alice's tenants.

3) Alice selects a tenant and requests a token again, this time with username, password and tenant; Keystone authenticates the username, password and tenant and returns token2. (Steps 1 and 2 exist only to look up the tenant; if the tenant is already known, they can be skipped.)

4) Alice sends a request to create a server with token2; Keystone verifies token2 (whether the token is valid, whether it has permission to create a virtual machine, and so on). If verification succeeds, the request is passed on to Nova, which finally creates the virtual machine.
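To make the four steps concrete, here is an added Python sketch (not code from this post or from Keystone itself) that models both sides of the exchange: Keystone issuing an unscoped token1, listing tenants, issuing a tenant-scoped token2, and the service-side authtoken check from section 2 that gates the create-server API. The user, tenant and role data are constructed sample values.

```python
import hashlib, hmac, secrets, time

# Constructed sample directory (an assumption, not real Keystone data): one user,
# two tenants, and the roles the user holds in each tenant. Plain SHA-256 stands
# in for a real password KDF only to keep the toy short.
USERS = {"alice": hashlib.sha256(b"s3cret").hexdigest()}
TENANTS = {"tenant-a": {"alice": ["member"]}, "tenant-b": {"alice": ["admin"]}}
TOKENS = {}  # token id -> {"user", "tenant", "roles", "expires"}


def issue_token(username, password, tenant=None, ttl=3600):
    """Steps 1 and 3: check the credentials and mint a token.
    tenant=None yields an unscoped token (token1); naming a tenant yields a token
    scoped to it (token2), which requires the user to hold a role in that tenant."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(username, ""), digest):
        return None                      # unknown user or wrong password
    roles = []
    if tenant is not None:
        roles = TENANTS.get(tenant, {}).get(username)
        if roles is None:
            return None                  # user is not associated with that tenant
    token_id = secrets.token_hex(16)
    TOKENS[token_id] = {"user": username, "tenant": tenant,
                        "roles": roles, "expires": time.time() + ttl}
    return token_id


def validate(token_id):
    """What the authtoken filter asks Keystone: is the token known and unexpired?"""
    tok = TOKENS.get(token_id)
    if tok is None or tok["expires"] < time.time():
        return None
    return tok


def list_tenants(token_id):
    """Step 2: with an unscoped token, enumerate the tenants the user belongs to."""
    tok = validate(token_id)
    if tok is None:
        return []
    return sorted(t for t, members in TENANTS.items() if tok["user"] in members)


def authtoken_filter(token_id, required_role):
    """Step 4: the service-side check before the create-server API may run. This toy
    merges token validation with the role check; a real deployment validates the
    token in the authtoken middleware and enforces roles in the service's policy."""
    tok = validate(token_id)
    if tok is None or tok["tenant"] is None:
        return False                     # invalid, expired, or unscoped token
    return required_role in tok["roles"]
```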

[Figure: the Keystone access flow for creating a server (image not reproduced)]


This article is from the "technology leading IT Community" blog; to reproduce it, please contact the author.
