OpenStack is an SOA architecture in which individual sub-projects provide related services independently. But virtually every service relies on Keystone services. The Keystone has two main components, a validation and a service catalog.
Several basic concepts.
1. User: Represents a natural person with user name, password, mailbox and other account information.
2. Tenants: Tenants can be understood as a project, team or organization. You must specify a corresponding tenant (tenant) To request the OpenStack service.
3. Role: Represents the user operation permissions for a specific tenant.
You can understand that a tenant is a customer who uses your cloud environment, which can be a project group, a workgroup, a company, and these customers will have different accounts (users) and their corresponding permissions (roles).
4.Crenditial: Evidence used to prove the identity of the user, plain English is a "token", which is a logical concept. Specific can be password, driver's license, ID card and so on.
5.Authentication: Authentication, that is, a process of identification of the user.
6.Service: Service. As mentioned before, Keystone provides a list of services that the system can provide, such as Nova, Glance, Swift, and so on.
7.Token: Token. After the user authentication is complete, Keystone will issue a token to the user, so that when the user requests other services, they only need to light their own tokens, instead of sending their own keys. Of course, in case of counterfeit tokens, tokens are time-bound.
8.Endpoint: An endpoint, in fact, refers to the address of the access service (typically, a URL). If subdivided, it can be further divided into the address of external service delivery, management address and so on.
The key two points:
1) User obtains the token and the list of services from Keystone;
2) When user accesses the service, it illuminates its own token. Related services to Keystone to verify the legitimacy of the token.
Keystone Certification Process