Keystone of OpenStack Components

Source: Internet
Author: User

1. What is Keystone?

Keystone is the project name for the OpenStack Identity Service. It acts as the authentication and authorization authority for the whole system: every other component relies on it to verify identities and issue tokens.

2. Keystone concepts explained

User: Anything that consumes OpenStack services, whether a person, a service or a system, is called a user.

Project (Tenant): A collection of resources, which can be thought of as belonging to a person or a service. A project (tenant) can contain more than one user, and each user uses the resources in the project according to the permissions assigned to them. For example, when you create a virtual machine with Nova you create it in a project, and Cinder creates volumes in a project. Before a user can access a project's resources, the user must be associated with the project and given a role within it. Resources are isolated between projects, and quotas can be set per project.

Role: Used to divide permissions. Assigning a role to a user grants the user the actions that correspond to that role. The token Keystone returns to the user contains the list of the user's roles, and the service being accessed checks whether the roles in the user-supplied token permit the requested action. By default the system defines the admin role (admin) and the member role (_member_).

Policy: Besides authenticating the user, OpenStack must also determine whether the user is permitted to access a given service. The policy mechanism controls user permissions on resources (including services) within a tenant. For the Keystone service, the policy is a JSON file, by default /etc/keystone/policy.json; by configuring this file, the Keystone service implements role-based rights management.
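The role and policy paragraphs above describe the check a service performs: take the role list carried in the token and evaluate it against the rule registered for the requested action in policy.json. The following Python is an added example, not Keystone's or oslo.policy's own code: a deliberately small re-implementation of that check, run against two constructed policy fragments, a weak one whose rule for identity:list_users is empty (any authenticated token passes) and a hardened one that requires the admin role. The policy contents, action names and role lists are constructed for the example; only the "role:", "rule:", "or", "and", "" and "!" forms of the rule language are handled.

```python
"""Minimal evaluator for Keystone-style policy.json rules.

Added example, not Keystone's or oslo.policy's own code: a simplified
re-implementation of how a service checks the role list carried in a token
against the rule registered for an action. Only the "role:<name>",
"rule:<name>", "or", "and", "" (always allowed) and "!" (always denied)
forms are handled; the real policy language has more check types.
"""
import json

# Constructed policy fragments in the style of /etc/keystone/policy.json.
# In WEAK_POLICY the rule for identity:list_users is empty, which means any
# authenticated token, whatever its roles, may list users.
WEAK_POLICY = json.dumps({
    "admin_required": "role:admin",
    "identity:list_users": "",
    "identity:delete_user": "rule:admin_required",
    "identity:list_projects": "role:admin or role:_member_",
})

# Hardened variant: listing users requires the admin role as well.
HARDENED_POLICY = json.dumps({
    "admin_required": "role:admin",
    "identity:list_users": "rule:admin_required",
    "identity:delete_user": "rule:admin_required",
    "identity:list_projects": "role:admin or role:_member_",
})

# Constructed role lists, as they would appear in a token's "roles" field.
MEMBER_TOKEN_ROLES = ["_member_"]
ADMIN_TOKEN_ROLES = ["_member_", "admin"]

MAX_DEPTH = 20  # guards against rule:a -> rule:b -> rule:a loops


def _check(expr, roles, rules, depth=0):
    """Evaluate one rule expression against the token's role set."""
    if depth > MAX_DEPTH:
        raise ValueError("policy rule nesting too deep (cycle?)")
    expr = expr.strip()
    if expr == "":
        return True   # empty rule: unconditionally allowed
    if expr == "!":
        return False  # "!" rule: unconditionally denied
    # "or" binds loosest, then "and"; split on the loosest operator first.
    for op, combine in ((" or ", any), (" and ", all)):
        parts = expr.split(op)
        if len(parts) > 1:
            return combine(_check(p, roles, rules, depth + 1) for p in parts)
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        if value not in rules:
            return False  # unknown rule name: fail closed
        return _check(rules[value], roles, rules, depth + 1)
    raise ValueError(f"unsupported check type in {expr!r}")


def enforce(policy_json, action, token_roles):
    """Return True if a token carrying token_roles may perform action."""
    rules = json.loads(policy_json)
    if action not in rules:
        return False  # no rule registered for the action: fail closed
    return _check(rules[action], frozenset(token_roles), rules)


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for who, roles in (("member", MEMBER_TOKEN_ROLES), ("admin", ADMIN_TOKEN_ROLES)):
            allowed = enforce(policy, "identity:list_users", roles)
            print(f"{label:9s} policy, {who:6s} token: list_users -> {allowed}")
```

The point to take from the two fragments is that an empty rule string is an allow-all, so a policy review should look for empty rules and for actions with no rule at all, not only for rules that name the wrong role. The evaluator fails closed on unknown actions and unknown rule names, which is the safer choice when a policy file is edited by hand.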

Token: A string used to access resources. A token grants access to resources within a specified scope and for a limited validity period. For example, in Nova the resources in a tenant may be virtual machines, in Swift and Glance they may be image storage, and in the networking service they may be networking resources. Tokens are generally held by the user.

Credentials: Data used to confirm a user's identity, which can be a user name and password, a user name and API key, or an identity token assigned by Keystone.

Authentication: The process of verifying a user's identity. The Keystone service determines the user's identity by checking the user's credentials. Initially the user presents a user name and password or a user name and API key as credentials. Once the credentials are validated, Keystone assigns an authentication token to the user for subsequent requests.

Service: An OpenStack service, i.e. one of the component services running in OpenStack.

Endpoint: A network address, usually a URL, at which an OpenStack service can be located and accessed. For example, when Nova needs to fetch an image from Glance, it asks Keystone for the Glance endpoint and then calls that endpoint to reach the Glance service. Multiple regions can be defined through the endpoint's Region attribute. Endpoints are divided into three categories according to who uses them:

    • Admin URL -> for admin users, port 35357

    • Internal URL -> used by OpenStack internal services to communicate with other services, port 5000

    • Public URL -> addresses that other users can access, port 5000

The API endpoints are created after the service itself is created. In OpenStack each service has three kinds of endpoint: admin, public and internal. The admin endpoint is used for administrative operations, such as modifying users or tenants (projects). The public endpoint is for customers to call, for example exposed on the Internet so that customers can manage their own cloud. The internal endpoint is called by OpenStack components internally. The three kinds of endpoint are generally exposed on different networks: the admin endpoint is usually open only to the intranet, the public endpoint may be open to the external network, and the internal endpoint is usually open only to the machines running OpenStack services.
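The two paragraphs above describe how a consumer finds a service through Keystone and which of the three interfaces should be reachable from where. The following Python is an added example, not code from the page or from Keystone or its clients: it selects an endpoint from a catalog shaped like the "catalog" list in a Keystone v3 token response by service type, interface and region, the way Nova would pick Glance's internal endpoint, and it flags admin or internal endpoints whose host lies outside the deployment's management networks, the exposure the text warns against. The catalog, its addresses, region names and the management CIDR are all constructed for the example.

```python
"""Service-catalog endpoint selection and a network-exposure check.

Added example, not Keystone's or python-keystoneclient's own code. CATALOG
is a constructed fragment shaped like the "catalog" list in a Keystone v3
token response; hosts, ports, region names and MANAGEMENT_NETWORKS are
made up for the example.
"""
import ipaddress
from urllib.parse import urlsplit

CATALOG = [
    {
        "type": "identity",
        "name": "keystone",
        "endpoints": [
            {"interface": "admin",    "region": "RegionOne", "url": "http://10.0.0.11:35357/v3"},
            {"interface": "internal", "region": "RegionOne", "url": "http://10.0.0.11:5000/v3"},
            {"interface": "public",   "region": "RegionOne", "url": "http://203.0.113.10:5000/v3"},
        ],
    },
    {
        "type": "image",
        "name": "glance",
        "endpoints": [
            {"interface": "admin",    "region": "RegionOne", "url": "http://10.0.0.12:9292"},
            {"interface": "internal", "region": "RegionOne", "url": "http://10.0.0.12:9292"},
            {"interface": "public",   "region": "RegionOne", "url": "http://203.0.113.12:9292"},
            # Constructed misconfiguration: RegionTwo's admin endpoint is on a
            # non-management address, so it is reachable from outside the intranet.
            {"interface": "admin",    "region": "RegionTwo", "url": "http://203.0.113.22:9292"},
            {"interface": "public",   "region": "RegionTwo", "url": "http://203.0.113.22:9292"},
        ],
    },
]

# Constructed: the address range the deployment treats as its management network.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def find_endpoint(catalog, service_type, interface, region=None):
    """Return the URL a consumer should use for service_type.

    interface is "public", "internal" or "admin". With region=None the first
    matching endpoint wins, mirroring a client with no region configured.
    """
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] != interface:
                continue
            if region is not None and ep["region"] != region:
                continue
            return ep["url"]
    raise LookupError(f"no {interface} endpoint for {service_type!r} in region {region!r}")


def exposed_private_interfaces(catalog, management_networks):
    """Return (service, interface, region, url) tuples for admin/internal
    endpoints whose host is an IP literal outside management_networks.

    Endpoints given as hostnames are skipped: this offline example does not
    resolve names, so it cannot judge where they point.
    """
    findings = []
    for service in catalog:
        for ep in service["endpoints"]:
            if ep["interface"] not in ("admin", "internal"):
                continue
            host = urlsplit(ep["url"]).hostname
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                continue  # hostname rather than an IP literal
            if not any(addr in net for net in management_networks):
                findings.append((service["name"], ep["interface"], ep["region"], ep["url"]))
    return findings


if __name__ == "__main__":
    # An internal consumer such as Nova uses the internal interface, not public.
    print("Glance for Nova:", find_endpoint(CATALOG, "image", "internal", "RegionOne"))
    print("Glance for users:", find_endpoint(CATALOG, "image", "public", "RegionOne"))
    for finding in exposed_private_interfaces(CATALOG, MANAGEMENT_NETWORKS):
        print("admin/internal endpoint outside management network:", finding)
```

The check is an allow-list over the management CIDRs rather than a "is this address private" test, because what matters is whether the admin and internal interfaces sit on the network the operator intends, not whether the address happens to be RFC 1918.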

New in Keystone v3

    • Tenant renamed to Project

    • Added the concept of Domain

    • Added the concept of Group

3. Keystone functions

(1) User authentication:

4. Keystone code structure
