OpenStack user, tenant, and role concepts explained: Identity Management (Keystone)

Source: Internet
Author: User

The author is an OpenStack beginner and this article is a set of personal learning notes; readers are welcome to point out and discuss any shortcomings.

Target Audience: OpenStack Beginners

The article first gives the definitions and then illustrates the relationship between the three.

There are three main concepts in user identity management: user, tenant, and role.

1. Definitions

The definitions of these three concepts below are taken from the OpenStack official website.

1.1 Users (user)

The OpenStack official website defines a user as "In OpenStack Identity, entities represent individual API consumers and are owned by a specific domain. In OpenStack Compute, a user can be associated with roles, projects, or both."

About users, you need to understand the following:

1) A user is an API-consuming entity with authentication information.

2) A user can belong to more than one tenant/project/organization and can have more than one role.

1.2 Tenant (tenant)

The OpenStack official website defines a tenant as "A group of users; used to isolate access to Compute. An alternative term for a project."

The following are some things to know about tenants:

1) [Before revision] A tenant is equivalent to a user group that contains multiple users.

** Note [updated 2016/07/25]: The sentence above is not very accurate; after verification it has been revised as follows.

1) [Revised] A tenant can also be understood as a project. Before API v3 the term tenant was used; from API v3 onward, project is used more. The current version of OpenStack (Mitaka, April 2016) uses the word project more than tenant. A tenant is actually a collection of the resources that can be accessed in each service. These resource collections are available to multiple users, which is why a user is always bound to some tenant by default.

2) Users access compute management resources through tenants (the compute management resources here can be understood as OpenStack services); that is, a user must designate a corresponding tenant in order to request an OpenStack service.

3) Each tenant is independent; from within the current tenant, information about other tenants cannot be viewed.

1.3 Roles (role)

The OpenStack official website defines a role as "A personality that a user assumes to perform a specific set of operations. A role includes a set of rights and privileges. A user assuming that role inherits those rights and privileges."

About roles, you need to understand the following:

1) A role is a characteristic a user takes on to perform a specific series of operations; the role prescribes the range of rights and privileges a user has within a tenant.

2) By default there are generally two roles: admin, with super administrator rights, and member, with general administrator rights.

2. Example

Take an application to a company's finance department for travel expense reimbursement as an example to explain the relationship between the three.

The user represents employee 1, who holds the relevant information, such as name, employee number, e-mail address and so on. The project groups correspond to different tenants. User 1 can belong to several different project groups at the same time. When employee 1 applies for a travel subsidy, he or she must specify a project group to which he or she belongs. The role sets the permissions that the employee has within a project group, such as which expenses can be reimbursed and which cannot.
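The three concepts can be tied together in a small Python model, added here as an illustration; it is not Keystone code and not part of the original notes. The class names, the action names such as server:delete, the user alice and the tenants dev, prod and hr are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed role -> permitted-actions table (hypothetical action names).
ROLE_ACTIONS = {
    "admin": {"server:list", "server:create", "server:delete"},
    "member": {"server:list", "server:create"},
}

@dataclass(frozen=True)
class Scope:  # what a request carries: who acts, in which tenant, with which roles
    user: str
    tenant: str
    roles: frozenset

@dataclass
class Cloud:
    grants: dict = field(default_factory=dict)   # (user, tenant) -> {role names}
    servers: dict = field(default_factory=dict)  # server name -> owning tenant

    def scope(self, user, tenant):
        # The user must name a tenant; with no role in it there is no access.
        roles = self.grants.get((user, tenant))
        if not roles:
            raise PermissionError(f"{user} has no role in tenant {tenant}")
        return Scope(user, tenant, frozenset(roles))

    def check(self, scope, action):
        if not any(action in ROLE_ACTIONS.get(r, ()) for r in scope.roles):
            raise PermissionError(f"{action} denied for {scope.user} in {scope.tenant}")

    def list_servers(self, scope):
        self.check(scope, "server:list")
        # Isolation: only resources owned by the scoped tenant are visible.
        return sorted(n for n, t in self.servers.items() if t == scope.tenant)

    def delete_server(self, scope, name):
        self.check(scope, "server:delete")
        if self.servers.get(name) != scope.tenant:  # other tenants' servers look absent
            raise LookupError(f"{name} not found in tenant {scope.tenant}")
        del self.servers[name]

def demo_cloud():
    """Constructed sample data: alice is admin in 'dev' but only member in 'prod'."""
    return Cloud(grants={("alice", "dev"): {"admin"}, ("alice", "prod"): {"member"}},
                 servers={"dev-vm": "dev", "prod-db": "prod", "hr-app": "hr"})

if __name__ == "__main__":
    cloud = demo_cloud()
    print(cloud.list_servers(cloud.scope("alice", "prod")))
```

In this model the same user gets different rights depending on the tenant named in the request, and a role held in one tenant grants nothing in another.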

Reference:

http://docs.openstack.org/user-guide/common/glossary.html
