[Repost] Understanding the basic concepts of OpenStack Keystone

Source: Internet
Author: User

Keystone Introduction

Keystone (the OpenStack Identity service) is the component of the OpenStack framework responsible for authentication, service policy and service tokens; it implements the OpenStack Identity API. Keystone acts somewhat like a service bus, or the registry of the whole OpenStack framework: other services register their endpoints (service access URLs) with Keystone, every call from one service to another must be authenticated by Keystone, and the caller obtains the endpoint of the target service from Keystone in order to reach it.

Introduction to the basic concept of Keystone

1. User

A User represents a person or program that accesses OpenStack through Keystone. Users authenticate with credentials, such as a password or API keys.

2. Tenant

A Tenant is a collection of resources that can be accessed within each service. For example, in Nova a tenant can own some machines; in Swift and Glance, some image storage; in Quantum, some network resources. A user is by default always bound to some tenant.

3. Role

A Role represents the set of resource permissions that a group of users may exercise, for example on virtual machines in Nova or on images in Glance. A user can be added to a global role or to a tenant role. With a global role, the user's permissions apply to all tenants, i.e. the user can perform the role's operations in every tenant; with a tenant role, the user can only perform the role's operations within the current tenant.

4. Service

Services are components such as Nova, Glance and Swift. Based on the first three concepts (user, tenant and role), a service can decide whether the current user is allowed to access its resources. But when a user tries to access a service within their tenant, they must know whether the service exists and how to reach it; different names are typically used to denote different services. The role described above can in fact be bound to a service. For example, if Swift requires administrator rights for object creation, we do not necessarily want the same role to grant administrator privileges in Nova. To achieve this, we create two separate administrator roles, one bound to Swift and the other to Nova, so that administrator access to Swift does not affect Nova or other services.

5. Endpoint

An Endpoint is the access point that a service exposes; to access a service you must know its endpoint. Keystone therefore contains endpoint templates (visible in the conf folder once Keystone is installed) that provide the endpoint information for all existing services. An endpoint template contains a list of URLs, each corresponding to the access address of one service instance, with three kinds of access: public, private and admin. Public URLs can be reached globally (e.g. http://compute.example.com), private URLs only from the local network (e.g. http://compute.example.local), and admin URLs are kept separate from regular access.

=================== Quoting Aaron's understanding =====================

There are many concepts in Keystone: user, credentials, authentication, token, tenant, service, endpoint and role. Among all of these, the key ones are User and Tenant; the other concepts were introduced to deal with security and service-related problems.
What are User and Tenant? Here is an example that helps with understanding. When we stay at a hotel, we are the equivalent of the User and the hotel is the Tenant. This is the simplest case: the hotel offers rooms, and all we need is accommodation.
As living standards improved, this picture changed. When we go to a hotel now, many things are different: you need an ID card to check in, the room key may be a card you swipe, and you need your own key to get in and out of the hotel. Moreover, the hotel is no longer just a place to sleep; it offers food, entertainment, fitness and other services, at different service levels, with rooms that differ in how luxuriously they are furnished. In this situation the relationship between us and the hotel is more complicated to describe, and that is what gives rise to some new concepts.
With this example, each concept in Keystone can be mapped to something in the hotel.

User: the people who stay in the hotel
Credentials: the key that opens the room
Authentication: the mechanism the hotel uses to keep unwanted people out; only someone with a key gets in
Token: also a key, but a slightly special one
Tenant: the hotel
Service: the kinds of service the hotel can provide, such as food and beverage, or entertainment
Endpoint: one specific service, such as eating barbecue or playing badminton
Role: VIP level; the higher the VIP level, the more privileges

Example of the access process in OpenStack with Keystone

As shown in the figure (this paragraph is left untranslated; the picture makes it clear enough anyway, and my translation of it was not good, t^t): to access some service, users provide their credentials to Keystone and receive a token. The token is just a string that is connected to the user and tenant internally by Keystone. This token travels between services with every user request, or with requests generated by one service to another service to process the user's request. The users find the URL of a service that they need. If the user, for example, wants to spawn a new VM instance in Nova, one can find the URL to Nova in the list of endpoints provided by Keystone and send an appropriate request. After that, Nova verifies the validity of the token in Keystone and should create an instance from some image by the provided image ID and plug it into some network. At first Nova passes this token to Glance to get the image stored somewhere in there. After that, it asks Quantum to plug this new instance into a network; Quantum verifies whether the user has access to the network in its own database and to the interface of VMs by requesting info in Nova. All this time the token travels between services so they can ask Keystone or each other for additional information or some actions.
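The flow just described, together with the service-bound administrator roles from the Service section and the public/private/admin URLs from the Endpoint section, as a small added Python model. This is constructed here for illustration and is not Keystone's own code; the user, tenant, role and URL values are made-up sample data.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data modelling the concepts on this page (not real Keystone code).
USERS = {"alice": "alice-pw"}                                   # credentials
# role assignments are per (user, tenant); each role is bound to one service
ASSIGNMENTS = {("alice", "demo"): {"swift:admin", "nova:member"}}
# endpoint template: service -> access kind -> URL (constructed example URLs)
ENDPOINTS = {
    "nova":  {"public":  "http://compute.example.com:8774",
              "private": "http://compute.example.local:8774",
              "admin":   "http://compute-admin.example.local:8774"},
    "swift": {"public":  "http://object.example.com:8080",
              "private": "http://object.example.local:8080",
              "admin":   "http://object-admin.example.local:8080"},
}

@dataclass(frozen=True)
class TokenInfo:
    user: str
    tenant: str
    roles: frozenset

TOKENS = {}  # opaque token string -> TokenInfo; only Keystone knows the mapping

def authenticate(user, password, tenant):
    """Step 1: credentials in, opaque token out, bound to user and tenant."""
    if USERS.get(user) != password or (user, tenant) not in ASSIGNMENTS:
        return None
    token = secrets.token_hex(16)
    TOKENS[token] = TokenInfo(user, tenant, frozenset(ASSIGNMENTS[(user, tenant)]))
    return token

def find_endpoint(service, access="public"):
    """Step 2: look the service up in the endpoint template before calling it."""
    return ENDPOINTS.get(service, {}).get(access)

def validate(token):
    """Step 3 (Keystone, on a service's behalf): resolve the string to user/tenant/roles."""
    return TOKENS.get(token)

def service_authorizes(service, token, needed_role, tenant):
    """The service asks Keystone what the token means, then checks that the token is
    scoped to the tenant owning the resource and carries the role bound to *this* service."""
    info = validate(token)
    return (info is not None and info.tenant == tenant
            and f"{service}:{needed_role}" in info.roles)
```

Because the roles are bound to a service, a Swift administrator token is rejected by Nova's admin check, and a token scoped to one tenant is rejected for another tenant's resources.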

Reference content:

http://mirantis.blogspot.com/2011/09/what-is-this-keystone-anyway.html
