Keystone ArchitectureThe Identity service performs these
functions:User management. Tracks users and their
permissions.Service catalog. Provides a catalog of available
services with their API endpoints.To understand the Identity Service, you must understand these concepts:UserDigital representation of a person, system, or service
who uses OpenStack cloud services. Identity authentication
services will validate that incoming request are being
made by the user who claims to be making the call. Users
have a login and may be assigned tokens to access
resources. Users may be directly assigned to a particular
tenant and behave as if they are contained in that
tenant.CredentialsData that is known only by a user that proves who they
are. In the Identity Service, examples are:Username and passwordUsername and API keyAn authentication token provided by the Identity
ServiceAuthenticationThe act of confirming the identity of a user. The
Identity Service confirms an incoming request by
validating a set of credentials supplied by the user.
These credentials are initially a username and password or
a username and API key. In response to these credentials,
the Identity Service issues the user an authentication
token, which the user provides in subsequent
requests.TokenAn arbitrary bit of text that is used to access
resources. Each token has a scope which describes which
resources are accessible with it. A token may be revoked
at anytime and is valid for a finite duration.While the Identity Service supports token-based
authentication in this release, the intention is for it to
support additional protocols in the future. The intent is
for it to be an integration service foremost, and not
aspire to be a full-fledged identity store and management
solution.TenantA container used to group or isolate resources and/or
identity objects. Depending on the service operator, a
tenant may map to a customer, account, organization, or
project.ServiceAn OpenStack service, such as Compute (Nova), Object
Storage (Swift), or Image Service (Glance). Provides one
or more endpoints through which users can access resources
and perform operations.EndpointAn network-accessible address, usually described by
URL, from where you access a service. If using an
extension for templates, you can create an endpoint
template, which represents the templates of all the
consumable services that are available across the
regions.RoleA personality that a user assumes that enables them to
perform a specific set of operations. A role includes a
set of rights and privileges. A user assuming that role
inherits those rights and privileges.In the Identity Service, a token that is issued to a
user includes the list of roles that user can assume.
Services that are being called by that user determine how
they interpret the set of roles a user has and which
operations or resources each role grants access to.User managementThe main components of Identity user management
are:UsersTenantsRolesA user represents a human user, and has associated
information such as username, password and email. This
example creates a user named "alice":$keystone user-create --name=alice --pass=mypassword123 --email=alice@example.comA tenant can be a project, group, or organization.
Whenever you make requests to OpenStack services, you must
specify a tenant. For example, if you query the Compute
service for a list of running instances, you get a list of
all running instances for the specified tenant. This
example creates a tenant named "acme":$keystone tenant-create --name=acmeA role captures what operations a user is permitted to
perform in a given tenant. This example creates a role
named "compute-user":$keystone role-create --name=compute-userThe Identity service associates a user with a tenant
and a role. To continue with our previous examples, we may
wish to assign the "alice" user the "compute-user" role in
the "acme" tenant:$keystone user-list$keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2A user can be assigned different roles in different
tenants. For example, Alice may also have the "admin" role
in the "Cyberdyne" tenant. A user can also be assigned
multiple roles in the same tenant.The
/etc/[SERVICE_CODENAME]/policy.json
file controls what users are allowed to do for a given
service. For example,
/etc/nova/policy.json specifies the
access policy for the Compute service,
/etc/glance/policy.json specifies
the access policy for the Image service, and
/etc/keystone/policy.json specifies
the access policy for the Identity service.The default policy.json files in the Compute,
Identity, and Image service recognize only the admin role:
all operations that do not require the admin role will be
accessible by any user that has any role in a
tenant.If you wish to restrict users from performing
operations in, say, the Compute service, you need to
create a role in the Identity service and then modify
/etc/nova/policy.json so that this
role is required for Compute operations.For example, this line in
/etc/nova/policy.json specifies
that there are no restrictions on which users can create
volumes: if the user has any role in a tenant, they will
be able to create volumes in that tenant.Service
ManagementThe Identity Service provides the following service
management functions:ServicesEndpointsThe Identity Service also maintains a user that
corresponds to each service, such as a user named nova,
for the Compute service) and a special service tenant,
which is called service.The commands for creating services and endpoints are
described in a later section.