3981735acd
Edit wording; changed term/description lists to variable lists as per writing conventions backport: none Partial-Bug: #1251195 Change-Id: I3b7f3fedafa79ab64f75260fcd3c5daa7cbb5e34
129 lines
5.7 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
<section xmlns="http://docbook.org/ns/docbook"
    xmlns:xi="http://www.w3.org/2001/XInclude"
    xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
    xml:id="keystone-concepts">
    <?dbhtml stop-chunking?>
    <title>OpenStack Identity concepts</title>
    <para>The OpenStack <glossterm>Identity Service</glossterm> performs the
        following functions:</para>
    <itemizedlist spacing="compact">
        <listitem>
            <para>Tracking users and their permissions.</para>
        </listitem>
        <listitem>
            <para>Providing a catalog of available services with their API
                endpoints.</para>
        </listitem>
    </itemizedlist>
    <para>To understand OpenStack Identity, you must understand the
        following concepts:</para>
    <variablelist>
        <varlistentry>
            <term>User</term>
            <listitem>
                <para>Digital representation of a person, system, or
                    service that uses OpenStack cloud services. The
                    Identity service validates that incoming requests
                    are made by the user who claims to be making the
                    call. Users have a login and may be assigned
                    tokens to access resources. Users can be directly
                    assigned to a particular tenant and behave as if
                    they are contained in that tenant.</para>
            </listitem>
        </varlistentry>
        <varlistentry>
            <term>Credentials</term>
            <listitem>
                <para>Data that confirms the user's identity. For example, user
                    name and password; user name and API key; or an
                    authentication token provided by the Identity
                    Service.</para>
            </listitem>
        </varlistentry>
        <varlistentry>
            <term>Authentication</term>
            <listitem>
                <para>The process of confirming the identity of a user.
                    OpenStack Identity confirms an incoming request
                    by validating a set of credentials supplied by the
                    user.</para>
                <para>These credentials are initially a user name and
                    password, or a user name and API key. When the
                    credentials are validated, OpenStack Identity issues an
                    authentication token, which the user presents in subsequent
                    requests instead of the original credentials.</para>
            </listitem>
        </varlistentry>
        <varlistentry>
            <term>Token</term>
            <listitem>
                <para>An opaque string that is used to access
                    resources. Each token carries information that defines
                    its access to resources. A token may be revoked at any time
                    and is valid for a finite duration. Because a token is a
                    bearer credential, anyone who presents it is treated as
                    the user it was issued to, so protect it as you would a
                    password.</para>
                <para>While OpenStack Identity supports token-based
                    authentication in this release, the intention is
                    to support additional protocols in the future. Its main
                    purpose is to be an integration service; it does not
                    aspire to be a full-fledged identity store and management
                    solution.</para>
            </listitem>
        </varlistentry>
        <varlistentry>
            <term>Tenant</term>
            <listitem>
                <para>A container used to group or isolate resources
                    and identity objects. Depending on the service
                    operator, a tenant may map to a customer, account,
                    organization, or project.</para>
            </listitem>
        </varlistentry>
        <varlistentry>
            <term>Service</term>
            <listitem>
                <para>An OpenStack service, such as Compute (nova),
                    Object Storage (swift), or Image Service (glance). It
                    provides one or more endpoints through which users can
                    access resources and perform operations.</para>
            </listitem>
        </varlistentry>
        <varlistentry>
            <term>Endpoint</term>
            <listitem>
                <para>A network-accessible address where you access a service,
                    usually a URL. If you are using an extension for
                    templates, you can create an endpoint template, which
                    represents the templates of all the consumable services
                    that are available across the regions.</para>
            </listitem>
        </varlistentry>
        <varlistentry>
            <term>Role</term>
            <listitem>
                <para>A personality with a defined set of user rights and
                    privileges to perform a specific set of operations.</para>
                <para>In the Identity service, a token that is issued
                    to a user includes the list of roles. Services that are
                    called by that user determine how they interpret the
                    set of roles the user has and to which operations or
                    resources each role grants access.</para>
            </listitem>
        </varlistentry>
</variablelist>
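    <para>The following example is added here and is not part of the original
        document or of Keystone itself. It models the concepts in the list above
        as a small in-memory Python program: a user bound to a tenant with roles,
        user name and password credentials checked with a salted hash, an opaque
        token that carries roles and the service catalog, a finite token lifetime
        with revocation, and a service-side policy that decides what each role
        may do. Every name, endpoint URL, the one-hour lifetime and the policy
        table are invented for the example.</para>

```python
"""Toy Identity service illustrating the Keystone concepts above.
Added example only; this is not Keystone's code, and all names, hosts and
policy entries below are invented for illustration."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600   # assumption: issued tokens live for one hour
PBKDF2_ROUNDS = 100_000


class Identity:
    """Validates credentials, issues and validates tokens, publishes a catalog."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested offline
        self._users = {}             # user name -> {"salt", "hash", "tenant"}
        self._roles = {}             # (user, tenant) -> set of role names
        self._tokens = {}            # token id -> token record
        self._revoked = set()        # token ids revoked before expiry
        # Constructed catalog: service type -> endpoint URL (hypothetical hosts)
        self.catalog = {
            "compute": "https://nova.example.test/v2",
            "image": "https://glance.example.test/v2",
        }

    def add_user(self, name, password, tenant, roles):
        """Store a salted PBKDF2 hash, never the password; bind user to tenant."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[name] = {"salt": salt, "hash": digest, "tenant": tenant}
        self._roles[(name, tenant)] = set(roles)

    def authenticate(self, name, password, tenant):
        """Validate user name + password. On success return a token carrying
        the user's roles for the tenant and the service catalog; else None."""
        rec = self._users.get(name)
        # Hash even for unknown users so timing does not reveal which names exist.
        salt = rec["salt"] if rec else bytes(16)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if rec is None or not hmac.compare_digest(candidate, rec["hash"]):
            return None
        if rec["tenant"] != tenant:
            return None                      # user is not contained in that tenant
        token_id = secrets.token_hex(16)     # opaque bearer value
        token = {
            "id": token_id,
            "user": name,
            "tenant": tenant,
            "roles": sorted(self._roles[(name, tenant)]),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "catalog": dict(self.catalog),
        }
        self._tokens[token_id] = token
        return token

    def validate(self, token_id):
        """Return the token record, or None if unknown, revoked, or expired."""
        token = self._tokens.get(token_id)
        if token is None or token_id in self._revoked:
            return None
        if self._clock() >= token["expires"]:
            return None
        return token

    def revoke(self, token_id):
        """Revocation takes effect immediately, before the finite lifetime ends."""
        self._revoked.add(token_id)


# Hypothetical service-side policy: each service decides what a role means to it.
COMPUTE_POLICY = {
    "server:create": {"admin", "member"},
    "server:delete": {"admin"},
}


def compute_authorize(identity, token_id, action):
    """What a service such as Compute does with an incoming token: have the
    Identity service validate it, then map the token's roles to the action."""
    token = identity.validate(token_id)
    if token is None:
        return False
    return any(role in COMPUTE_POLICY.get(action, set()) for role in token["roles"])


def demo():
    """Walk through a login, two authorization checks, and token expiry."""
    clock = [1_700_000_000.0]   # controllable clock so expiry is deterministic
    ks = Identity(clock=lambda: clock[0])
    ks.add_user("alice", "correct horse", "project-a", ["member"])
    bad = ks.authenticate("alice", "wrong password", "project-a")     # None
    tok = ks.authenticate("alice", "correct horse", "project-a")
    can_create = compute_authorize(ks, tok["id"], "server:create")    # True
    can_delete = compute_authorize(ks, tok["id"], "server:delete")    # False
    clock[0] += TOKEN_TTL_SECONDS                                     # token expires
    after_expiry = compute_authorize(ks, tok["id"], "server:create")  # False
    return bad, tok, can_create, can_delete, after_expiry
```

    <para>Run <code>demo()</code> to see the sequence: the wrong password yields
        no token, the valid token authorizes a member to create but not delete
        a server, and once the clock passes the expiry the same token id is
        refused. The role mapping lives in the service, not in the Identity
        service, which only vouches for which roles the token carries.</para>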
    <para>The following diagram shows the OpenStack Identity process
        flow:</para>
    <mediaobject>
        <imageobject role="fo">
            <imagedata
                fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
                format="PNG" scale="40"/>
        </imageobject>
        <imageobject role="html">
            <imagedata
                fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
                format="PNG" scale="10"/>
        </imageobject>
    </mediaobject>
</section>