
What is the workflow and service relationship of openstack cloud computing keystone components?

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article mainly introduces "what is the workflow and service relationship of openstack cloud computing keystone components". In daily operations, many people have doubts about the workflow and service relationship of the keystone component. The editor has consulted a range of material and sorted it into a simple, practical explanation, which I hope answers those doubts. Please follow along!

1. What is keystone?

Keystone is the identity service of OpenStack, which can be understood as a 'permission-related' component for the time being.

2. Why should there be keystone?

The main purpose of the Keystone project is to provide a unified authentication method for accessing the various components of openstack (nova, cinder, glance, ...). Specifically:

Openstack is a system composed of many components whose job is to provide services, so we can treat it as one "huge piece of software", and no software can leave security out of account. What distinguishes Keystone from the usual application scenario is that it has to solve unified authentication in a distributed environment.

3. The functions of keystone

Openstack has an SOA architecture: in theory each sub-project provides its services independently of the others and is distributed. For example, nova provides compute services and glance provides image services.

In practice all components depend on keystone (it is a single point on which everything relies), which combines three functions:

(1) Authentication (managing authentication): verifying the identity of a user.

(2) Authorization: role-based privilege management.

(3) Service catalog (catalog of services): providing a service catalog (ServiceCatalog, consisting of services and endpoints), similar in concept to UDDI. Users (whether the Dashboard or an API client) query Keystone to obtain the list of services and the address of each service (called an Endpoint in Openstack).

4. Detailed explanation of the concepts of keystone, part 1

User: a client that uses Openstack components; it can be a person, a service or a system. Any client that accesses an openstack component needs a user name.

Credentials: data used to confirm the identity of a user. To put it bluntly, it is a "token". Specifically, it can be:

User name and password

User name and API key

An identity token assigned by Keystone

Authentication:

Is the process of verifying the identity of a user. The Keystone service determines the identity of the user by checking the user's Credentials.

At first, the user name / password or user name / API key is used as the credential. Once the user's credential is verified, Keystone assigns an authentication token to the user for subsequent requests.

Access control based on user role (Role) is achieved through Policy (access rules) in Keystone.

Token:

Is a string of characters that you must "show" when accessing resources. Keystone introduces the token mechanism to protect users' access to resources, and PKI (Public Key Infrastructure) to protect the tokens themselves.

A Token covers the resources that can be accessed within a specified scope and validity period. For example, in Nova a tenant's scope may be some virtual machines; in Swift and Glance, some image storage; in Networking, some network resources.

Role:

Is essentially a collection of ACLs, used to divide permissions.

You can assign a Role to a User so that the User obtains the operation permissions corresponding to that Role.

The Token that Keystone returns to the User contains a list of Roles. The Service being accessed determines, from the Token the User presents, which Roles the User holds and what permissions each Role has to access resources or perform operations.

The system has two default Roles: the management Role admin and the member Role user (in the past, the normal user role was _member_).

A User must be validated together with a Project (Tenant).

Policy:

For the Keystone service, the Policy is a JSON file, by default /etc/keystone/policy.json. By configuring this file, Keystone implements Role-based rights management for Users.

In addition to authenticating a User, OpenStack also needs to verify whether the User has permission to access a Service. The Policy mechanism is used to control the User's operation permissions on the resources in a Project (Tenant).
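To make the Policy mechanism concrete, here is an added example (not Keystone's own code, and a simplification of what oslo.policy does) that evaluates rules written in the classic policy.json style. The policy text is constructed for the example; the rule names and "role:", "rule:", "user_id:%(user_id)s" forms follow the file's conventions.

```python
import json

# Constructed policy.json excerpt in the classic Keystone style (not the real default file).
POLICY_JSON = """{
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:list_users": "rule:admin_required",
    "identity:get_user": "rule:admin_or_owner",
    "identity:list_projects": ""
}"""


def check_atom(atom, rules, creds, target):
    """One 'kind:value' term. 'rule:' recurses into another named rule, 'role:' checks
    the role list carried by the token, and any other key compares a credential with a
    literal or with a %(field)s taken from the target object (e.g. the user being read)."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, rules, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])  # missing target field -> None -> deny below
    return value is not None and str(creds.get(kind)) == str(value)


def enforce(action, rules, creds, target=None):
    """Evaluate the rule string for an action: 'and' binds tighter than 'or', an empty
    rule allows everyone, an action with no rule is denied. Parentheses are not
    supported in this simplified evaluator."""
    target = target or {}
    if action not in rules:
        return False
    rule = rules[action].strip()
    if rule == "":
        return True
    return any(all(check_atom(a.strip(), rules, creds, target) for a in clause.split(" and "))
               for clause in rule.split(" or "))


def load_policy(text=POLICY_JSON):
    """Parse the policy file into the rules dict used by enforce()."""
    return json.loads(text)
```

The credentials dict stands for what the authtoken middleware hands a service after Keystone validates the token (user id, roles), so a role change takes effect at the next token validation without touching the policy file.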

Project (Tenant):

Is a collection of resources owned by a person or a service. Resources are isolated between different Projects, and quotas can be set on them.

A Project (Tenant) can contain multiple Users, and each User uses the resources in the Project (Tenant) according to its assigned permissions. For example, when you create a virtual machine through Nova you must assign it to a Project, and when you create a volume in Cinder you must specify a Project.

Before a User can access the resources of a Project, it must be associated with that Project, and the Role of the User within the Project must be specified. An assignment is therefore a Project-User-Role triple.

Service: that is, the individual component services running in Openstack.

Endpoint:

Is an address at which an Openstack service can be reached and located over the network, usually a URL.

Different regions have different endpoints (multiple regions can be defined through the region attribute of an endpoint).

When Nova needs to access the Glance service to get the image, Nova gets the endpoint of the Glance by accessing the Keystone, and then gets the Glance service by accessing the endpoint.

Endpoint is divided into three categories:

Admin url -> for admin users, port 35357

Internal url -> used by OpenStack internal services to communicate with other services, port 5000

Public url -> address that Internet users can access, port 5000

Catalog:

Users and services can use the catalog managed by keystone to locate other services. The catalog is the collection of services deployed by openstack; each service has one or more endpoints (that is, accessible url addresses), so catalog = services + endpoints. Each endpoint is of one of three types:

Admin, internal, public. In a production environment, the different endpoint types are placed on different networks for different users (to improve security), for example:

Public API: visible to the entire Internet, so customers can easily manage their own cloud.

Admin API: this API should be strictly restricted to operators within the organization that manages the cloud infrastructure.

Internal API: should be restricted to hosts that have OpenStack services installed.

Introduction to the relationship between Service and Endpoint

In openstack, each service has three kinds of endpoint: admin, public and internal (after you create the service, you need to create an API EndPoint for it).

Admin is used for administrative purposes, such as the ability to modify user/tenant (project).

Public is for customers to call; for example, it can be deployed on the external network so that customers can manage their own cloud.

Internal is called internally by openstack.

The permissions open to the three kinds of endpoints on the network are generally different. Admin is usually only open to the private network, public is usually open to the public network, and internal is usually only open to machines with openstack services installed.

An example of endpoint

We use keystone to create custom endpoints for the service 5d533c68-d234-11e6-a0d7-0088653ea1ec:

$ keystone endpoint-create \
    --region RegionOne \
    --service-id=5d533c68-d234-11e6-a0d7-0088653ea1ec \
    --publicurl='https://public-ip:8776/v1/%(tenant_id)s' \
    --internalurl='https://management-ip:8776/v1/%(tenant_id)s' \
    --adminurl='https://management-ip:8776/v1/%(tenant_id)s'

You can then configure an OpenStack service to reach another service through the internalurl of that service's endpoint.

Regions:

OpenStack supports multiple, scalable regions. For simplicity, the management network ip address is generally used as the ip for all endpoint types (the three apis), and all endpoint types are placed in one region, RegionOne.

Every openstack service you deploy needs to be bound to endpoints (stored in keystone) to provide a service entry point, so the first component to deploy is keystone.

New concepts in V3:

Rename Tenant to Project

Added the concept of Domain

Added the concept of Group

Part II

Keystone manages and stores user information; manages the tenants, roles, groups and domains related to a user; stores and verifies user credentials; and manages tokens. The following figure shows the relationship between these parts.

Part III

User: has account credentials, is associated with one or more projects or domains

Group: a collection of users, is associated with one or more projects or domains

Project: unit of ownership in OpenStack, contains one or more users

Domain: unit of ownership in OpenStack, contains users, groups and projects

Role: a first-class piece of metadata associated with many user-project pairs.

Token: identifying credential associated with a user or user and project

Extras: bucket of key-value metadata associated with a user-project pair.

Rule: describes a set of requirements for performing an action.

Note: user2, user3 and user4 can, like user1, also belong to one or more groups. Their connections are omitted here for simplicity.

5. Components contained in keystone

Keystone consists of three types of components:

1 Server

A centralized server that provides authentication and authorization services through a RESTful interface (the three kinds of API).

2 Drivers

Drivers, or service backends, integrated into the server, used to access identity information held in stores outside the openstack components (mysql, for instance, is not an openstack component/service) that may already exist in the deployed architecture (for example, SQL databases or LDAP servers).

3 Modules

Middleware that runs in the address space of the openstack components that use the authentication service. These modules (middleware) intercept service requests, extract the user's credentials and send them to the server for authentication and authorization. The middleware integrates directly with the openstack components through the Python Web Server Gateway Interface (wsgi).

6. The relationship between keystone and other openstack services

7. Keystone workflow in collaboration with other components

Keystone is the first service a user interacts with on the cloud platform. Once authentication passes, the user uses that identity to access other openstack services. In turn, the openstack service being accessed reconfirms the user with keystone (rather than taking the user's word for it), and other services can be located through keystone (thanks to the catalog). Keystone can also integrate with other user management systems, such as LDAP.

8. Detailed explanation of the keystone workflow

(1) The User obtains a token and the service list from Keystone.

(2) When the User accesses a service, it presents its token.

(3) The service verifies the validity of the token with Keystone.

User alice logs in to the keystone system (with a password or token) and obtains a temporary token and the catalog (service directory); in v3, if no scope (project or domain) is specified at login, the temporary token obtained has no permissions and cannot be used to query the project or catalog.

Alice obtains the list of all her own projects using the temporary token.

Alice selects a project and logs in again with that project specified, obtaining a formal token and the endpoints of the service list. The user selects an endpoint, carries the token in the HTTP header and sends the request (a user who already knows the project name or project id can log in at this step directly).

After the message arrives at the endpoint, the keystone middleware on the server side (nova; filter:authtoken in the pipeline) sends a request to keystone to verify the token. (Token types: a uuid token must be verified against keystone; a pki token is an encrypted string containing the user's details and can be verified on the server itself.)

After keystone verifies the token successfully, it returns the user details corresponding to the token, such as role, username and userid, to the server (nova).

The server (nova) completes the request, for example creating a virtual machine.

The server returns the result of the request to alice.
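The workflow above and the catalog/endpoint section earlier, as an added example that simulates both sides of the exchange offline (this is not OpenStack code; MiniKeystone, its in-memory token store and the CATALOG sample are constructed for the example, and the token format stands in for a uuid-style opaque token):

```python
import secrets
import time

# Constructed catalog in the shape Keystone v3 returns (catalog = services + endpoints).
CATALOG = [{"type": "compute", "name": "nova", "endpoints": [
    {"interface": "public", "region": "RegionOne", "url": "https://public-ip:8774/v2.1"},
    {"interface": "internal", "region": "RegionOne", "url": "https://management-ip:8774/v2.1"}]}]


class MiniKeystone:
    """In-memory stand-in for the Keystone server (constructed for this example)."""
    def __init__(self, users, assignments, catalog):
        self.users = users              # username -> password
        self.assignments = assignments  # (username, project) -> list of roles
        self.catalog = catalog
        self.tokens = {}                # opaque uuid-style token -> token data

    def authenticate(self, username, password, project=None, ttl=3600):
        """Steps 1/3 of the flow: password login, unscoped or scoped to a project."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        data = {"user": username, "project": project, "roles": [], "catalog": [],
                "expires": time.time() + ttl}
        if project is not None:  # only a project-scoped token carries roles and a catalog
            roles = self.assignments.get((username, project))
            if not roles:
                raise PermissionError("no role assignment on that project")
            data.update(roles=roles, catalog=self.catalog)
        token = secrets.token_hex(16)
        self.tokens[token] = data
        return token, data

    def list_projects(self, token):  # step 2: what the unscoped token is used for here
        user = self.validate(token)["user"]
        return sorted(p for (u, p) in self.assignments if u == user)

    def validate(self, token):
        """Steps 4/5: the round trip nova's authtoken middleware makes for a uuid token."""
        data = self.tokens.get(token)
        if data is None or data["expires"] < time.time():
            raise PermissionError("invalid or expired token")
        return data


def find_endpoint(catalog, service_type, interface="internal", region="RegionOne"):
    """Resolve a service to one URL from the catalog, as Nova does before calling Glance."""
    for svc in catalog:
        if svc["type"] == service_type:
            for ep in svc["endpoints"]:
                if ep["interface"] == interface and ep["region"] == region:
                    return ep["url"]
    return None
```

The service would send the request with the token in the X-Auth-Token header, and the token data returned by validate() (roles, project) is what the service's policy check then consumes.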

At this point, the study of "what is the workflow and service relationship of openstack cloud computing keystone components" is over. I hope it has answered your doubts. Combining theory with practice helps you learn better, so go and try it! If you want to continue learning more related knowledge, please keep following the website; the editor will keep working to bring you more practical articles!
