
The concept and implementation principle of Keystone

2025-01-16 Update From: SLTechnology News&Howtos (Servers)


Shulou (Shulou.com) 06/03 Report

I. The concept of Keystone

Keystone is the core project of Identity Service (the authentication service), one of the components of OpenStack. On the whole this project is not complex compared with the other projects: it resembles a service bus, and it can also be understood as the registry of the entire OpenStack service framework. The other OpenStack projects register their services with Keystone, and clients then obtain a service's Endpoint (the access point, or entry, of the service) through Keystone; a service may have one or more Endpoints. In addition, any call between services must first be authenticated by Keystone in order to obtain the Endpoint of the target service and access it.

Of course, since it is an authentication service, there must be some authentication mechanism behind it, so think about what examples of similar authentication can be found in everyday life.

In fact there are many such examples: the key to every household is a kind of authentication mechanism, logging in to an Alipay account with a password is a typical authentication mechanism, and all kinds of tickets can be regarded as authentication mechanisms too.

In a word, the Keystone project provides support to the other services through corresponding forms of authentication and authorization, and its main function is to manage users and services. So if we want to understand how users and services are managed, we need to be familiar with the main modules that make up Keystone.

II. The main components of Keystone

This section introduces the concepts and functions involved in Keystone's management of users and services. The terms used in the introduction are described in detail below and can be looked up and understood on your own.

2.1 User

Represents a consumer of a service, which can be a person, a service, or a system; any object that uses an OpenStack service can be called a User. When a User accesses OpenStack, Keystone verifies its identity. A verified User can log in to the OpenStack cloud platform and access resources using the Token issued to it (explained below). A User can be assigned to one or more Tenants or Projects (described below).

2.2 Tenant

Represents a tenant, which groups the resources a user has access to, or isolates the resources provided from each other; it acts as a container and is also known as a Project.

There can be many Users in a Tenant, and a User can belong to multiple Tenants, but must belong to at least one. The limit on the resources available in a Tenant is called the Tenant Quota; think of the disk quotas managed by the Linux file system. Quota here simply means an allotted limit. Users can use the resources in the Tenant according to the permissions assigned to them.

2.3 Token

Represents the token that carries proof of authentication: a string assigned by Keystone that is used to access the OpenStack API and resource services. A user's Token can be revoked at any time, and a Token is time-limited. In OpenStack a Token is bound to a specific Tenant, so if a user belongs to multiple Tenants, he or she holds multiple time-limited Tokens.

2.4 Credential

Represents the user's credentials: the data used to prove the user's identity, which can be a user name and password, a user name and API Key, or the Token assigned by Keystone after authentication.

2.5 Authentication

Represents authentication, the process of verifying the identity of a user. Combining the concepts above, the process is briefly as follows.

First, the user requests access, and the Keystone service determines the user's identity by checking the user's Credential; when the user is authenticated for the first time, the user name and password or the user name and API Key serve as the Credential. Then, after the user's Credential is verified, Keystone assigns an Authentication Token to the user (who must belong to at least one Tenant) for use in subsequent requests.

2.6 Service

Represents a service provided by OpenStack, such as Nova, Swift or Glance. Each service provides one or more Endpoints (entry points of the service) through which users in different roles access and operate on resources.

2.7 Endpoint

Represents the entry point of a service: a network address on which the service listens for requests. To access a service, the client needs the service's Endpoint (usually a URL that can be accessed). In the OpenStack service architecture, mutual access between services likewise requires the Endpoint of the target service.

2.8 Role

Represents a role, similar to an access control list (ACL): a collection of permissions. It is mainly used to assign permissions for operations. A Role can be assigned to a User so that the User obtains the operation rights corresponding to the Role. In fact, in Keystone's authentication mechanism, the Token assigned to a user contains the list of the user's roles.

In other words, the function of a Role can be understood as follows: when a service is accessed by a user, the service interprets the permissions of the roles in the user's role list (such as which operations may be performed and which resources may be accessed).

2.9 Policy

Represents a policy that controls whether a User in a Tenant has permission for an operation. That is, through the Policy mechanism, according to a configuration file (by default the policy.json file in the /etc/keystone/ directory), Keystone can decide what actions a User can and cannot perform.
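To show how such policy rules are applied, here is an added example (not code from the article or from Keystone itself): a minimal Python evaluator for rules written in the style of Keystone's policy.json, run against the role list carried in a user's Token. The "owner" and "admin_or_owner" rule definitions are assumed for illustration, and the evaluator only understands "or"/"and" chains without parentheses.

```python
# Added example: a minimal evaluator for policy rules in the style of the
# Keystone policy.json file. The "owner" and "admin_or_owner" definitions are
# assumed here (constructed for illustration); the other entries mirror the
# kind of rules Keystone ships. Only flat "or"/"and" chains are supported.
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",                         # assumed definition
    "admin_or_owner": "rule:admin_required or rule:owner",  # assumed definition
    "identity:get_project": "rule:admin_required",
    "identity:list_projects": "rule:admin_required",
    "identity:delete_user": "rule:admin_required",
    "identity:change_password": "rule:admin_or_owner",
}

def _check(atom, creds, target):
    """Evaluate one 'kind:value' atom against the caller's credentials."""
    kind, _, value = atom.partition(":")
    if "%(" in value:            # substitute attributes of the target object
        try:
            value = value % target
        except KeyError:         # target lacks the attribute: no match
            return False
    if kind == "rule":           # reference to another named rule
        return enforce(value, creds, target)
    if kind == "role":           # role carried in the user's Token
        return value in creds.get("roles", [])
    return str(creds.get(kind, "")) == value   # e.g. is_admin:1, user_id:...

def enforce(name, creds, target=None):
    """Return True if the credentials satisfy the named action or rule.
    Unknown actions are denied (default deny)."""
    expr = POLICY.get(name)
    if expr is None:
        return False
    target = target or {}
    return any(all(_check(atom.strip(), creds, target) for atom in conj.split(" and "))
               for conj in expr.split(" or "))
```

Credentials are what the service reads out of the validated Token (roles, user id); the target is the object being operated on, which is how an owner-only rule can pass for a non-admin.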

The format of the file is as follows (just get a general idea):

    {
        "admin_required": "role:admin or is_admin:1",
        ...
        "identity:get_project": "rule:admin_required",
        "identity:list_projects": "rule:admin_required",
        ...
        "identity:delete_user": "rule:admin_required",
        "identity:change_password": "rule:admin_or_owner",
    }

III. Architecture understanding of Keystone

When the previous article introduced the architecture of OpenStack, I gave the following architecture diagram; you may remember it or have seen it in other articles before:

Through this diagram we can see intuitively that the Keystone service of Identity Service is the project that provides unified, overall authentication: it not only establishes the relationship between itself and users, but also serves as the link through which other services access resources and perform other operations.

The internal structure diagram of Keystone is as follows:

The structure is very simple: the upper part is the API for Keystone's services and management, and the lower part is the corresponding collection of back-end services, such as Token, Catalog, Policy and Identity. It is worth adding here that Keystone can integrate commonly used directory services such as LDAP (Lightweight Directory Access Protocol).

IV. The working principle of Keystone

From the above you should by now have your own understanding of the main functions, components and structural model of Keystone. So let's take a look at how Keystone works, or rather how it responds.

The following walks through the Keystone authentication process for a user creating an instance, using the diagram to introduce the response process of the whole Keystone service. While reading the process, keep in mind the role of each of the 9 components described above, and think it through yourself to deepen your understanding.

The response process between Keystone and the other services is described below, taking the creation of a virtual machine instance as an example:

Established once:

1. The user first sends identity information (user name and password, or user name and API key) to Keystone, and after successful verification Keystone allocates a Token to the user.

Three requests, three confirmations:

2. The user then sends an instance creation request carrying the Token to Nova. After receiving the request, Nova asks Keystone to verify the Token in order to determine whether it is valid.

3. Once the Token has been confirmed valid, Nova sends an image transfer request carrying the Token to the Glance service, and Glance likewise asks Keystone to verify the validity of the Token.

4. Once the Token has been confirmed valid, Glance formally provides image catalog lookup and delivery services to Nova. After obtaining the image, Nova continues by sending a network creation request carrying the Token to Neutron, and Neutron then verifies the validity of the Token with Keystone.

5. Once the Token has been confirmed valid, Neutron allows Nova to use the network services.

One end result:

6. Nova successfully starts the virtual machine and returns a notification to the user that the instance has been created successfully.
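As an added example (not code from the article or from OpenStack), the following Python model plays through the six steps above with constructed users and tenants: Keystone checks the credential, issues a tenant-bound, time-limited Token, and Nova, Glance and Neutron each re-validate that Token with Keystone before serving, so an expired or revoked Token is rejected at the first service in the chain.

```python
import secrets
import time

# Added example (not Keystone's own code): a toy model of the six-step flow.
# USERS is constructed sample data: name -> (password, {tenant: roles}).
USERS = {"alice": ("s3cret", {"demo": ["member"], "ops": ["admin"]})}

class Keystone:
    """Checks credentials, issues tenant-bound time-limited tokens, validates them."""
    def __init__(self, ttl=3600):
        self.ttl, self.tokens, self.revoked = ttl, {}, set()

    def authenticate(self, user, password, tenant, now=None):
        """Step 1: credential check; returns a token id, or None on failure."""
        now = time.time() if now is None else now
        stored, tenants = USERS.get(user, (None, {}))
        if stored is None or not secrets.compare_digest(stored, password):
            return None
        if tenant not in tenants:            # a Token is bound to one Tenant
            return None
        tid = secrets.token_hex(16)
        self.tokens[tid] = {"user": user, "tenant": tenant,
                            "roles": list(tenants[tenant]), "expires": now + self.ttl}
        return tid

    def validate(self, tid, now=None):
        """Called by each service; returns the Token data, or None if invalid."""
        now = time.time() if now is None else now
        data = self.tokens.get(tid)
        if data is None or tid in self.revoked or now >= data["expires"]:
            return None
        return dict(data)

    def revoke(self, tid):
        self.revoked.add(tid)

def create_instance(keystone, tid, now=None):
    """Steps 2-6: Nova, Glance and Neutron each re-validate the Token with
    Keystone before serving; the chain stops at the first rejection."""
    trace = []
    for service, action in (("nova", "create instance"), ("glance", "deliver image"),
                            ("neutron", "create network")):
        info = keystone.validate(tid, now)
        if info is None:
            trace.append((service, action, "rejected: invalid token"))
            return trace, "instance creation failed"
        trace.append((service, action, "ok for %s in tenant %s" % (info["user"], info["tenant"])))
    return trace, "instance created"
```

Passing an explicit `now` makes the expiry behaviour reproducible; omit it to use the wall clock.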

V. Theoretical summary of Keystone

The purpose of this article was to introduce the function and working principle of Keystone, focusing on the authentication service Keystone provides, which consists of nine main parts; keep in mind the relationship between Keystone, the other components and users, and most importantly how Keystone works. You should be very familiar with the response workflow.
