2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains the role of the Keystone components in OpenStack, which many people may not understand well. The following summary of each concept is intended to make them clearer.
User
A User represents a person or program that can gain access through Keystone. Users are verified by authentication information (credentials, such as a password or API keys).
Tenant
A Tenant is a collection of accessible resources in each service. For example, in Nova a tenant can be a set of machines, in Swift and Glance a tenant can be some image storage, and in Quantum a tenant can be some network resources. Users are always bound to some tenant by default.
Role
A Role represents a set of resource permissions that users can be granted, such as access to virtual machines in Nova or images in Glance. Users can be added to any global or intra-tenant role. With a global role, the user's role permissions apply to all tenants, that is, the permissions specified by the role can be exercised on every tenant; with a role within a tenant, the user can exercise the permissions specified by the role only within the current tenant.
Service
A Service is a service such as Nova, Glance, or Swift. Based on the first three concepts (User, Tenant and Role), a service can confirm whether the current user has access to its resources. But when a user tries to access a service within their tenant, they must know whether the service exists and how to access it; different names are usually used to represent different services. The Role mentioned above can also be bound to a service. For example, when Swift requires administrator access for object creation, the same role does not necessarily need administrator access to Nova. To achieve this, create two separate administrator roles, one bound to Swift and the other to Nova, so that administrator access to Swift does not affect Nova or other services.
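The scoping rules above (global role versus role within a tenant, and roles bound to a single service) can be expressed as a default-deny check. This is an added example, not Keystone's own code; the class, function and sample user and tenant names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of the role scoping described in the text.
# Not Keystone code: all names and sample data are hypothetical.


@dataclass(frozen=True)
class RoleAssignment:
    user: str
    role: str                     # e.g. "admin"
    service: str                  # service the role is bound to, e.g. "swift"
    tenant: Optional[str] = None  # None = global role (applies to all tenants)


def is_allowed(assignments, user, role, service, tenant):
    """Return True if `user` holds `role` on `service` within `tenant`."""
    for a in assignments:
        if a.user != user or a.role != role:
            continue
        if a.service != service:
            continue  # a swift-bound admin role grants nothing on nova
        if a.tenant is None or a.tenant == tenant:
            return True  # global role, or role inside the requested tenant
    return False  # default deny: no matching assignment


# Constructed sample data.
ASSIGNMENTS = [
    RoleAssignment("alice", "admin", "swift", tenant="tenant-a"),  # tenant role
    RoleAssignment("bob", "admin", "nova"),                        # global role
]

if __name__ == "__main__":
    for check in [
        ("alice", "admin", "swift", "tenant-a"),  # True
        ("alice", "admin", "swift", "tenant-b"),  # False: other tenant
        ("alice", "admin", "nova", "tenant-a"),   # False: other service
        ("bob", "admin", "nova", "tenant-b"),     # True: global role
    ]:
        print(check, is_allowed(ASSIGNMENTS, *check))
```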
Endpoint
An Endpoint is an access point exposed by a service; to access a service, you must know its endpoint. Keystone therefore includes an endpoint template (visible in the conf folder when Keystone is installed), which provides information about all existing service endpoints. An endpoint template contains a list of URLs; each URL in the list corresponds to the access address of a service instance and is one of three kinds: public, private, or admin.
Public URL: can be accessed globally (such as http://compute.example.com), port 5000
Private URL: can only be accessed from the local area network (such as http://compute.example.local), port 5000
Admin URL: separated from regular access, port 35357
Credentials
A credential is used to confirm the identity of the user. To put it bluntly, it is a "token", which can be:
(1): user name and password
(2): user name and API Key (secret key). Methods (1) and (2) are used to confirm the user's identity for the first time.
(3): a token assigned by Keystone. Method (3) is used after the user's identity has been confirmed (the token is time-limited).
Authentication
(1): The process of verifying a user. The Keystone service determines the identity of the user by checking the user's Credentials.
(2): The first authentication uses a user name and password or a user name and API Key. Once the user's Credentials are verified, Keystone assigns an Authentication token to the user for subsequent requests (the returned token contains the Role list of the User).
Token
(1): It is a string of numbers that users need to present when accessing resources. Keystone introduces the token mechanism mainly to protect users' access to resources. One of the PKI, PKIZ, Fernet and UUID random encryption schemes is used to generate the string of numbers that protects the token.
(2): A token is not valid indefinitely; it is time-limited, and resources can be accessed only within its validity period.
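The flow described under Credentials, Authentication and Token (first authentication with user name and password, then a time-limited token carrying the user's role list) is modelled below. This is an added example, not Keystone's implementation; the `IdentityService` class, the one-hour lifetime and the opaque random token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Simplified in-memory model of the flow in the text; not Keystone code.
# IdentityService, TOKEN_TTL and the storage layout are hypothetical.
TOKEN_TTL = 3600  # assumed token lifetime in seconds


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityService:
    def __init__(self, ttl=TOKEN_TTL):
        self.ttl = ttl
        self._users = {}   # name -> (salt, password hash, roles)
        self._tokens = {}  # token -> (user, roles, expires_at)

    def add_user(self, name, password, roles):
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, _hash(password, salt), tuple(roles))

    def authenticate(self, name, password, now=None):
        """First authentication: user name + password -> token, or None."""
        now = time.time() if now is None else now
        record = self._users.get(name)
        if record is None:
            return None
        salt, stored, roles = record
        if not hmac.compare_digest(stored, _hash(password, salt)):
            return None
        token = secrets.token_hex(16)  # opaque random value, 32 hex chars
        self._tokens[token] = (name, roles, now + self.ttl)
        return token

    def validate(self, token, now=None):
        """Subsequent requests: (user, roles), or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, roles, expires_at = entry
        if now >= expires_at:
            del self._tokens[token]  # expired tokens are dropped
            return None
        return user, roles
```

The `now` parameter exists only so the expiry behaviour can be exercised deterministically; callers normally omit it.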
Policy
(1): For the Keystone service, Policy is a JSON file; with an rpm installation it defaults to /etc/keystone/policy.json. By configuring this file, Keystone implements Role-based rights management for User (User