
[Openstack] Understanding Openstack keystone (1)

What is this Keystone anyway?

http://mirantis.blogspot.com/2011/09/what-is-this-keystone-anyway.html

The simplest way to authenticate a user is to ask for credentials (login+password, login+keys, etc.) and check them against some database. But when it comes to many separate services, as in the OpenStack world, we have to rethink that. The main problem is the inability to use one user identity to be authorized everywhere. For example, a user expects Nova to take their credentials and create or fetch images (in Glance) or set up networks in Quantum. This cannot be done without a central authentication and authorization system.

So now we have one more OpenStack project: Keystone. It is intended to hold all the common information about users and their capabilities across the other services, along with a list of those services themselves. We have spent some time explaining to our friends what it is, why it exists and how it works, and now we have decided to blog about it. What follows is an explanation of every entity that drives Keystone's life. Of course, this explanation can become outdated in no time, since the Keystone project is very young and is developing very fast. (It has, in part: later releases and the v3 API call a tenant a project and the private endpoint interface internal, but the entities below are still the ones to understand.)

The first basis is the user. Users are users; they represent someone or something that can gain access through Keystone. Users come with credentials that can be checked, such as passwords or API keys.

The second one is the tenant. It represents what is called the project in Nova, meaning something that aggregates a number of resources in each service. For example, a tenant can have some machines in Nova, a number of images in Swift/Glance, and a couple of networks in Quantum. Users are always bound to some tenant by default.

The third and last authorization-related kind of object is the role. A role represents a group of users that is assumed to have some access to resources, e.g. some VMs in Nova and a number of images in Glance. A user can be given any role either globally or within a tenant. In the first case the user gains the access implied by the role to the resources in all tenants; in the second, access is limited to the resources of that one tenant. For example, a user can be an operator of all tenants and an admin of his own playground.

Now let's talk about service discovery. With the first three primitives, any service (Nova, Glance, Swift) can check whether or not the user has access to a resource. But to access some service in a tenant, the user has to know that the service exists and find a way to reach it. So the basic objects here are services; they are really just distinguished names. The roles we talked about earlier can be not only general but also bound to a service. For example, when Swift requires administrator access to create some object, it should not require the user to have administrator access to Nova too. To achieve that, create two separate Admin roles, one bound to Swift and another bound to Nova. After that, admin access to Swift can be given to a user with no impact on Nova, and vice versa.
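As an added example (not from the original post, and not Keystone's own code), here is a small Python model of the role semantics in the last two paragraphs: a grant is either global or scoped to one tenant, and a role may be bound to one service so that Swift's Admin says nothing about Nova. The users, tenants and role names are made up for the illustration.

```python
"""Toy model of the role semantics described above: a role is granted either
globally (covering every tenant) or within one tenant, and may additionally be
bound to one service. Added illustration only, not Keystone code; the users,
tenants and role names are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional

GLOBAL = None  # scope marker: the grant applies in every tenant


@dataclass(frozen=True)
class Role:
    name: str
    service: Optional[str] = None  # None: general role, honoured by every service


@dataclass
class User:
    name: str
    default_tenant: str
    grants: set = field(default_factory=set)  # {(Role, tenant name or GLOBAL)}

    def grant(self, role, tenant=GLOBAL):
        self.grants.add((role, tenant))

    def has_role(self, role_name, tenant, service):
        """True if some grant of `role_name` covers `tenant` for a request to `service`.
        A global grant covers every tenant; a general role covers every service;
        a service-bound role covers only that one service."""
        for role, scope in self.grants:
            if role.name != role_name:
                continue
            if scope is not GLOBAL and scope != tenant:
                continue
            if role.service is not None and role.service != service:
                continue
            return True
        return False


def authorize(user, tenant, service, required_role):
    """The question a service puts to Keystone: may `user` act as `required_role`
    on `tenant`'s resources held by `service`?"""
    return user.has_role(required_role, tenant, service)


def build_example():
    operator = Role("operator")           # general role, valid for any service
    admin = Role("admin")                 # general admin role
    swift_admin = Role("Admin", "swift")  # two separate Admin roles, one per service,
    nova_admin = Role("Admin", "nova")    # so Swift admin rights imply nothing in Nova

    alice = User("alice", "playground")
    alice.grant(operator)                 # operator of all tenants (global grant)
    alice.grant(admin, "playground")      # admin only in her own playground

    bob = User("bob", "storage")
    bob.grant(swift_admin, "storage")     # Swift admin in "storage", no impact on Nova
    carol = User("carol", "storage")
    carol.grant(nova_admin, "storage")    # Nova admin in "storage", no impact on Swift
    return alice, bob, carol
```

The three `continue` checks are the whole policy: name must match, scope must be global or the tenant asked about, and a service binding must match the service asking. Anything else falls through to a deny.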

To access a service, we have to know its endpoint. So Keystone has endpoint templates that describe all existing endpoints of all existing services. One endpoint template provides the list of URLs for reaching one instance of a service: a public, a private and an admin URL. The public one is meant to be reachable from the outside world (like http://compute.example.com), the private one from the local network (like http://compute.example.local), and the admin one is used where admin access to the service is separated from common access (as it is in Keystone, whose admin API manages users and tenants, so that URL should be reachable only from the management network).

Now we have the global list of services that exist in our farm, and we can bind tenants to them. Every tenant can have its own list of service instances; the binding entity is named the endpoint, which "plugs" the tenant into one service instance. This makes it possible, for example, for two tenants to share a common image store but use distinct compute servers.

That is a long list of entities involved in the process, but how does it actually work?

To access some service, users provide their credentials to Keystone and receive a token. The token is just a string that Keystone internally ties to the user and the tenant. This token travels between services with every user request, and with the requests one service makes to another while processing the user's request. Note that such a token is a bearer credential: anyone who obtains it can act as that user until it expires, so it must only be carried over TLS and should be short-lived.

The user then finds the URL of the service they need. If the user, for example, wants to spawn a new VM instance in Nova, they look up Nova's URL in the list of endpoints provided by Keystone and send the appropriate request.

Nova verifies the validity of the token with Keystone and then has to create an instance from the image with the given image ID and plug it into some network. First, Nova passes the token on to Glance to fetch the image stored there. Then it asks Quantum to plug the new instance into a network; Quantum checks in its own database whether the user has access to that network, and checks the VM's interface by requesting information from Nova. All along the way the token travels between the services, so that they can ask Keystone or each other for additional information or actions.

Here is a rough diagram of this process:

(diagram not reproduced)
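The following Python sketch is an added example, not code from the post or from Keystone. It strings together the endpoint templates and tenant bindings from the earlier paragraphs and the token flow just described: credentials are exchanged for an opaque token plus the tenant's catalog, the client picks Nova's public URL out of that catalog, and Nova, Glance and Quantum each validate the same token with Keystone before doing anything. The users, tenants, URLs, image and network ids and the in-memory token store are all constructed for the example.

```python
"""Toy walk-through of the token flow and service discovery described above.
Added illustration only, not Keystone code; users, tenants, URLs, image and
network ids and the in-memory token store are all constructed for the example."""
import hashlib, hmac, os, secrets, time
from collections import namedtuple

Token = namedtuple("Token", "user tenant expires")  # what Keystone remembers per token
_hash = lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Keystone:
    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.users = {}      # name -> (salt, password hash, default tenant)
        self.templates = {}  # instance -> (service, {"public": url, "internal": url})
        self.bindings = {}   # tenant -> set of instances the tenant is "plugged" into
        self.tokens = {}     # opaque token string -> Token; only Keystone holds this map

    def add_user(self, name, password, tenant):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt), tenant)

    def add_template(self, instance, service, public, internal):
        self.templates[instance] = (service, {"public": public, "internal": internal})

    def bind(self, tenant, *instances):
        self.bindings.setdefault(tenant, set()).update(instances)

    def authenticate(self, name, password):  # credentials -> (token, catalog) or None
        rec = self.users.get(name)
        if rec is None or not hmac.compare_digest(rec[1], _hash(password, rec[0])):
            return None
        token = secrets.token_urlsafe(32)  # bearer string: whoever holds it acts as the user
        self.tokens[token] = Token(name, rec[2], time.time() + self.ttl)
        return token, self.catalog(rec[2])

    def catalog(self, tenant):  # only the service instances this tenant is bound to
        return {i: self.templates[i] for i in sorted(self.bindings.get(tenant, ()))}

    def validate(self, token):
        t = self.tokens.get(token)
        return None if t is None or t.expires <= time.time() else t

class Service:
    def __init__(self, name, keystone):
        self.name, self.keystone = name, keystone

    def _auth(self, token):  # every service asks Keystone before doing any work
        t = self.keystone.validate(token)
        if t is None:
            raise PermissionError(f"{self.name}: invalid or expired token")
        return t

class Glance(Service):
    images = {"img-1": "cirros-0.3"}

    def get_image(self, token, image_id):
        self._auth(token)
        return self.images[image_id]

class Quantum(Service):
    networks = {"net-1": {"tenant-a"}}  # network id -> tenants allowed to attach

    def plug(self, token, network_id, instance_id):
        t = self._auth(token)
        if t.tenant not in self.networks.get(network_id, ()):
            raise PermissionError(f"quantum: {t.tenant} may not use {network_id}")
        return f"{instance_id}@{network_id}"

class Nova(Service):
    def __init__(self, name, keystone, glance, quantum):
        super().__init__(name, keystone)
        self.glance, self.quantum = glance, quantum

    def boot(self, token, image_id, network_id):
        t = self._auth(token)                                     # 1. validate with Keystone
        image = self.glance.get_image(token, image_id)            # 2. same token on to Glance
        instance_id = f"vm-{t.tenant}-{image_id}"
        port = self.quantum.plug(token, network_id, instance_id)  # 3. ...and on to Quantum
        return {"instance": instance_id, "image": image, "port": port}

def build():
    ks = Keystone()
    ks.add_user("alice", "s3cret", "tenant-a")
    ks.add_user("bob", "hunter2", "tenant-b")
    ks.add_template("compute-a", "nova", "http://compute-a.example.com", "http://compute-a.example.local")
    ks.add_template("compute-b", "nova", "http://compute-b.example.com", "http://compute-b.example.local")
    ks.add_template("images", "glance", "http://images.example.com", "http://images.example.local")
    ks.bind("tenant-a", "compute-a", "images")  # the two tenants share one image store
    ks.bind("tenant-b", "compute-b", "images")  # but are plugged into distinct compute servers
    return ks, Nova("nova", ks, Glance("glance", ks), Quantum("quantum", ks))

def spawn_vm(ks, nova, user, password, image_id, network_id):
    auth = ks.authenticate(user, password)  # client side: credentials -> token + catalog
    if auth is None:
        raise PermissionError("keystone: bad credentials")
    token, catalog = auth
    nova_url = next(urls["public"] for svc, urls in catalog.values() if svc == "nova")
    return nova_url, nova.boot(token, image_id, network_id)
```

What the toy makes visible: a token issued to bob sees a catalog with compute-b rather than compute-a, and Quantum refuses it for tenant-a's network even though Nova accepted it; an unknown or expired token fails at the first service that checks it, because none of them trusts the string without asking Keystone.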



