Keystone's authentication and authorization function in OpenStack
Keystone is an OpenStack service that provides API client authentication, service discovery, and distributed multi-tenant authorization by implementing OpenStack’s Identity API.
keystone
https://docs.openstack.org/keystone/latest/
Some concepts in OpenStack
http://blog.chinaunix.net/uid-15041-id-4807612.html
Distinguishing the concepts of user, tenant, and role in OpenStack
http://blog.csdn.net/abc1235678/article/details/51955050
1. User
Represents a natural person who has account information such as a user name, password, and email address. Create a user named "hui" as follows:
$ keystone user-create --name=hui --pass=password --email=hui@example.com
2. Tenant
A tenant can be understood as a project, team, or organization. You must specify a corresponding tenant before you can request an OpenStack service; for example, if you request the Compute service as a given tenant to query the list of currently running instances, you will receive that tenant's list of running instances and will not be able to see the running instances of any other tenant.
The command to create a tenant named "acm" is as follows:
$ keystone tenant-create --name=acm
3. Role
Represents the operating permissions of a user within a specific tenant; a role can be created with the following command:
$ keystone role-create --name=compute-user
You can think of tenants as the customers who use your cloud environment. These customers may be a project group, a work group, or a company, and within each customer different accounts (users) are created together with their corresponding permissions (roles).
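The three concepts only make sense together: a role is granted to a user within one tenant, a token is scoped to that tenant and carries only those roles, and a service filters its answer by the token's tenant. The following is an added model of that flow using the page's names (user "hui", tenant "acm", role "compute-user"); it is not Keystone's code, and the second tenant "research", the policy rules and the instance list are constructed sample data.

```python
"""Model of tenant-scoped role assignment and the RBAC check a service
performs on a scoped token.  Added example, not Keystone's own code; the
policy rules are constructed in the spirit of a service's policy.json."""
from dataclasses import dataclass

# Role assignments are keyed by (user, tenant): a role is held *within*
# a tenant, never globally.  Constructed sample data.
ASSIGNMENTS = {
    ("hui", "acm"): {"compute-user"},
    ("hui", "research"): set(),   # member of the tenant, but no role there
}

@dataclass(frozen=True)
class ScopedToken:
    user: str
    tenant: str
    roles: frozenset

def issue_token(user, tenant):
    """Keystone step: the token is scoped to one tenant and carries only
    the roles the user holds in that tenant; unknown pairs get no token."""
    roles = ASSIGNMENTS.get((user, tenant))
    return None if roles is None else ScopedToken(user, tenant, frozenset(roles))

# Constructed policy: each action maps to alternatives (OR), each of which is
# the set of roles that must all be present (AND).  Unknown actions are denied.
POLICY = {
    "compute:get_all": [{"compute-user"}, {"admin"}],
    "compute:delete": [{"admin"}],
}

def enforce(action, token):
    """Service step: allow if the token's roles satisfy any alternative."""
    return any(required <= token.roles for required in POLICY.get(action, []))

def list_instances(token, instances):
    """Compute's instance listing: policy check first, then the result is
    filtered to the token's tenant, so other tenants' instances never leak."""
    if not enforce("compute:get_all", token):
        raise PermissionError(f"{token.user} lacks compute:get_all in {token.tenant}")
    return [inst for inst in instances if inst["tenant"] == token.tenant]

INSTANCES = [  # constructed sample data
    {"name": "web-1", "tenant": "acm"},
    {"name": "db-1", "tenant": "acm"},
    {"name": "sim-9", "tenant": "research"},
]

if __name__ == "__main__":
    token = issue_token("hui", "acm")
    print([inst["name"] for inst in list_instances(token, INSTANCES)])
```

Requesting the same listing with a token scoped to "research" is denied, because hui's compute-user role exists only in "acm".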
Operator Documentation
This section contains the documentation for deploying and operating the keystone service.
[*] Configuring Keystone
[*] Setting up other OpenStack Services
[*] Identity sources
[*] Service Catalog
[*] Endpoint Filtering
[*] Endpoint Policy
[*] SSL
[*] OAuth1 1.0a
[*] Token Binding
[*] Limiting list return size
[*] Health Check middleware
[*] API protection with Role Based Access Control (RBAC)
[*] Preparing your deployment
[*] Supported clients
[*] Advanced Topics
[*] Federated Identity
[*] Configuring Keystone for Tokenless Authorization
[*] Time-based One-time Password (TOTP)
[*] Keystone Event Notifications
[*] Using external authentication with Keystone
User Documentation
This section contains the documentation for end-users of keystone.
[*] User Documentation
[*] API Examples using Curl
CLI Documentation
This section details information related to keystone-manage.
[*] CLI Documentation
[*] keystone-manage
Administrator Guides
[*] Administrator Guides
[*] Identity concepts
[*] Bootstrapping Identity
[*] Manage projects, users, and roles
[*] Create and manage services and service users
[*] Certificates for PKI
[*] Domain-specific configuration
[*] URL safe naming of projects and domains
[*] External authentication with Identity
[*] Integrate Identity with LDAP
[*] Upgrading Keystone
[*] Keystone tokens
[*] Configure Identity service for token binding
[*] Fernet - Frequently Asked Questions
[*] Use trusts
[*] Caching layer
[*] Security compliance and PCI-DSS
[*] Performance and scaling
[*] Example usage and Identity features
[*] Authentication middleware with user name and password
[*] Identity API protection with role-based access control (RBAC)
[*] Troubleshoot the Identity service
[*] Token provider
[*] Federated Identity
[*] Credential Encryption
Configuration Options
[*] Keystone Configuration Options
[*] API Configuration options
[*] Policy configuration
[*] Sample configuration files