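Reposting of this blog is welcome, but please keep the original author information (@孔令贤HW)! The content comes from my own study, research and summarizing; any resemblance to other work is an honor!
Users: a specific consumer of the API, belonging to one specified domain. A user can be granted permissions (roles); each user-domain or user-project pairing can carry its own set of permissions.
Groups: a set of users that share certain permissions, belonging to one specified domain. A group can be granted specific roles, in which case every user in the group automatically has the permissions those roles represent.
Credentials: the authentication credentials associated with a user. A user may have one or more credentials, and a credential is associated with one project.
Projects: in OpenStack, a set of resources (that is, the Tenants of the Folsom release; the Tenant concept was deprecated in the G release). A project belongs to one domain.
Domains: a collection of projects and users. Each project or user can belong to only one domain, but a user can belong to multiple projects. A domain carries the notion of a namespace, that is, whether a name within a namespace is globally unique.
Roles: a set of operations permitted within the scope of a project or domain.
Services: a category of service.
Endpoints: the URL of a service.
Tokens: an identifier representing an authenticated user, generated by the authentication service. There is no resource URL for tokens; tokens are used in the X-Auth-Token and X-Subject-Token headers.
The relationships between the objects are as follows: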
Comments
Comment 2
lynnkong
2013-02-04
lzy.je wrote:
Just forward domain namespace explaining of Keystone v3 API from Henry Nash mail (henryn@linux.vnet.ibm.com):
Thanks for your addition. I just follow "https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md"
I think the design goal of components of OpenStack is more and more for public cloud, including "cell" that you told me in my last post. I'm a beginner, and just follow and learn.
Comment 1
lzy.je
2013-02-03
Just forward domain namespace explaining of Keystone v3 API from Henry Nash mail (henryn@linux.vnet.ibm.com):
So a few things are going on here:
1) Traditionally (in the pre-domain world), user name was "globally unique"....which really means unique within all openstack services sharing a keystone instance. The same was true of tenant name.
2) In v3, if we kept this the same, then enterprises would find this restriction (particularly the one for tenants) unacceptable - some of them will expect free-rein over what they can call any names attribute (e.g. project name, user name etc.) inside the domain in which they are being hosted
3) So v3, optionally allows the creation of a domain with a private name space for user names and/or project names
4) For Users, when they are created, you can optionally specify the domain they are "owned by". If you specify a domain (say, "Kent") which was created with a private user name space, then for that specific user, its name only has to be unique within that domain (i.e. there can be other "David"'s in other private user space domains as well as a "David" shared across all other non-private domains). That is what the comment is trying to say.
5) To answer your other questions specifically:
- How do you tell if a user name is globally or domain-unique? For a v3 api, the domain_id of the owning domain is in the user entity, look that up and see if it has the 'private_user_namespace' flag set to True.
- Who is the owner of a "globally unique username"? It can be any domain that has 'private_user_namespace' flag set to False, including the default domain
On 26 Jan 2013, at 17:08, Dolph Mathews wrote:
- In your example of the two different domains, these would not be the same user in the current implementation that is underway - i.e. a user is either globally-unique or domain-unique.
As an aside, we had the discussion as to whether we should just say that all domains have private name spaces....although we are trying to balance (as usual) backward compatibility with adding new features. For instance, one implication of a domain with a private user namespace is that, as Dolph says, you must either supply user_ID or username+domain in order to authenticate. We wanted to keep that requirement to ONLY those domains that really needed it...not make it the norm for v3. This would, for instance, allow a Folsom cloud provider, who hosts many individual or small enterprise accounts, to upgrade to Grizzly and
a) Continue to host all those existing accounts (by default all the users and projects will be in the default domain)
b) Start to add medium enterprises in domains (who perhaps are happy without private namespaces)...without affecting a)
c) Start to add some larger enterprises in domains with their own private namespaces...without affecting a) or b)
Henry
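The user-name uniqueness rule and the "user_ID or username+domain" login requirement described in the e-mail above, as an added example that is not part of the original comment and is not Keystone code. `private_user_namespace` is the flag named in the e-mail; the `Directory` class, its methods and the sample domains and users are hypothetical.

```python
class NameConflict(Exception):
    """Raised when a user name is already taken in the same namespace."""

SHARED = "<shared>"  # one namespace common to every non-private domain

class Directory:
    """Toy in-memory model of domains and users (hypothetical, not Keystone)."""
    def __init__(self):
        self.domains = {}  # domain_id -> private_user_namespace flag
        self.users = {}    # user_id -> (name, domain_id)

    def add_domain(self, domain_id, private_user_namespace=False):
        self.domains[domain_id] = private_user_namespace

    def namespace(self, domain_id):
        # A private domain is its own namespace; all others share one.
        return domain_id if self.domains[domain_id] else SHARED

    def add_user(self, user_id, name, domain_id):
        ns = self.namespace(domain_id)
        for other_name, other_domain in self.users.values():
            if other_name == name and self.namespace(other_domain) == ns:
                raise NameConflict(f"{name!r} is taken in namespace {ns!r}")
        self.users[user_id] = (name, domain_id)

    def resolve(self, user_id=None, name=None, domain_id=None):
        """Return the one user_id the login identifiers refer to, else None."""
        if user_id is not None:
            return user_id if user_id in self.users else None
        for uid, (n, d) in self.users.items():
            if n != name:
                continue
            # A bare name may only match a user in the shared namespace;
            # it must never fall through to a private-domain user.
            if domain_id is None and self.namespace(d) == SHARED:
                return uid
            if domain_id is not None and d == domain_id:
                return uid
        return None

def build_demo():
    """Constructed sample data: three users named David in three domains."""
    d = Directory()
    d.add_domain("default")
    d.add_domain("acme")  # non-private, shares the global namespace
    d.add_domain("kent", private_user_namespace=True)
    d.add_domain("york", private_user_namespace=True)
    d.add_user("u1", "David", "default")
    d.add_user("u2", "David", "kent")
    d.add_user("u3", "David", "york")
    return d
```

In this model a login that gives only "David" resolves to the shared-namespace user, while the Davids in "kent" and "york" are reachable only by user ID or by name plus domain.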