Much of the design is precipitated from the expectation that the auth backends for most deployments will actually be shims in front of existing user systems.
The Services
Keystone is organized as a group of internal services, each of which exposes one or more endpoints.
Many of these services are used in a combined fashion by the frontend. For example, an authenticate call will use the Identity service and, if successful, will then use the Token service to create and return a token.
1. Identity
The Identity service provides credential validation and the management of Users, Tenants and Roles, together with their associated metadata.
In the basic case, this service manages all of the above data itself and provides CRUD operations on it.
In other cases, this data is pulled, by varying degrees, from an authoritative backend service. An example of this would be when backending on LDAP. See LDAP Backend below for more details.
2. Token
The Token service validates and manages Tokens once a user's or tenant's credentials have been authenticated.
3. Catalog
The Catalog service provides an endpoint registry.
4. Policy
The Policy service provides a rule-based authorization engine and an associated rule-management interface.
Application Construction
Keystone is an HTTP front end to these services. Like other OpenStack applications, it uses the Python WSGI interface, and the application is assembled with Paste. The application's HTTP endpoints are made up of pipelines of WSGI middleware.
[pipeline:public_api]
pipeline = token_auth admin_token_auth json_body debug ec2_extension public_service
These, in turn, are subclasses of keystone.common.wsgi.ComposingRouter that connect URLs to Controllers (subclasses of keystone.common.wsgi.Application). Within each Controller, one or more Managers are loaded (for example, see keystone.catalog.core.Manager); a Manager is a thin wrapper class that loads the appropriate service driver based on the Keystone configuration.
Identity
keystone.identity.core.TenantController
keystone.identity.core.UserController
keystone.identity.core.RoleController
Catalog
keystone.catalog.core.ServiceController
keystone.service.VersionController
Token
keystone.service.TokenController
Misc
keystone.service.ExtensionController
The Policy service and its Manager are not exposed through the URL front end, and so have no corresponding Controller.
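The pipeline line above reads left to right: the first filter is the outermost wrapper, the last name is the application that answers the request. The following is an added example, not Keystone's code, that reproduces that composition with plain WSGI callables and a subset of the page's filter names (token_auth, admin_token_auth, json_body). The filter bodies, the ADMIN_TOKEN value, the request paths and the "trace" key recorded in the environ are all this example's own assumptions; in Keystone the admin token comes from keystone.conf and the filters live in keystone.middleware.

```python
import functools
import hmac
import io
import json

# Constructed value for this example; a real deployment reads admin_token from keystone.conf.
ADMIN_TOKEN = 'example-admin-token'


def token_auth(app):
    """Copy X-Auth-Token into the request context without validating it."""
    def middleware(environ, start_response):
        environ.setdefault('trace', []).append('token_auth')
        ctx = environ.setdefault('openstack.context', {})
        ctx['token_id'] = environ.get('HTTP_X_AUTH_TOKEN')
        return app(environ, start_response)
    return middleware


def admin_token_auth(app, admin_token):
    """Flag the context as admin only when the token equals the configured admin token."""
    def middleware(environ, start_response):
        environ.setdefault('trace', []).append('admin_token_auth')
        ctx = environ.setdefault('openstack.context', {})
        presented = ctx.get('token_id') or ''
        # Constant-time comparison so response timing does not reveal matching prefixes.
        ctx['is_admin'] = hmac.compare_digest(presented.encode(), admin_token.encode())
        return app(environ, start_response)
    return middleware


def json_body(app):
    """Parse a JSON request body into environ['openstack.params']; reject malformed JSON."""
    def middleware(environ, start_response):
        environ.setdefault('trace', []).append('json_body')
        length = int(environ.get('CONTENT_LENGTH') or 0)
        raw = environ['wsgi.input'].read(length) if length else b''
        if raw:
            try:
                environ['openstack.params'] = json.loads(raw)
            except ValueError:
                start_response('400 Bad Request', [('Content-Type', 'application/json')])
                return [b'{"error": "malformed JSON body"}']
        return app(environ, start_response)
    return middleware


def public_service(environ, start_response):
    """Terminal application: echoes the context the filters built up."""
    ctx = environ.get('openstack.context', {})
    payload = {
        'is_admin': ctx.get('is_admin', False),
        'params': environ.get('openstack.params'),
    }
    start_response('200 OK', [('Content-Type', 'application/json')])
    return [json.dumps(payload).encode()]


# Filter registry: name -> factory that takes the downstream app (the role Paste's
# filter_factory entries play when it reads the [pipeline:...] section).
REGISTRY = {
    'token_auth': token_auth,
    'admin_token_auth': functools.partial(admin_token_auth, admin_token=ADMIN_TOKEN),
    'json_body': json_body,
}

# Subset of the page's public_api pipeline, in the same order as the paste.deploy line.
PIPELINE = ['token_auth', 'admin_token_auth', 'json_body']


def build_pipeline(names, registry, app):
    """Wrap app so that names[0] becomes the outermost filter, as Paste does."""
    for name in reversed(names):
        app = registry[name](app)
    return app


def run_request(app, headers=None, body=b''):
    """Drive a WSGI app with a constructed environ; returns (status, decoded body, environ)."""
    environ = {
        'REQUEST_METHOD': 'POST',
        'PATH_INFO': '/v2.0/tokens',
        'CONTENT_LENGTH': str(len(body)),
        'wsgi.input': io.BytesIO(body),
    }
    for name, value in (headers or {}).items():
        environ['HTTP_' + name.upper().replace('-', '_')] = value
    captured = {}

    def start_response(status, response_headers):
        captured['status'] = status

    out = b''.join(app(environ, start_response))
    return captured['status'], json.loads(out), environ


if __name__ == '__main__':
    app = build_pipeline(PIPELINE, REGISTRY, public_service)
    print(run_request(app, {'X-Auth-Token': ADMIN_TOKEN}, b'{"auth": {}}')[:2])
```

Because each filter only sees the environ its predecessors have already populated, the order in the pipeline line is a security property: admin_token_auth would see no token at all if it were listed before token_auth, and a body-parsing filter placed before authentication does work on behalf of unauthenticated callers.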
Service Backends
Each configured service uses a backend, which allows Keystone to fit a variety of environments and needs. The backend for each service is defined in the keystone.conf file by the key driver under that service's section.
Under each backend there is a base class named Driver. The base classes for these services are:
keystone.identity.core.Driver
keystone.token.core.Driver
If you implement a backend driver for a Keystone service, it should subclass one of these classes. The default response of the APIs these Drivers define is a keystone.service.TokenController.
1. KVS Backend
A simple backend interface meant to be further backended on anything that can support primary key lookups, the most trivial implementation being an in-memory dict.
Supports all features of the general data model.
2. SQL Backend
A SQL based backend using SQLAlchemy to store data persistently. The keystone-manage command introspects the backends to identify SQL based backends when running "db_sync" to establish or upgrade schema. If the backend driver has a method db_sync(), it will be invoked to sync and/or migrate schema.
3. PAM Backend
An additional simple backend that authenticates against the current system's PAM service and provides a one-to-one relationship between Users and Tenants.
4. Templated Backend
Largely designed for a common use case around service catalogs in the Keystone project, a Catalog backend that simply expands pre-configured templates to provide catalog data.
Example paste.deploy config (uses $ instead of % to avoid ConfigParser's interpolation):
[DEFAULT]
catalog.RegionOne.identity.publicURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.name = 'Identity Service'
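The template keys follow a fixed catalog.<region>.<service>.<attribute> shape, and the $(name)s placeholders are Python %-style substitutions with $ standing in for %. As an added example (not Keystone's own templated catalog implementation), the code below parses lines of that shape into a nested region/service/attribute dictionary, expands the placeholders, and reports any placeholder the caller failed to supply rather than letting a half-expanded URL into the catalog. The compute line with $(tenant_id)s and the port values passed at the bottom are this example's constructed additions to the page's four identity lines.

```python
import re

# Constructed template text: the page's four identity lines plus one compute line
# added here to show a second service and a per-request placeholder.
TEMPLATE_LINES = """
catalog.RegionOne.identity.publicURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.name = 'Identity Service'
catalog.RegionOne.compute.publicURL = http://localhost:8774/v1.1/$(tenant_id)s
"""

PLACEHOLDER = re.compile(r'\$\((\w+)\)s')


def parse_templates(text):
    """Turn catalog.<region>.<service>.<attr> = value lines into a nested dict."""
    catalog = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('['):
            continue  # blank lines, comments and section headers carry no catalog data
        key, sep, value = line.partition('=')
        parts = key.strip().split('.')
        if not sep or len(parts) != 4 or parts[0] != 'catalog':
            raise ValueError(f'unrecognized catalog template line: {line}')
        _, region, service, attr = parts
        catalog.setdefault(region, {}).setdefault(service, {})[attr] = value.strip().strip('\'"')
    return catalog


def missing_variables(catalog, values):
    """Placeholders referenced by any template but absent from values."""
    needed = set()
    for services in catalog.values():
        for attrs in services.values():
            for template in attrs.values():
                needed.update(PLACEHOLDER.findall(template))
    return sorted(needed - set(values))


def expand_catalog(catalog, values):
    """Render every template with the supplied values; refuse to emit partial results."""
    missing = missing_variables(catalog, values)
    if missing:
        raise ValueError(f'missing template variables: {", ".join(missing)}')
    expanded = {}
    for region, services in catalog.items():
        for service, attrs in services.items():
            for attr, template in attrs.items():
                # Same trick the page describes: $ was used so ConfigParser leaves the
                # string alone; swap it back to % and let Python do the substitution.
                rendered = template.replace('$(', '%(') % values
                expanded.setdefault(region, {}).setdefault(service, {})[attr] = rendered
    return expanded


if __name__ == '__main__':
    parsed = parse_templates(TEMPLATE_LINES)
    # Example values only: 5000 is the port this example assumes for the public API.
    print(expand_catalog(parsed, {'public_port': 5000, 'tenant_id': 'tenant-id-placeholder'}))
```

Checking for unsupplied placeholders before rendering matters because a catalog entry is what clients use to locate other services: an unexpanded or empty endpoint URL fails loudly here rather than being served to every client that asks for the catalog.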
5. LDAP Backend
The LDAP backend stores Users and Tenants in separate subtrees. Roles are recorded as entries under the Tenants.
Data Model
Keystone was designed from the start to support multiple backends, and therefore a wide range of access methods and data types. The main data types are as follows:
User: has account credentials, and is associated with one or more tenants
Tenant: unit of ownership in OpenStack, contains one or more users
Role: a first-class piece of metadata associated with many user-tenant pairs
Token: identifying credential associated with a user, or with a user and tenant
Extras: bucket of key-value metadata associated with a user-tenant pair
Rule: set of requirements for performing an operation
The data model also allows a many-to-many relationship between Users and Tenants, and a many-to-one relationship between Extras and User-Tenant pairs.
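The Driver base class, the Manager that loads it from configuration, the KVS backend's "anything with primary key lookups" contract and the data model's relationships all come together in one small implementation. The following is an added example, not code from Keystone: an abstract identity Driver, a dict-backed KVS driver keyed by primary key, and a Manager that picks the driver named in a configuration mapping. The method names, the DRIVERS registry, the tuple-shaped keys and the password hashing scheme are this example's own choices; Keystone's real keystone.identity.core.Driver defines a different and larger interface.

```python
import abc
import hashlib
import hmac
import os
import uuid


class Driver(abc.ABC):
    """Identity backend contract (this example's own, modelled on the page's description)."""

    @abc.abstractmethod
    def create_user(self, name, password): ...

    @abc.abstractmethod
    def create_tenant(self, name): ...

    @abc.abstractmethod
    def add_user_to_tenant(self, tenant_id, user_id, roles=()): ...

    @abc.abstractmethod
    def authenticate(self, user_id, password, tenant_id=None): ...

    @abc.abstractmethod
    def get_tenants_for_user(self, user_id): ...


def _hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 so the in-memory store never holds a plaintext credential."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000)


class KvsIdentity(Driver):
    """Primary-key store on a plain dict; keys are ('user', id), ('tenant', id) and
    ('metadata', user_id, tenant_id) tuples, the last being the Extras bucket."""

    def __init__(self):
        self.db = {}

    def create_user(self, name, password):
        user_id = uuid.uuid4().hex
        salt, digest = _hash_password(password)
        self.db[('user', user_id)] = {'id': user_id, 'name': name,
                                      'salt': salt, 'password': digest}
        return user_id

    def create_tenant(self, name):
        tenant_id = uuid.uuid4().hex
        self.db[('tenant', tenant_id)] = {'id': tenant_id, 'name': name}
        return tenant_id

    def add_user_to_tenant(self, tenant_id, user_id, roles=()):
        # Many-to-many users/tenants, but exactly one Extras record per (user, tenant) pair.
        if ('tenant', tenant_id) not in self.db or ('user', user_id) not in self.db:
            raise KeyError('unknown user or tenant')
        self.db[('metadata', user_id, tenant_id)] = {'roles': list(roles)}

    def authenticate(self, user_id, password, tenant_id=None):
        user = self.db.get(('user', user_id))
        if user is None:
            return None
        _, digest = _hash_password(password, user['salt'])
        if not hmac.compare_digest(digest, user['password']):
            return None
        if tenant_id is not None and ('metadata', user_id, tenant_id) not in self.db:
            return None  # valid credentials, but not a member of the requested tenant
        roles = self.db.get(('metadata', user_id, tenant_id), {}).get('roles', [])
        return {'user_id': user_id, 'tenant_id': tenant_id, 'roles': roles}

    def get_tenants_for_user(self, user_id):
        return sorted(key[2] for key in self.db
                      if key[0] == 'metadata' and key[1] == user_id)


# Stand-in for resolving the [identity] driver = ... setting in keystone.conf.
DRIVERS = {'kvs': KvsIdentity}


class Manager:
    """Thin wrapper that loads the configured driver and delegates every call to it."""

    def __init__(self, conf):
        self.driver = DRIVERS[conf['identity']['driver']]()

    def __getattr__(self, name):
        return getattr(self.driver, name)


def demo():
    """Constructed scenario: two users, two tenants, one user in both tenants."""
    mgr = Manager({'identity': {'driver': 'kvs'}})
    alice = mgr.create_user('alice', 'correct horse')
    bob = mgr.create_user('bob', 'battery staple')
    project_a = mgr.create_tenant('project-a')
    project_b = mgr.create_tenant('project-b')
    mgr.add_user_to_tenant(project_a, alice, roles=['member'])
    mgr.add_user_to_tenant(project_b, alice, roles=['admin'])
    mgr.add_user_to_tenant(project_a, bob)
    return mgr, alice, bob, project_a, project_b


if __name__ == '__main__':
    mgr, alice, bob, project_a, project_b = demo()
    print(mgr.authenticate(alice, 'correct horse', project_b))
```

The tenant check in authenticate is the point where the many-to-many relationship becomes an authorization decision: a correct password for a user who is not in the requested tenant yields no token-worthy result, and the roles returned are scoped to that single user-tenant pair rather than to the user globally.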