
Communication between keystone and swift storage

asked 2018-01-29 01:44:17 -0600

napoelon2110

updated 2018-01-31 00:33:54 -0600

Hi,

I'm learning OpenStack.

I do not understand the authentication process between keystone and swift storage in the picture below.

https://camo.githubusercontent.com/3a270867d0207a859785591dc956762d66ee3cd5/687474703a2f2f322e62702e626c6f6773706f742e636f6d2f2d625069416635566b57694d2f56456f423458625a5270492f41414141414141414146732f41426c396961786e7968512f73313630302f4b657973746f6e655f6964656e746974794d67722d6469616772616d2e706e67 (image description)

Can you help me make this communication into a flow chart or anything easier to understand? Thank you in advance.


1 answer


answered 2018-01-31 03:51:43 -0600

There are several ways of getting authenticated; when you use the CLI, you normally start at step 3, providing credentials (user and password), project and domain. The image still uses the term tenant for project.

Keystone replies with a token, which Alice sends to the service, e.g. Swift.

Step 4: The service contacts Keystone to validate the token. I don’t know whether the check “does it allow the service usage” is really done at this stage.

Step 5: Keystone replies that the token is valid and provides information including the roles this user has in the project. This is important, since roles are the most common authorization factor when checking the policy.

Keystone has done its work. Steps 6 and 7 just execute the request.

I believe that Horizon starts with step 1, since you log on without providing the project. In step 2, Horizon obtains the possible projects, from which Alice can select using a drop-down list once she is logged on. At this point, Horizon probably obtains a token that it reuses as long as it doesn’t expire. That is, for each further action like launching an instance, Horizon will start at the 2nd half of step 3 (not sure if that is its behaviour, and if it can be configured).
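
Steps 3 to 7 from the answer above, modelled as an added Python example that is not part of the original answer and is not OpenStack code. The `Keystone` and `Swift` classes, `allowed_roles`, the 201/401/403 status returns, the caller-supplied `now` clock and the sample users are all assumptions made for illustration; it also treats a token scoped to a different project as a policy denial.

```python
import secrets

class Keystone:  # in-memory stand-in for the identity service, not the real API
    def __init__(self, users, assignments, ttl=3600):
        self.users = users              # {(domain, user): password}
        self.assignments = assignments  # {(domain, user, project): [roles]}
        self.ttl, self.tokens = ttl, {}

    def issue_token(self, domain, user, password, project, now):
        # Step 3: credentials plus project and domain in, project-scoped token out.
        stored = self.users.get((domain, user))
        if stored is None or not secrets.compare_digest(stored, password):
            raise PermissionError("invalid credentials")
        roles = self.assignments.get((domain, user, project))
        if not roles:
            raise PermissionError("no role on project")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "project": project,
                              "roles": list(roles), "expires": now + self.ttl}
        return token

    def validate(self, token, now):
        # Steps 4-5: a valid token comes back with the user's roles in the project.
        data = self.tokens.get(token)
        return data if data and data["expires"] > now else None

class Swift:  # stand-in for the object service; allowed_roles acts as its policy
    def __init__(self, keystone, allowed_roles):
        self.keystone, self.allowed_roles, self.objects = keystone, set(allowed_roles), {}

    def put_object(self, token, project, name, body, now):
        info = self.keystone.validate(token, now)   # steps 4-5
        if info is None:
            return 401                              # unknown or expired token
        if info["project"] != project or not self.allowed_roles & set(info["roles"]):
            return 403                              # valid token, but policy denies
        self.objects[(project, name)] = body        # steps 6-7: execute the request
        return 201

def demo():
    # Constructed sample data: alice holds "member" on "photos", bob only "reader".
    ks = Keystone({("Default", "alice"): "pw-a", ("Default", "bob"): "pw-b"},
                  {("Default", "alice", "photos"): ["member"],
                   ("Default", "bob", "photos"): ["reader"]}, ttl=60)
    swift = Swift(ks, allowed_roles=["member"])
    alice = ks.issue_token("Default", "alice", "pw-a", "photos", now=0)
    bob = ks.issue_token("Default", "bob", "pw-b", "photos", now=0)
    return [swift.put_object(alice, "photos", "a.jpg", b"x", now=10),   # accepted
            swift.put_object(bob, "photos", "b.jpg", b"x", now=10),     # role not allowed
            swift.put_object(alice, "photos", "c.jpg", b"x", now=61)]   # token expired
```

The 401 and 403 outcomes are separate on purpose: the first means Keystone did not vouch for the token at all, the second means the token was valid but the roles it carried did not satisfy the service's policy.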
