
Communication between keystone and swift storage

asked 2018-01-29 01:44:17 -0500

napoelon2110

updated 2018-01-31 00:33:54 -0500


I'm learning OpenStack.

I do not understand the authentication process between keystone and swift storage in the picture below. (image description)

Can you help me make this communication into a flow chart or anything easier to understand? Thank you in advance.


1 answer


answered 2018-01-31 03:51:43 -0500

There are several ways of getting authenticated; when you use the CLI, you normally start at step 3, providing credentials (user and password), project and domain. The image still uses the term tenant for project.

Keystone replies with a token, which Alice sends to the service, e.g. Swift.

Step 4: The service contacts Keystone to validate the token. I don’t know whether the check “does it allow the service usage” is really done at this stage.

Step 5: Keystone replies that the token is valid and provides information including the roles this user has in the project. This is important, since roles are the most common authorization factor when checking the policy.

Keystone has done its work. Steps 6 and 7 just execute the request.

I believe that Horizon starts with step 1, since you log on without providing the project. In step 2, Horizon obtains the possible projects, from which Alice can select using a drop-down list once she is logged on. At this point, Horizon probably obtains a token that it reuses as long as it doesn’t expire. That is, for each further action like launching an instance, Horizon will start at the 2nd half of step 3 (not sure if that is its behaviour, and if it can be configured).

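The flow the answer walks through (steps 3 to 7), as an added example that is not part of the original answer and is not OpenStack code: a simplified in-memory model in Python. `ToyKeystone`, `swift_handle`, the `POLICY` table and the sample user are all hypothetical; real Keystone and Swift exchange these messages over HTTP.

```python
import secrets
import time

POLICY = {"GET": {"reader", "member"}, "PUT": {"member"}}  # constructed role policy

class ToyKeystone:
    """In-memory stand-in for Keystone: issues and validates project-scoped tokens."""
    def __init__(self, users, assignments, ttl=3600, clock=time.time):
        self.users = users              # {(domain, user): password}, plaintext only in this toy
        self.assignments = assignments  # {(domain, user, project): [roles]}
        self.ttl, self.clock = ttl, clock
        self.tokens = {}                # token -> (context, expires_at)

    def issue_token(self, domain, user, password, project):
        # Step 3: credentials, project and domain go in; a scoped token comes out.
        stored = self.users.get((domain, user))
        if stored is None or not secrets.compare_digest(stored, password):
            return None
        roles = self.assignments.get((domain, user, project))
        if not roles:
            return None                 # no role on the project, so no scoped token
        token = secrets.token_urlsafe(32)
        ctx = {"user": user, "project": project, "roles": list(roles)}
        self.tokens[token] = (ctx, self.clock() + self.ttl)
        return token

    def validate(self, token):
        # Steps 4-5: the service asks; Keystone answers with identity and roles.
        entry = self.tokens.get(token)
        if entry is None or entry[1] <= self.clock():
            return None                 # unknown or expired token
        return entry[0]

def swift_handle(keystone, token, method, project):
    """Stand-in for Swift: it never sees the password, only the token."""
    ctx = keystone.validate(token)      # step 4: ask Keystone about the token
    if ctx is None:
        return 401
    if ctx["project"] != project or not POLICY.get(method, set()) & set(ctx["roles"]):
        return 403                      # wrong scope, or roles fail the policy check
    return 200                          # steps 6-7: the request is executed

if __name__ == "__main__":
    # Constructed sample data: alice holds only the "reader" role on project "demo".
    ks = ToyKeystone({("Default", "alice"): "s3cret"}, {("Default", "alice", "demo"): ["reader"]})
    token = ks.issue_token("Default", "alice", "s3cret", "demo")
    for method in ("GET", "PUT"):
        print(method, swift_handle(ks, token, method, "demo"))
    print("bogus token", swift_handle(ks, "not-a-token", "GET", "demo"))
```

The service's decision depends only on what the validation returns, which is why an expired token is rejected even though the password behind it is still correct.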
