[Openstack] Keystone object model

Jesse Andrews anotherjesse at gmail.com
Wed Jun 22 00:29:49 UTC 2011


We need to make the relationship between keystone and users/tenants clearer.

When you authenticate against keystone, a service is sent a token with an associated User/Tenant.

The current backend of keystone supports a specific tenant/user model, but as far as the rest of openstack (nova/glance/swift/...), it should not make any assumptions about 1-1, 1-many, many-many.  

On Jun 20, 2011, at 8:32 AM, Rouault, Jason (Cloud Services) wrote:

> Is there an object data model for Keystone and a mapping to current Swift and Nova concepts?  I have the following questions:
>  
> 1)      The relationship between a Keystone Tenant and a Swift Account.  Is it 1-to-1, 1-to-many, many-to-many, what?

Should be 1-1 although I've not looked at the swift implementation.

> 2)      The relationship between a Keystone Tenant and a Nova Project. Is it 1-to-1, 1-to-many, many-to-many, what?

a tenant is a project - the KeystoneAuthShim does this conversion:

https://github.com/rackspace/keystone/blob/master/keystone/auth_protocols/nova_auth_token.py

> 3)      Relationship between a Keystone User and a Tenant?  Can a user be a member of multiple Tenants?

A user can be a member of multiple tenants by adding roles.

> 4)      The plan for group usage in Keystone.  I see three types of groups, Tenant Groups, User Groups, and Global Groups

Groups are being removed and are an extension for later.

> 5)      How will Keystone groups map to the notion of group in Swift?

above

> 6)      How will Keystone groups be used for Nova?

above

----------------------

All the CRUD around user/tenants/roles is specific to an implementation of keystone and is not part of the keystone API. 

Service providers and enterprise clouds will probably either provide their own implementation which would backend to existing accounts / users.

Jesse
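As an added illustration (not code from Keystone or from this thread), a small Python model of the rules described above: a user belongs to a tenant only through a role grant, so user-to-tenant is many-to-many; a token is scoped to exactly one tenant; and a consuming service decides from the token's scope and roles alone, assuming nothing about cardinality. User, tenant and role names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed sample directory: (user, tenant) -> role names held there.
# Membership exists only through a role grant, so a user may belong to any
# number of tenants and a tenant may hold any number of users.
GRANTS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "tenant-a"): {"Member"},
    ("alice", "tenant-b"): {"Admin"},
    ("bob", "tenant-a"): {"Member"},
}


@dataclass(frozen=True)
class Token:
    token_id: str
    user_id: str
    tenant_id: str      # the single tenant this token is scoped to
    roles: frozenset    # roles the user holds in that tenant


def tenants_for(user_id: str) -> Set[str]:
    """All tenants a user is a member of (derived from role grants)."""
    return {t for (u, t) in GRANTS if u == user_id}


def users_for(tenant_id: str) -> Set[str]:
    """All users holding at least one role in a tenant."""
    return {u for (u, t) in GRANTS if t == tenant_id}


def issue_token(user_id: str, tenant_id: str, token_id: str = "tok-1") -> Token:
    """Identity side (a model, not Keystone's own code): scope a token to one
    tenant only if the user holds at least one role in it."""
    roles = GRANTS.get((user_id, tenant_id))
    if not roles:
        raise PermissionError(f"{user_id} has no role in {tenant_id}")
    return Token(token_id, user_id, tenant_id, frozenset(roles))


def service_allows(token: Token, resource_tenant: str, needed_role: str) -> bool:
    """Consuming service side (e.g. nova, swift): authorize from the token's
    tenant scope and roles alone. A token scoped to one tenant grants nothing
    in another tenant, even if the same user is a member there too."""
    return token.tenant_id == resource_tenant and needed_role in token.roles


if __name__ == "__main__":
    tok = issue_token("alice", "tenant-b")
    print(sorted(tenants_for("alice")), service_allows(tok, "tenant-a", "Member"))
```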


