原连接
http://blog.chinaunix.net/uid-21335514-id-3497996.html
keystone的v3 API与v2.0相比有很大的不同,从API的请求格式到response的返回结果都有差别,主要几点如下:
1. 引入了domain的概念,domain是在project,user, group之上抽象出的一个概念,是指
container for projects, users and groups
2. v3中用project代替了以前的v2.0的tenant概念
3. v3的验证/auth/tokens,相比v2.0的/tokens,token的ID不再在body中包含,而是在返回header中的X-Subject-Token
4. v3还在验证上引入plugin方式,
[auth]
methods = password,token
password = keystone.auth.methods.password.Password
token = keystone.auth.methods.token.Token
可以添加自己的plugin来对keystone自己的auth方式进行定制化
关于auth这一部分:因为token有scoped和non-scoped的区别:
Scoped
1. project
If a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project
2. domain
Alternatively, a domain name may be used to uniquely identify the project.
A token scoped to a project will also have a service catalog, along with the user's roles applicable to the project. Example response:
A token scoped to a domain will also have a service catalog along with the user's roles applicable to the domain. Example response:
Non-scoped
1. user
If the user is specified by name, then the domain of the user must also be specified in order to uniquely identify the user
因为社区的开发方式,keystoneclient的开发和keystone并不是完全同步,加上keystone的v3还没有完全开发完毕,
所以现在用的keystoneclient还不完全支持v3 keystone。如果你要提前用keystoneclient,那就需要修改其中v3的client的代码
5.兼容性
为了让v2.0 的scheme迁移到v3,v2.0会默认的使用(keystone,conf)
# default_domain_id = default
更多的参考资料,可以参看:
1. v3 API design:
https://etherpad.openstack.org/grizzly-keystone-v3api
2. v3 API doc
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md
