Identity & Multi-tenancy Overview

Private Cloud Director Identity Service provides API client authentication, service discovery, and distributed multi-tenant authorization for your Private Cloud Director environment.

Multi-Tenancy

Multi-tenancy is a core construct in Private Cloud Director and rests on four key building blocks:

  1. Domains

  2. Regions

  3. Tenants

  4. Users & Groups

Using a combination of these, you can create a Private Cloud Director deployment for:

  1. Single team with multiple users

  2. Multiple teams, each with multiple users

  3. Multiple separate sub-organizations, each with its own set of teams and users

Multi-tenancy is enabled by the Private Cloud Director Identity Service.

Identity Service

The Private Cloud Director Identity Service is organized as a group of services exposed on one or more endpoints. Clients such as the user interface and the pcdctl CLI use several of these services together to authenticate a user and then authorize each API request that user makes. For example, an authenticate call validates the user's credentials and the requested tenant scope with the Identity service and, on success, the Token service issues and returns a token that the client presents on subsequent requests. The Private Cloud Director Identity Service is built on the open source OpenStack Keystone project.

Identity

Identity is who an API consumer is: a user, and the groups that user belongs to. It is distinct from what that consumer is allowed to do, which is governed by roles and role assignments (described below). The Identity service validates authentication credentials and provides data about users and groups.

By default, users and groups created through the Identity Service are stored and managed directly by the Identity service, which also handles all create, read, update and delete operations on them. This is what happens when you create a user in the UI (open Tenants and Users under the settings menu, select Users in the left navigation bar, then create a new user), with the pcdctl CLI, or through the Identity service API. Users and groups managed this way are called local users and groups.

You can also integrate the Private Cloud Director Identity Service with your enterprise identity provider. In that case the information about users and groups is owned and managed by your authoritative backend, and the Identity service acts as a frontend for it; an LDAP directory is a typical example. The LDAP server is then the source of truth, user and group changes are made there rather than in the Identity service, and the role of the Identity service is to relay that information accurately.

Users

A user represents an individual API consumer. Every user is owned by exactly one domain, so user names are not globally unique; they are unique only within their domain. Two users named alice in different domains are two distinct identities.

Groups

A group is a container for a collection of users. Like a user, a group is owned by exactly one domain, so group names are unique only within their domain, not globally.

Domains

Domains are the top-level container for tenants (projects), users, groups and roles, and define the namespace within which those names must be unique. Read more here about Domains.

Tenants (Projects)

Tenants (called Projects in the API) are the base unit of ownership in Private Cloud Director; each tenant is owned by exactly one domain. Read more here about Tenants.

Roles

Roles determine the level of authorization a user can obtain on a resource. A role can be granted at either the domain or the tenant level, and can be assigned to an individual user or to a group (in which case every member of the group holds it). Role names are unique within the owning domain.

Role Assignments

A role assignment is a 3-tuple of a Role, a Resource and an Identity. The Identity is a user or a group; the Resource is any Private Cloud Director object to which permissions can be assigned, that is, a domain or a tenant; and the Role states what the Identity may do on that Resource. Authorization for a request is decided by collecting the assignments that match the caller (directly or through group membership) and the resource being accessed.
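The following is an added example, not Private Cloud Director or Keystone code, that models role assignments as (Identity, Resource, Role) 3-tuples and resolves a user's effective roles on a tenant or domain. It shows the two points the text makes: a role granted to a group is held by its members, and identities are keyed by (domain, name), so a same-named user in another domain picks up nothing. All users, groups, domains, tenants and role names are constructed sample data.

```python
"""Added example (not Private Cloud Director or Keystone code): a minimal model
of role assignments as (identity, resource, role) 3-tuples, showing how a user's
effective roles on a tenant or domain are resolved. All names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Union


@dataclass(frozen=True)
class User:
    domain: str  # a user is owned by a domain; its name is unique only within it
    name: str


@dataclass(frozen=True)
class Group:
    domain: str  # likewise for groups
    name: str


@dataclass(frozen=True)
class Domain:
    name: str


@dataclass(frozen=True)
class Tenant:
    domain: str  # a tenant (project) is owned by exactly one domain
    name: str


Identity = Union[User, Group]
Resource = Union[Domain, Tenant]


@dataclass(frozen=True)
class Assignment:
    """One role assignment: Identity x Resource x Role."""
    identity: Identity
    resource: Resource
    role: str


def effective_roles(user: User, resource: Resource,
                    memberships: Dict[Group, Set[User]],
                    assignments: List[Assignment]) -> Set[str]:
    """Roles `user` holds on `resource`, directly or through group membership.
    Matching is on the full (domain, name) identity and on the exact resource,
    so roles never leak to another tenant or to a same-named user elsewhere."""
    actors: Set[Identity] = {user}
    actors |= {g for g, members in memberships.items() if user in members}
    return {a.role for a in assignments
            if a.identity in actors and a.resource == resource}


# --- constructed sample data -------------------------------------------------
ENG, FIN = Domain("eng"), Domain("finance")
ALICE_ENG = User("eng", "alice")
ALICE_FIN = User("finance", "alice")  # same name, different domain: a different identity
OPS = Group("eng", "ops")
WEB = Tenant("eng", "web")
LEDGER = Tenant("finance", "ledger")

MEMBERSHIPS: Dict[Group, Set[User]] = {OPS: {ALICE_ENG}}
ASSIGNMENTS = [
    Assignment(OPS, WEB, "admin"),          # group-level grant on a tenant
    Assignment(ALICE_ENG, ENG, "reader"),   # user-level grant on a domain
    Assignment(ALICE_FIN, LEDGER, "member"),
]


def demo() -> Dict[str, Set[str]]:
    """Resolve a few (user, resource) pairs against the sample assignments."""
    return {
        "alice@eng on web":        effective_roles(ALICE_ENG, WEB, MEMBERSHIPS, ASSIGNMENTS),
        "alice@eng on eng":        effective_roles(ALICE_ENG, ENG, MEMBERSHIPS, ASSIGNMENTS),
        "alice@eng on ledger":     effective_roles(ALICE_ENG, LEDGER, MEMBERSHIPS, ASSIGNMENTS),
        "alice@finance on web":    effective_roles(ALICE_FIN, WEB, MEMBERSHIPS, ASSIGNMENTS),
        "alice@finance on ledger": effective_roles(ALICE_FIN, LEDGER, MEMBERSHIPS, ASSIGNMENTS),
    }


if __name__ == "__main__":
    for pair, roles in demo().items():
        print(f"{pair}: {sorted(roles) or '(none)'}")
```

The check is deliberately an exact match on the resource: a role on the eng domain does not by itself grant anything on the web tenant inside it, and nothing here inherits across tenants. If your deployment relies on inherited domain-level grants, that is an additional rule on top of this model, not a property of the 3-tuple itself.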

Token

Tokens are used to authenticate and authorize a user's interactions with the various Private Cloud Director APIs. Tokens come in many flavors, representing different authorization scopes (for example a token scoped to one tenant) and different sources of identity. There are also several different "token providers", each with its own user experience, performance and deployment characteristics.

The Token service issues, validates and manages the tokens used to authenticate requests once a user's credentials have already been verified. A token is a bearer credential: whoever presents it acts with its scope and roles until it expires, so it must only be sent over TLS, must never be written to logs, and clients should check its expiry rather than assume it stays valid.

Service Catalog

The Catalog service provides an endpoint registry used for endpoint discovery. Rather than hard-coding service URLs, a client looks up the endpoint for a given service type, interface and region in the catalog that is returned alongside a token.
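The following is an added example, not Private Cloud Director or Keystone code, of the authenticate-and-token exchange described in the Identity Service section above and of the token and catalog handling described in the Token and Service Catalog sections. It builds the standard Keystone v3 password-authentication request (the user and the project each carry an explicit domain, because their names are unique only within a domain), reads the token ID from the X-Subject-Token response header, extracts scope and roles from the body, checks expiry, and resolves a service endpoint from the catalog. The auth URL, host names and every value in SAMPLE_HEADERS and SAMPLE_BODY are constructed so the example runs offline.

```python
"""Added example (not Private Cloud Director or Keystone code): the Keystone v3
password-authentication exchange the page describes, with token parsing and
catalog lookup. The auth URL and all SAMPLE_* values are constructed."""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple


def build_password_auth(user: str, user_domain: str, password: str,
                        project: str, project_domain: str) -> Dict[str, Any]:
    """Request body for POST <auth_url>/auth/tokens. User and project names are
    unique only within a domain, so both carry an explicit domain."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"name": user,
                                  "domain": {"name": user_domain},
                                  "password": password}}},
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}}}}


def request_token(auth_url: str, body: Dict[str, Any]
                  ) -> Tuple[Dict[str, str], Dict[str, Any]]:
    """Live call against a Keystone v3 endpoint (not exercised offline here).
    Returns the response headers and the decoded JSON body."""
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:  # HTTPS only in practice
        return dict(resp.headers.items()), json.loads(resp.read())


def parse_token(headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
    """The token ID is in the X-Subject-Token header; scope, roles and catalog
    are in the body. The ID is a bearer credential: never log it."""
    token_id = next(v for k, v in headers.items() if k.lower() == "x-subject-token")
    tok = body["token"]
    return {
        "id": token_id,
        "expires_at": tok["expires_at"],
        "user": (tok["user"]["domain"]["name"], tok["user"]["name"]),
        "project": (tok["project"]["domain"]["name"], tok["project"]["name"]),
        "roles": sorted(r["name"] for r in tok["roles"]),
        "catalog": tok.get("catalog", []),
    }


def is_expired(expires_at: str, now: Optional[datetime] = None) -> bool:
    """Keystone timestamps look like 2024-05-01T11:00:00.000000Z (UTC)."""
    exp = datetime.strptime(expires_at, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return (now or datetime.now(timezone.utc)) >= exp


def find_endpoint(catalog: List[Dict[str, Any]], service_type: str,
                  interface: str = "public", region: Optional[str] = None) -> Optional[str]:
    """Endpoint discovery: pick a URL by service type, interface and region
    from the catalog instead of hard-coding it. None if no match."""
    for svc in catalog:
        if svc.get("type") != service_type:
            continue
        for ep in svc.get("endpoints", []):
            if ep.get("interface") == interface and (region is None or ep.get("region") == region):
                return ep["url"]
    return None


# --- constructed sample response, shaped like a successful authenticate call ---
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "X-Subject-Token": "constructed-token-id"}
SAMPLE_BODY = {"token": {
    "methods": ["password"],
    "issued_at": "2024-05-01T10:00:00.000000Z",
    "expires_at": "2024-05-01T11:00:00.000000Z",
    "user": {"id": "u1", "name": "alice", "domain": {"id": "d1", "name": "eng"}},
    "project": {"id": "p1", "name": "web", "domain": {"id": "d1", "name": "eng"}},
    "roles": [{"id": "r1", "name": "member"}, {"id": "r2", "name": "reader"}],
    "catalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://pcd.example.com/keystone/v3"}]},
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://pcd.example.com/nova/v2.1"},
            {"interface": "internal", "region": "RegionOne",
             "url": "http://nova.internal:8774/v2.1"}]},
    ]}}


def demo() -> Dict[str, Any]:
    """Parse the sample response, check expiry at two instants, find compute URL."""
    info = parse_token(SAMPLE_HEADERS, SAMPLE_BODY)
    info["compute_url"] = find_endpoint(info["catalog"], "compute", "public", "RegionOne")
    info["expired_at_10_30"] = is_expired(info["expires_at"], datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc))
    info["expired_at_11_00_01"] = is_expired(info["expires_at"], datetime(2024, 5, 1, 11, 0, 1, tzinfo=timezone.utc))
    return info


if __name__ == "__main__":
    body = build_password_auth("alice", "eng", "s3cret", "web", "eng")
    # Real call: headers, resp = request_token("https://pcd.example.com/keystone/v3", body)
    d = demo()
    print(d["project"], d["roles"], d["compute_url"], d["expired_at_10_30"])
```

Once the token is parsed, a client sends it as the X-Auth-Token header to the URL it found in the catalog, and re-authenticates when is_expired() turns true rather than retrying failed calls with a stale token.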
