 Chapter 2. Concepts


The basic function of the authentication service is to validate a client's credentials. If a client offers valid credentials, Auth returns a token and a service catalog. The client can use the service catalog to find endpoints for the services it can use. To any of those services, the client can show the token as evidence of having been authenticated.

 

Figure 2.1. A client sends credentials to the Auth service; if they are valid, the Auth service returns a token which can be used to identify the client to other services.


You can see some OpenStack-oriented illustrations of this idea, showing the OpenStack Keystone identity service authenticating for the OpenStack Nova compute service, at http://docs.openstack.org/trunk/openstack-identity/admin/content/example-flows.html. Some of the OpenStack functions illustrated may not be consistent with the privileges available to you as a Rackspace customer; you are very welcome to examine this and other OpenStack publications as general background material, but please rely on Rackspace sources for specific information about what you can do and how you can do it.

If the client's authentication attempt fails, the authentication service returns an HTTP 401 Unauthorized response.

To use the Cloud Authentication Service effectively, you should understand several key concepts:

 Glossary

 API Key

Your API Key is a unique alphanumeric identifier associated with your account. You can use your API key as an authentication credential, paired with your username, to generate an authentication token which will be recognized by the services in your service catalog. To find or generate your API key, log in to the Rackspace Cloud Control Panel at http://mycloud.rackspace.com/.

 Authentication

Authentication is the act or process of confirming the identity of a user or the truth of a claim. The authentication service confirms that an incoming request is being made by the user who claims to be making the request. It does this by validating a set of claims that the user makes. These claims are initially in the form of a set of credentials. After initial confirmation based on credentials, the authentication service issues a token to the user; when making subsequent requests, the user can provide the token as evidence that the user's identity has already been authenticated.

 Credentials

Credentials are data that belong to and identify a specific user. Because credentials are assumed to be known by only one user, users who present valid credentials are assumed to have proven that they are who they say they are. Examples of credentials include:

  • a matching username and password

  • a matching username and API key

  • a unique token

 Endpoint

An endpoint is an entry point to an API. The endpoint is defined as a set of base URLs. API operations are defined relative to these URLs. A service may offer several regional endpoints for a single API. Rackspace provides two authentication endpoints: one for US-based accounts and one for UK-based accounts. To use v2.0 of the API for authentication, specify the API version as shown below:

Your account may be based in either the US or the UK; this is not determined by your physical location but by the location of the Rackspace retail site which was used to create your account:

If you are unsure how your account was created, use the Rackspace contact information at either site to ask for help.

 Role

A role is a personality that a user assumes when performing a specific set of operations. A role includes a set of rights and privileges. A user assuming a role inherits the rights and privileges associated with the role. A token that is issued to a user includes the list of roles the user can assume. When a user calls a service, that service determines how to interpret a user's roles. A role that grants access to a list of operations or resources within one service may grant access to a completely different list when interpreted by a different service.

 Service

A service provides one or more endpoints through which users can access resources and perform operations. Examples of OpenStack services include Compute (Nova), Object Storage (Swift), and Image Service (Glance).

 Service Catalog

Your service catalog is the list of services available to you, as returned along with your authentication token and an expiration date for that token. All the services in your service catalog should recognize your token as valid until it expires.

The catalog listing for each service provides at least one endpoint URL for that service. Other information, such as regions and versions and tenants, is provided if it's relevant to your access to this service.

 Sub-User

A sub-user, also called a sub-account, is a child of the account's fully-privileged administrative user. Each account has exactly one administrative user, holding the identity:user-admin role; optionally, one or more sub-users can be created, each holding the identity:default role. Each sub-user shares its parent's tenant information, group memberships, and endpoints.

 Tenant

A tenant is a container used to group or isolate resources and/or identity objects. Depending on the service operator, a tenant may map to a customer, account, organization, or project.

 Token

A token is an opaque string that represents an authorization to access cloud resources. Tokens may be revoked at any time and are valid for a finite duration.

 User

A user is a digital representation of a person, system, or service that consumes cloud services. Users have credentials and may be assigned tokens; based on these credentials and tokens, the authentication service validates that incoming requests are being made by the user who claims to be making the request, and that the user has the right to access the requested resources. Users may be directly assigned to a particular tenant and behave as if they are contained within that tenant.
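The flow described at the start of this chapter and the Service Catalog, Role and Token entries above, shown as a client would handle them, in an added Python example that is not part of the Rackspace documentation. The JSON is a constructed sample following the v2.0 "access" response shape (token, serviceCatalog, user); the host names are placeholders and nothing here contacts the Auth service.

```python
"""Parse a Cloud Identity v2.0 authentication response offline (added example).
SAMPLE_RESPONSE is a CONSTRUCTED sample in the v2.0 'access' shape; the token
id, tenant ids and .invalid host names are placeholders, not real values."""
import json
from datetime import datetime, timezone

SAMPLE_RESPONSE = json.loads("""
{"access": {
  "token": {"id": "CONSTRUCTED-TOKEN-ID", "expires": "2038-01-01T00:00:00.000Z",
            "tenant": {"id": "123456", "name": "123456"}},
  "serviceCatalog": [
    {"name": "cloudServersOpenStack", "type": "compute", "endpoints": [
      {"region": "DFW", "tenantId": "123456",
       "publicURL": "https://dfw.servers.example.invalid/v2/123456"},
      {"region": "ORD", "tenantId": "123456",
       "publicURL": "https://ord.servers.example.invalid/v2/123456"}]},
    {"name": "cloudFiles", "type": "object-store", "endpoints": [
      {"region": "DFW", "tenantId": "MossoCloudFS_example",
       "publicURL": "https://storage.example.invalid/v1/MossoCloudFS_example"}]}],
  "user": {"id": "987654", "name": "subuser1",
           "roles": [{"id": "2", "name": "identity:default"}]}}}
""")

def parse_expires(stamp):
    """Parse the v2.0 'expires' timestamp (e.g. 2038-01-01T00:00:00.000Z) as UTC."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def token_is_valid(access, now=None):
    """True while the token has not reached its expiration; check this before
    reusing a cached token instead of discovering the expiry via a 401."""
    now = now or datetime.now(timezone.utc)
    return now < parse_expires(access["token"]["expires"])

def find_endpoint(access, service_type, region):
    """Return the publicURL for a service type in a region, or None when the
    catalog lists none (the catalog only contains services this user may use)."""
    for service in access["serviceCatalog"]:
        if service["type"] != service_type:
            continue
        for endpoint in service["endpoints"]:
            if endpoint.get("region") == region:
                return endpoint["publicURL"]
    return None

def has_role(access, role_name):
    """Roles travel with the token; each service decides what a role permits."""
    return any(role["name"] == role_name for role in access["user"]["roles"])

def auth_headers(access):
    """The token is presented to catalog services in the X-Auth-Token header."""
    return {"X-Auth-Token": access["token"]["id"]}
```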