1,Identity service generates authentication tokens that permit access to the openstack service REST APIs,clients obtain this token and the URL catelog endpoints for other service APIs by supplying their valid credentials to the authentication service 获取token;

2,Each time you make a REST API request to an openstack service, you supply you authentication token in the X-Auth-Token request header 在X-Auth-Token使用上面获取的tokens;

3,openstack Identity protect its APIs by defining policy rules based on a role-based access control(RBAC)基于角色的访问控制;

4,page lists the Identity API operations in the following order
Authentication and token management
credentials,domains,domain configuration,group,policies,projects,regions,roles,role assignments,service catalog and endpoints,users

5, grant authorization on a specific project or domain
the body of authentication request must include a payload that specifies the authentication method which is password or token
the credenntials and optionally the authorization scope
you can scope a token to project or domain or the token can be unscope
you cannot scope a token to both a project and domain

tokens have IDs,which the Identity API returns in the X-Subject-Token