Having introduced Nova, the longest-standing OpenStack component, in the previous article, this article covers Keystone, the identity service at the core of OpenStack.
What is Keystone?
As described in the official documentation:
Keystone is an OpenStack service that implements the OpenStack Identity API to provide authentication, service discovery, and distributed multi-tenant authorization for API clients.
In short, you can think of it as the authentication and authorization service of OpenStack; it also keeps the registry of all OpenStack API endpoints, which is how clients discover the other services.
Keystone Architecture
Keystone consists of several internal services that are normally used together. For example, when an authentication request arrives, the Identity service first verifies the user's credentials; once they are verified, the Token service issues a token and returns it to the user.
Keystone includes the following services:
- Identity
- Resource
- Assignment
- Token
- Catalog
We will now briefly describe the functionalities of these services.
Identity
The Identity service authenticates users and groups using their credentials. In basic deployments these credentials are stored in a backend data store managed by Keystone itself. In more complex deployments the Identity backend can instead be an external directory such as LDAP, so that Keystone verifies credentials against the directory rather than storing them.
Users
A user represents an individual API consumer. Every user belongs to a domain; if none is specified, that is the Default domain. User names are not globally unique across domains, but they are unique within a domain, so a user is identified by the pair (domain, name) or by its ID.
Groups
A group is a collection of users. Similarly, groups must exist under a domain and are not globally unique, but are unique within the same domain.
Resource
The resource service manages data related to projects and domains.
Projects
Projects are the fundamental unit of ownership in OpenStack: every resource (an instance, a volume, a network) belongs to a specific project. Like users and groups, a project must belong to a domain, so project names are not globally unique, but are unique within their domain.
Domains
A domain is a top-level container for projects, users, and groups. All the previously mentioned resources are owned by a domain. Each domain defines a namespace, within which API-visible name attributes are stored. Keystone provides a default domain named Default. Most attributes in Keystone are unique only within their domain.
Domains are the most complex of these concepts. Small deployments usually use only the Default domain, while larger deployments partition users and projects into multiple domains, for example one domain per tenant organization, each backed by its own identity source.
Assignment
The Assignment service stores roles and role assignments, which is how OpenStack implements RBAC (Role-Based Access Control).
Keystone only records which role an identity holds on which resource. The actual authorization decision, i.e. which roles may call which API operation, is made by each OpenStack service according to its own policy.yaml file. (Quotas are a separate mechanism managed by each service, not by the policy file.)
Roles
A role determines the level of permission granted to an identity. Roles can be assigned on a domain or on a project, to a user or to a group; users in a group inherit the roles assigned to the group.
Role Assignments
A role assignment is a record that ties a role, a resource (a project or domain), and an identity (a user or group) together: a tuple of exactly those three elements.
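The following is an added example, not code from the article or from Keystone itself, showing how the two halves of OpenStack RBAC fit together: the Assignment service's (role, resource, identity) tuples, including group membership and domain-level inheritance, produce the roles carried in a project-scoped token, and a service's policy.yaml rules are then evaluated against those roles. The rule syntax follows oslo.policy's `role:`, `rule:`, `key:%(attr)s`, `and`/`or` forms, but the evaluator is a deliberately minimal re-implementation (no parentheses or `not`), and all identities, projects, assignments and policy files are constructed sample data. The weak policy shows the classic `admin_or_owner` pitfall: an "owner" check that only matches the token's project lets any role in the project, including `reader`, perform a destructive operation.

```python
import re

# Constructed sample data for illustration (not from a real deployment).
# Identities are "user:<name>" or "group:<name>"; resources are
# "project:<name>" or "domain:<name>".
GROUP_MEMBERS = {
    "group:ops": {"user:alice", "user:bob"},
}
PROJECT_DOMAIN = {
    "project:demo": "domain:default",
    "project:prod": "domain:default",
}
# Role assignments as (role, resource, identity, inherited) tuples. `inherited`
# models a domain-level assignment that propagates to every project in the
# domain (Keystone's "inherited to projects" flag).
ASSIGNMENTS = [
    ("admin",  "domain:default", "user:root",  True),
    ("member", "project:demo",   "group:ops",  False),
    ("reader", "project:prod",   "user:carol", False),
]


def effective_roles(user, project, assignments=ASSIGNMENTS):
    """Roles `user` holds on `project`: direct, via group membership, or inherited from the domain."""
    identities = {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}
    domain = PROJECT_DOMAIN[project]
    roles = set()
    for role, resource, identity, inherited in assignments:
        if identity not in identities:
            continue
        if resource == project or (inherited and resource == domain):
            roles.add(role)
    return roles


def _atom(atom, creds, target, policy):
    """Evaluate one check: 'role:X', 'rule:X', '@' (always), '!' (never),
    or a generic 'key:%(attr)s' comparison of a credential against the target."""
    atom = atom.strip()
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(policy[value], creds, target, policy)
    if kind == "role":
        return value in creds.get("roles", ())
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:
        return creds.get(kind) is not None and creds.get(kind) == target.get(m.group(1))
    return str(creds.get(kind)) == value


def evaluate(expr, creds, target, policy):
    """'or' has the lowest precedence, 'and' binds tighter; an empty rule means allow."""
    if not expr.strip():
        return True
    return any(
        all(_atom(a, creds, target, policy) for a in re.split(r"\s+and\s+", clause))
        for clause in re.split(r"\s+or\s+", expr.strip())
    )


def authorize(policy, action, user, project, target):
    """Build the credentials a service sees in a project-scoped token and apply the policy rule."""
    creds = {
        "user_id": user,
        "project_id": project,
        "roles": sorted(effective_roles(user, project)),
    }
    return evaluate(policy[action], creds, target, policy)


# Weak: "owner" only checks that the token is scoped to the target project,
# so any role in the project (even reader) can delete servers.
WEAK_POLICY = {
    "admin_required": "role:admin",
    "owner": "project_id:%(project_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "compute:delete_server": "rule:admin_or_owner",
}
# Hardened: ownership is only sufficient together with the member role.
HARDENED_POLICY = {
    "admin_required": "role:admin",
    "member_owner": "role:member and project_id:%(project_id)s",
    "compute:delete_server": "rule:admin_required or rule:member_owner",
}

if __name__ == "__main__":
    target = {"project_id": "project:prod"}
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "carol (reader) deletes a server in prod:",
              authorize(pol, "compute:delete_server", "user:carol", "project:prod", target))
```

The point to check in a real deployment is the same as in the sample: for every destructive or privileged API rule, confirm that a project-scoped token needs a specific role, not merely a matching project ID, and remember that a domain-level assignment with inheritance silently grants that role on every project in the domain.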
Token
Once a user has authenticated, Keystone issues a token, and subsequent requests to the other services are authenticated by presenting that token. The Token service issues and validates tokens; a scoped token also fixes the project or domain, and therefore the roles, that the token's holder is acting with.
Catalog
The Catalog service provides an endpoint registry for service discovery: it lists all the OpenStack service endpoints available in the deployment, each with a service type, a region and an interface (public, internal or admin), and returns the catalog to the client together with a scoped token.
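As an added example (not from the article), here is the Token and Catalog flow as a client sees it on the Identity API v3: the password-authentication request body, the fact that the token ID is returned in the `X-Subject-Token` response header while the JSON body carries the token's scope, roles and catalog, and how a client picks an endpoint out of the catalog. The Keystone URL and the sample response body are constructed for this example; only `build_auth_request`, `find_endpoint`, `roles_in_scope` and `is_expired` run offline, and `authenticate` is there to show the real exchange.

```python
import json
import urllib.request
from datetime import datetime

# Hypothetical Keystone URL; nothing below contacts it unless you call authenticate().
KEYSTONE_URL = "https://keystone.example.com:5000/v3"


def build_auth_request(username, password, project_name,
                       user_domain="Default", project_domain="Default"):
    """Body of POST /v3/auth/tokens: password authentication scoped to a project.
    Users and projects are named within a domain, so the domain is part of the request."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": {
                "project": {"name": project_name, "domain": {"name": project_domain}}
            },
        }
    }


def authenticate(base_url, body):
    """POST the request. The token ID comes back in the X-Subject-Token header,
    not in the JSON body; the body carries the token metadata and the catalog."""
    req = urllib.request.Request(
        base_url + "/auth/tokens",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-Subject-Token"], json.load(resp)


# Constructed sample of the JSON body Keystone returns for a project-scoped token.
SAMPLE_TOKEN_BODY = {
    "token": {
        "methods": ["password"],
        "issued_at": "2024-01-01T00:00:00.000000Z",
        "expires_at": "2024-01-01T01:00:00.000000Z",
        "user": {"id": "u1", "name": "alice", "domain": {"id": "default", "name": "Default"}},
        "project": {"id": "p1", "name": "demo", "domain": {"id": "default", "name": "Default"}},
        "roles": [{"id": "r1", "name": "member"}],
        "catalog": [
            {"type": "compute", "name": "nova", "id": "s1", "endpoints": [
                {"id": "e1", "interface": "public", "region": "RegionOne",
                 "url": "https://nova.example.com:8774/v2.1"},
                {"id": "e2", "interface": "internal", "region": "RegionOne",
                 "url": "http://10.0.0.5:8774/v2.1"},
            ]},
            {"type": "identity", "name": "keystone", "id": "s2", "endpoints": [
                {"id": "e3", "interface": "public", "region": "RegionOne",
                 "url": "https://keystone.example.com:5000/v3"},
            ]},
        ],
    }
}

# Keystone formats issued_at/expires_at as UTC ISO-8601 with microseconds and a trailing Z.
_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def roles_in_scope(token_body):
    """Role names granted on the scope (here the project) the token was issued for."""
    return {r["name"] for r in token_body["token"].get("roles", [])}


def find_endpoint(token_body, service_type, interface="public", region=None):
    """Service discovery: first catalog URL matching type, interface and (optionally) region."""
    for service in token_body["token"].get("catalog", []):
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and (region is None or ep["region"] == region):
                return ep["url"]
    return None


def is_expired(token_body, now_ts):
    """True if the token's expires_at is at or before now_ts (same timestamp format)."""
    expires = datetime.strptime(token_body["token"]["expires_at"], _TS_FORMAT)
    now = datetime.strptime(now_ts, _TS_FORMAT)
    return now >= expires


if __name__ == "__main__":
    body = build_auth_request("alice", "s3cret", "demo")
    print(json.dumps(body, indent=2))
    print("roles:", roles_in_scope(SAMPLE_TOKEN_BODY))
    print("compute endpoint:", find_endpoint(SAMPLE_TOKEN_BODY, "compute"))
```

Two practical points follow from the shape of this exchange. The token ID travels in a header (`X-Subject-Token` on issue, `X-Auth-Token` on every later request), so make sure proxies and application logs do not record request or response headers for these calls. And the catalog hands a client the internal endpoints as well as the public ones, so a token leaked from a public client is just as usable on the internal interface; choose the interface explicitly rather than taking whatever is listed first.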
Summary
This article introduced Keystone, the core of the OpenStack services. Some concepts were only briefly sketched here; they become clearer after hands-on use. The next article covers OpenStack Neutron, which provides networking services.
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.