The previous post introduced Nova, the oldest OpenStack component. This post introduces Keystone, the component now regarded as the core of OpenStack.
What is Keystone?
The official documentation describes it as follows:
Keystone is an OpenStack service that provides API client authentication, service discovery, and distributed multi-tenant authorization by implementing the OpenStack Identity API.
Simply put, you can think of it as the authentication service in OpenStack, which also records the locations (endpoints) of all OpenStack APIs.
Keystone Architecture
Keystone is composed of several different internal services, which are typically used in combination. For example, an authentication request is first verified by the Identity service using the credentials provided by the user; upon success, the Token service generates a token for the user.
Keystone includes the following services:
- Identity
- Resource
- Assignment
- Token
- Catalog
We will introduce the functions of these services one by one.
Identity
The Identity service provides credential verification for users and groups. In the most basic case, these credentials are stored by the Identity service in its own backend database. In more complex deployments, a different backend, such as LDAP, can be used to provide the service instead.
Users
A user basically represents an individual API consumer. Users must belong to a specific domain (defaulting to 'default'). Usernames are not globally unique, but they are unique within the same domain.
Groups
As the name suggests, a group is a collection of users. Similarly, groups must exist within a domain and are not globally unique, but are unique within the same domain.
Resource
The Resource service provides information regarding projects and domains.
Projects
Projects represent the basic unit of ownership in OpenStack, as all resources in OpenStack should be owned by a specific project. Like users and groups, a project itself must be owned by a specific domain; therefore, project names are not globally unique but are unique within their domain.
Domains
A Domain is a high-level container for projects, users, and groups. Each of these resources is owned by a domain. Each domain defines a namespace where API-visible name attributes exist. Keystone provides a default domain called 'Default'. Most attributes in Keystone are unique only within their respective domain.
The concept of a Domain is somewhat complex; typically, smaller deployments only use the default Domain, whereas larger deployments may utilize multiple domains to partition permissions.
Assignment
The Assignment service provides data for roles and role assignments to implement OpenStack's Role-Based Access Control (RBAC).
The actual permission rules are configured in the policy.yaml file of each OpenStack component; Keystone only supplies the roles those rules are evaluated against.
Roles
Roles determine the level of authorization a user receives. They can be assigned at the domain or project level. Roles can be granted to users or groups, with users in a group inheriting the permissions associated with that group's roles.
Role Assignments
A role assignment records the actual relationship between a role and a resource as a 3-tuple consisting of the role, the resource (a project or domain), and the identity (a user or group) it is granted to.
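To make the Identity, Resource and Assignment data described above concrete, the following is an added toy model (not Keystone's code): names are keyed by (domain, name) so they are unique only within a domain, role assignments are the (role, resource, identity) 3-tuples, users inherit roles from their groups, and a constructed policy table in the spirit of policy.yaml is checked against the effective roles. All users, groups, projects, roles and action names in it are constructed sample data.

```python
"""Toy model of Keystone's Identity, Resource and Assignment data (constructed example, not Keystone code)."""

# Names are unique only within a domain, so every user, group and project is keyed by (domain, name).
USERS = {("Default", "alice"), ("Default", "bob"), ("corp", "alice")}
GROUPS = {("corp", "ops"): {("corp", "alice")}}  # group -> set of member users
PROJECTS = {("Default", "demo"), ("corp", "prod")}

# Role assignments as 3-tuples (role, resource, identity); resources and identities carry a type tag.
ASSIGNMENTS = {
    ("admin",  ("project", ("Default", "demo")), ("user",  ("Default", "alice"))),
    ("member", ("project", ("Default", "demo")), ("user",  ("Default", "bob"))),
    ("admin",  ("project", ("corp", "prod")),    ("group", ("corp", "ops"))),
    ("admin",  ("domain",  "corp"),              ("user",  ("corp", "alice"))),
}

# Constructed policy rules in the spirit of policy.yaml: the caller needs one of these roles in scope.
POLICY = {
    "create_server": {"admin", "member"},
    "delete_server": {"admin"},
}


def effective_roles(user, resource):
    """Roles a user holds on a resource: direct assignments plus those inherited through group membership.

    A role scoped to a domain does not automatically apply to that domain's projects here;
    the resource in the assignment must match the resource being checked.
    """
    if user not in USERS:
        raise KeyError(f"unknown user {user}")
    identities = {("user", user)}
    identities |= {("group", g) for g, members in GROUPS.items() if user in members}
    return {role for role, res, ident in ASSIGNMENTS if res == resource and ident in identities}


def authorize(user, resource, action):
    """True if the user's effective roles on the resource satisfy the policy rule for the action."""
    return bool(effective_roles(user, resource) & POLICY[action])


if __name__ == "__main__":
    demo = ("project", ("Default", "demo"))
    prod = ("project", ("corp", "prod"))
    print(authorize(("Default", "bob"), demo, "delete_server"))    # False: member may not delete
    print(authorize(("corp", "alice"), prod, "delete_server"))     # True: admin inherited via the ops group
    print(authorize(("Default", "alice"), prod, "delete_server"))  # False: a different alice in another domain
```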
Token
Once a user is authenticated, a token is issued; subsequent service access is then authorized via this token. The Token service is responsible for managing and validating these tokens.
Catalog
The Catalog service provides an endpoint registry for endpoint discovery. It essentially maintains a record of all OpenStack service endpoints within the cluster.
Summary
Today we introduced Keystone, the core of OpenStack services. While many of Keystone's concepts are somewhat abstract, they become easier to understand through practical application. The next post will cover OpenStack Neutron, the service responsible for networking.
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.