Keystone Architecture
Keystone has two major components: Authentication and a Service Catalog.
Authentication
In providing a token-based authentication service for OpenStack, keystone
has several major concepts:
- Tenant
- A grouping used in OpenStack to contain relevant OpenStack services. A
tenant maps to a Nova “project-id”, and in object storage, a tenant can
have multiple containers. Depending on the installation, a tenant can
represent a customer, account, organization, or project.
- User
- Represents an individual within OpenStack for the purposes of
authenticating them to OpenStack services. Users have credentials, and may
be assigned to one or more tenants. When authenticated, a token is
provided that is specific to a single tenant.
- Credentials
- Password or other information that uniquely identifies a User to Keystone
for the purposes of providing a token.
- Token
A token is an arbitrary bit of text that is used to share authentication
with other OpenStack services so that Keystone can provide a central
location for authenticating users for access to OpenStack services. A
token may be “scoped” or “unscoped”. A scoped token represents a user
authenticated to a Tenant, where an unscoped token represents just the
user.
Tokens are valid for a limited amount of time and may be revoked at any
time.
- Role
- A role is a set of permissions to access and use specific operations for
a given user when applied to a tenant. Roles are logical groupings of
those permissions to enable common permissions to be easily grouped and
bound to users associated with a given tenant.
Service Catalog
Keystone also provides a list of REST API endpoints as a definitive list for
an OpenStack installation. Key concepts include:
- Service
- An OpenStack service such as nova, swift, glance, or keystone. A service
may have one of more endpoints through which users can interact with
OpenStack services and resources.
- Endpoint
- A network accessible address (typically a URL) that represents the API
interface to an OpenStack service. Endpoints may also be grouped into
templates which represent a group of consumable OpenStack services
available across regions.
- Template
- A collection of endpoints representing a set of consumable OpenStack
service endpoints.
Components of Keystone
Keystone includes a command-line interface which interacts with the Keystone
API for administrating keystone and related services.
- keystone - runs both keystone-admin and keystone-service
- keystone-admin - the administrative API for manipulating keystone
- keystone-service - the user oriented API for authentication
- keystone-manage - the command line interface to manipulate keystone
Keystone also includes WSGI middelware to provide authentication support
for Nova and Swift.
Keystone uses a built-in SQLite datastore - and may use an external LDAP
service to authenticate users instead of using stored credentials.