Keystone is an OpenStack identity service that provides API client authentication, service discovery, and distributed multi-tenant authorization. The service manages user databases as well as OpenStack service catalogs and their API endpoints.
Internal services are grouped within Keystone and are exposed on one or many endpoints. The internal services are used in combination on the frontend to completed actions. For example, an authenticate call will validate user/project credentials with the Identity service and upon its successful validation, will create and return a token with the Token Service.
Create, manage, and optimize large scale deployments easily with our OpenMetal Cloud Hosting.
Keystone Services and Components
There are many services and components that comprise the Keystone service. An overview of all elements are listed below:
- Identity: The Identity service provides auth credential validation and data about users and groups.
- Users: Digital representations of individual API consumers that use OpenStack. Keystone reviews incoming token requests and ensures they are coming from a valid user. Because a user must be owned by a specific domain, user names are only unique to their domain and are not globally unique.
- Groups: Containers representing a collection of users. Because a group must be owned by a specific domain, group names are only unique to their domain and are not globally unique.
- Resource: The Resource provides data about projects and domains.
- Projects: Represent the base unit of ownership in OpenStack. All resources in OpenStack should be owned by a specific project. Because a project must be owned by a specific domain, project names are only unique to their domain and are not globally unique. Projects not given a domain at the time of creation are added to the default domain.
- Domains: High-level containers for projects, users and groups. Domains provide a namespace where an API-visible name attribute exists. They can be used to delegate the management of OpenStack resources.
- Assignment: The Assignment service provides data about roles and role assignments.
- Roles: Assigned user rights and privileges for performing a specific set of operations. Keystone includes a list of user roles when the user token is issued. Roles can be granted at either the domain or project level and can be assigned at the individual user or group level. Role names are unique within the owning domain.
- Role Assignments: A 3-tuple that has a Role, a Resource, and an Identity.
- Token: The Token service validates and manages tokens used for authenticating requests. Tokens are bits of text used to gain access to resources and are valid for a short amount of time.
- Catalog: The Catalog service provides an endpoint registry used for endpoint discovery.
Keystone and the other OpenStack services and tools allow you to manage your instances and resources quickly and easily. Read our article on OpenStack Networking Essentials to learn more. Experience OpenStack and Keystone in action, learn more about OpenStack powered OpenMetal solution and the tools that form this robust cloud tool.