DEV Community

Choonho Son

The Identity of OpenStack, Keystone

Keystone, the heart of OpenStack's Identity

Authentication and authorization are the starting point of every API call. In AWS, GCP, or Azure, IAM is the core component for authentication and authorization. In OpenStack, Keystone plays the IAM role.

I want to understand how Keystone works.

The basic pattern for authentication and authorization in a microservice architecture is: 1) a central identity service issues tokens, and 2) every other service validates the token (authentication) and then checks the caller's permissions (authorization). In OpenStack the services do this through keystonemiddleware, which validates each incoming token against Keystone before the request reaches the service's own API.


Keystone v2 and v3

Keystone v3 adds domains on top of projects: a domain is a container for users, groups and projects, and what v2 called a tenant is a project in v3. The v2.0 API was removed in the Queens release, so v3 is the only API to target today.


Token Types

  Type     Description                                                                      Supported from
  UUID     128-bit random identifier (32 hex characters); every issued token is stored      original provider, since removed
           in the token table, which has to be flushed periodically
  Fernet   Symmetric: AES-128-CBC encryption plus HMAC-SHA256 signing with a 32-byte key;   Kilo (default since Ocata)
           under 255 characters; nothing stored in the database
  JWS      JSON Web Signature, a signed JWT; asymmetric ES256 (ECDSA over P-256);           Stein
           nothing stored in the database

  • Fernet and JWS tokens have no database backing: validation is purely cryptographic, there is no token table to flush, and every Keystone node needs the same Fernet keys (or, for JWS, the public key of every issuing node).

UUID

[token]
# full class path as written in older releases; the short name "uuid" was accepted too
provider = keystone.token.providers.uuid.Provider

UUID tokens are persisted in the token table, so the table grows with every issued token and has to be pruned with keystone-manage token_flush (typically from cron).


FERNET (Cryptographic Authentication Method)

[token]
provider = keystone.token.providers.fernet.Provider
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
max_active_keys = 3   # default is 3; the staged key, the primary key and the secondary keys all count

The repository is created with keystone-manage fernet_setup and rotated with keystone-manage fernet_rotate. File 0 is the staged key (it validates tokens but never signs them, and becomes the next primary on rotation), the highest-numbered file is the primary key that signs new tokens, and the remaining files are secondary keys kept only to validate tokens signed before the last rotations. Keep the directory owned by the keystone user with mode 0700 and the key files 0600, copy the same keys to every Keystone node, and size max_active_keys as (token_expiration / rotation_frequency) + 2 so a key is never pruned while a token it signed is still valid.
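The issue-then-validate split described at the top of the post, and the key repository this configuration points at, as an added example (not Keystone's own code, not from the post): it models the fernet-keys directory (0 staged, highest index primary, the rest secondary), the pruning behind max_active_keys, and why a token issued just before a rotation still validates. The names KeyRepository, rotation_demo and the sample payload are this example's own. The token keeps Fernet's outer layout but is signed only, because the standard library has no AES; real Fernet also encrypts the body with the second half of the 32-byte key.

```python
"""Keystone-style Fernet key repository: setup, rotation, issue and validate.

Added example, not Keystone's code. The repository layout mirrors Keystone's
(file "0" is the staged key, the highest index is the primary key that signs,
the rest are secondary keys that only validate). The token keeps Fernet's
outer layout (version byte, 8-byte timestamp, body, HMAC-SHA256 tag, base64url)
but is signed only: real Fernet also AES-128-CBC encrypts the body with the
second half of the 32-byte key, which the standard library cannot do.
"""
import base64
import hashlib
import hmac
import math
import os
import secrets
import struct
import tempfile
import time

VERSION = b"\x80"  # Fernet version byte
TAG_LEN = 32       # HMAC-SHA256 tag length


class KeyRepository:
    """Directory of 32-byte keys, base64url-encoded, one file per index."""

    def __init__(self, path, max_active_keys=3):
        if max_active_keys < 2:
            raise ValueError("need room for at least the staged and primary keys")
        self.path = path
        self.max_active_keys = max_active_keys

    def _indexes(self):
        return sorted(int(n) for n in os.listdir(self.path) if n.isdigit())

    def _path(self, index):
        return os.path.join(self.path, str(index))

    def _write_new_key(self, index):
        with open(self._path(index), "wb") as f:
            f.write(base64.urlsafe_b64encode(secrets.token_bytes(32)))
        os.chmod(self._path(index), 0o600)  # key material: owner-only

    def _read(self, index):
        with open(self._path(index), "rb") as f:
            return base64.urlsafe_b64decode(f.read())

    def setup(self):
        """What keystone-manage fernet_setup does: staged key 0, primary key 1."""
        os.makedirs(self.path, mode=0o700, exist_ok=True)
        self._write_new_key(0)
        self._write_new_key(1)

    def rotate(self):
        """What keystone-manage fernet_rotate does."""
        # the staged key becomes the new primary at the next free index
        os.rename(self._path(0), self._path(max(self._indexes()) + 1))
        # a fresh staged key takes its place
        self._write_new_key(0)
        # the oldest secondaries go until staged + primary + secondaries fit
        while len(self._indexes()) > self.max_active_keys:
            os.remove(self._path(min(i for i in self._indexes() if i != 0)))

    def primary_key(self):
        return self._read(max(self._indexes()))

    def validation_keys(self):
        # every key validates, staged key included, so a token issued by a
        # node that already rotated is still accepted by one that has not
        return [self._read(i) for i in sorted(self._indexes(), reverse=True)]


def issue_token(key, payload, now=None):
    """Sign with the first 16 bytes of the key (Fernet's signing half)."""
    ts = struct.pack(">Q", int(time.time() if now is None else now))
    body = VERSION + ts + payload
    return base64.urlsafe_b64encode(body + hmac.new(key[:16], body, hashlib.sha256).digest())


def validate_token(keys, token, ttl, now=None):
    """Return the payload if an active key signed it and it has not expired."""
    raw = base64.urlsafe_b64decode(token)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if body[:1] != VERSION:
        raise ValueError("unknown token version")
    if not any(hmac.compare_digest(hmac.new(k[:16], body, hashlib.sha256).digest(), tag) for k in keys):
        raise ValueError("signature matches no active key")
    issued = struct.unpack(">Q", body[1:9])[0]
    if issued + ttl < int(time.time() if now is None else now):
        raise ValueError("token expired")
    return body[9:]


def is_valid(keys, token, ttl, now=None):
    try:
        validate_token(keys, token, ttl, now)
        return True
    except ValueError:
        return False


def max_active_keys_for(token_expiration, rotation_frequency):
    """Keystone's sizing rule: (token_expiration / rotation_frequency) + 2,
    so a key is pruned only after every token it signed has expired."""
    return math.ceil(token_expiration / rotation_frequency) + 2


def rotation_demo(max_active_keys=3, path=None):
    """Issue one token under the first primary key, rotate max_active_keys
    times and record whether the token still validates after each rotation."""
    repo = KeyRepository(path or tempfile.mkdtemp(), max_active_keys)
    repo.setup()
    token = issue_token(repo.primary_key(), b"user=alice;project=demo", now=1_700_000_000)
    survived = []
    for _ in range(max_active_keys):
        repo.rotate()
        survived.append(is_valid(repo.validation_keys(), token, ttl=3600, now=1_700_000_010))
    return survived  # max_active_keys=3 -> [True, False, False]
```

rotation_demo(3) returns [True, False, False]: the token signed by key 1 survives the first rotation (keys 0, 1, 2 are all active) and is rejected after the second, when 0, 1, 2, 3 exceed max_active_keys and key 1 is pruned. That is where the +2 in max_active_keys_for comes from: one slot for the staged key, one for the primary, and one for each rotation that can happen during a token's lifetime.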


JWS (JSON Web Signature)

JWS is the signed form of a JWT (JSON Web Token). Keystone signs with ES256 (ECDSA over P-256 with SHA-256), so a node needs the private key only to issue tokens and the public keys to validate them.

[token]
provider = jws
[jwt_tokens]
jws_public_key_repository = /etc/keystone/jws-keys/public
jws_private_key_repository = /etc/keystone/jws-keys/private

Generate the key pair with keystone-manage create_jws_keypair. The private key stays on the node that issues tokens, and the public key repository must hold the public key of every node that issues tokens, otherwise tokens issued by one node fail validation on another.


Token Scope

  Scope      Description
  Unscoped   Proves identity only; carries no roles and no service catalog, and is mostly used to list what the user can access and then exchange for a scoped token
  System     Acting on resources at the system (deployment) level, usually admin only
  Domain     Managing the users, groups and projects within a domain
  Project    Acting on resources that belong to a project, the usual scope for workload APIs
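The four scopes above as a v3 API exchange, as an added example that is neither from the post nor from Keystone: the request body that asks for each scope (POST /v3/auth/tokens; the token value comes back in the X-Subject-Token header and its description in the JSON body under "token") and how a service tells the scopes apart in the validated token. User, project and domain names are made up, and the sample responses are constructed by hand and trimmed to the fields that matter.

```python
"""Keystone v3 token scopes: request bodies and reading the scope back.

Added example, not from the post or from Keystone. Request shapes follow the
v3 Identity API; the sample token responses are constructed by hand.
"""


def auth_body(user, password, user_domain="Default", scope="unscoped"):
    """JSON body for password authentication with the given scope. Pass the
    result of project_scope(), domain_scope() or system_scope(); the default
    asks for an unscoped token explicitly (without a scope key Keystone
    would scope to the user's default project, if one is configured)."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": scope,
        }
    }


def project_scope(project, domain="Default"):
    return {"project": {"name": project, "domain": {"name": domain}}}


def domain_scope(domain):
    return {"domain": {"name": domain}}


def system_scope():
    # "all" is the only system scope Keystone defines
    return {"system": {"all": True}}


def token_scope(token_response):
    """Classify a validated token by the top-level key Keystone places in the
    "token" object: exactly one of system/domain/project, or none."""
    token = token_response["token"]
    present = [s for s in ("system", "domain", "project") if s in token]
    if len(present) > 1:
        raise ValueError("malformed token: more than one scope present")
    return present[0] if present else "unscoped"


def role_names(token_response):
    # roles are only present on scoped tokens; an unscoped token has none
    return sorted(r["name"] for r in token_response["token"].get("roles", []))


def authorize(token_response, required_scope, required_role):
    """The check a service applies after keystonemiddleware validated the
    token: the right scope type, and the role granted in that scope."""
    return token_scope(token_response) == required_scope and required_role in role_names(token_response)


# Constructed sample responses (hand-written, trimmed to the relevant fields).
PROJECT_TOKEN = {"token": {
    "expires_at": "2025-01-01T01:00:00.000000Z",
    "user": {"id": "u1", "name": "alice", "domain": {"id": "default", "name": "Default"}},
    "project": {"id": "p1", "name": "demo", "domain": {"id": "default", "name": "Default"}},
    "roles": [{"id": "r1", "name": "member"}],
}}
SYSTEM_TOKEN = {"token": {
    "expires_at": "2025-01-01T01:00:00.000000Z",
    "user": {"id": "u2", "name": "admin", "domain": {"id": "default", "name": "Default"}},
    "system": {"all": True},
    "roles": [{"id": "r2", "name": "admin"}],
}}
UNSCOPED_TOKEN = {"token": {
    "expires_at": "2025-01-01T01:00:00.000000Z",
    "user": {"id": "u1", "name": "alice", "domain": {"id": "default", "name": "Default"}},
}}
```

Note that a project-scoped token also carries a domain, but nested inside "project" (and inside "user"), never at the top level; only a domain-scoped token has a top-level "domain" key, which is why token_scope looks at top-level keys only.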
