Muhammad Antar

KeyStone in OpenStack

1- Keystone:

Keystone is the identity service in OpenStack. It verifies a user's identity and provides information about which resources that user has access to. The Keystone project provides authentication and authorization, and it supplies authentication to the other services covered in the last article: Nova Compute, Swift Object Storage, Neutron Networking, Glance Image, Cinder Block Storage and the Horizon Dashboard.

2- Keystone Identity Flow:

Requests to the Identity service are made via an API call. Keystone provides a service catalog (the service API URLs), which means any service added to OpenStack should be registered in Keystone. Keystone stores information about roles, groups and users; this information can also come from an external identity source such as LDAP. Keystone also includes WSGI middleware to provide authentication support for Nova and Swift. Keystone has its own database.

Flow:

A- The user sends credentials to Keystone.
B- The user gets a token from Keystone.
C- The user sends a request plus the token to an OpenStack service.
D- The OpenStack service validates the token with Keystone.
E- The user receives the response from the OpenStack service.

3- Keystone Architecture Concepts:

A- Services: Keystone is organized as a group of internal services exposed on one or many endpoints.

B- Identity: The Identity service provides credential validation and data about users and groups.

C- Users: represent an individual API consumer. A user must be owned by a specific domain.

D- Groups: are a container representing a collection of users.

E- Projects: represent the base unit of ownership in OpenStack, in that all resources in OpenStack should be owned by a specific project. A project itself must be owned by a specific domain.

F- Domains: are a high-level container for projects, users and groups. Each of these is owned by exactly one domain. Each domain defines a namespace in which an API-visible name attribute exists. Keystone provides a default domain.

G- Roles: dictate the level of authorization the end user can obtain. Roles can be granted at either the domain or project level.

H- Token: The Token service validates and manages tokens used for authenticating requests once a user's credentials have already been verified.

J- Catalog: provides an endpoint registry used for endpoint discovery.

4- Keystone Role in VM Creation:

A- The identity service (Keystone) authenticates the user with the user's credentials and then generates and sends back an auth token. That auth token is used when sending requests to the other components through REST calls.

B- Keystone verifies that the user has the correct permissions for the request based on its own policies.

C- Keystone replies with the temporary token and the list of tenants the user has access to.

D- glance-api validates the auth token with Keystone, and after that nova-compute gets the image metadata.

E- cinder-api validates the auth token with Keystone, and then nova-compute gets the block storage information.
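As an added example (not from the original post or the OpenStack project), the token flow from sections 2 and 4 and the catalog, role and token concepts from section 3, modelled offline in Python against a constructed Keystone v3 reply; the hostnames, project name, roles and token id are assumed sample values:

```python
# Added example (not OpenStack's code): the Keystone v3 flow modelled offline.
# Steps A/B: build the password-auth request. Step C: read the token id and the
# service catalog out of a constructed reply and resolve the endpoint to call.
# All URLs, names and the token id below are constructed sample values.

def build_password_auth(user, password, user_domain, project, project_domain):
    """Body of POST /v3/auth/tokens: password method, scoped to a project.
    Only a project-scoped token carries project roles and a service catalog."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user, "password": password,
                                           "domain": {"name": user_domain}}}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}},
    }}

# Constructed stand-in for Keystone's reply. The token id travels in the
# X-Subject-Token response header; the body carries the roles and the catalog.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAA-constructed-token-id"}
SAMPLE_BODY = {"token": {
    "expires_at": "2030-01-01T01:00:00.000000Z",
    "project": {"name": "demo", "domain": {"name": "Default"}},
    "roles": [{"name": "member"}, {"name": "reader"}],
    "catalog": [
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://nova.example.test:8774/v2.1"},
            {"interface": "internal", "region": "RegionOne",
             "url": "http://10.0.0.5:8774/v2.1"}]},
        {"type": "image", "name": "glance", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://glance.example.test:9292"}]}]}}

def find_endpoint(body, service_type, interface="public", region="RegionOne"):
    """Endpoint discovery via the catalog: the client never hard-codes where
    Nova or Glance live; it reads the catalog returned with its token."""
    for svc in body["token"]["catalog"]:
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if ep["interface"] == interface and ep["region"] == region:
                return ep["url"]
    raise LookupError(f"no {interface} endpoint for {service_type} in {region}")

def service_request_headers(headers, body, required_role):
    """Headers for the follow-up service call (step C); fail early if the
    token's roles cannot satisfy the request the service would authorize."""
    roles = {r["name"] for r in body["token"]["roles"]}
    if required_role not in roles:
        raise PermissionError(f"token lacks role {required_role!r}")
    return {"X-Auth-Token": headers["X-Subject-Token"], "Content-Type": "application/json"}
```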
