1- Keystone :
Keystone is the identity service in OpenStack. It verifies the user's identity and provides information about which resources the user has access to. The Keystone project provides authentication and authorization for the other services we met in the last article: Nova Compute, Swift Object Storage, Neutron Networking, Glance Image, Cinder Block Storage and the Horizon Dashboard.
2- Keystone Identity Flow :
Requests to the Identity service are made via an API call. Keystone provides the service catalog (the registry of service API URLs), which means any service added to OpenStack should be registered in Keystone. Keystone stores information about roles, groups and users; this information can also come from an external identity source such as LDAP. Keystone also includes WSGI middleware to provide authentication support for Nova and Swift. Keystone has its own database.
A- The user sends credentials to Keystone.
B- The user gets a token from Keystone.
C- The user sends the request plus the token to an OpenStack service.
D- The OpenStack service checks the token with Keystone.
E- The user receives the response from the OpenStack service.
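The five steps above, written out as the HTTP messages each side exchanges. This is an added example, not code from the article or from the Keystone project: the request and response shapes follow the Keystone v3 API (POST /v3/auth/tokens with a password credential, the token returned in the X-Subject-Token header, and GET /v3/auth/tokens for validation), while the Keystone host name, the sample response and the service token are constructed for the demonstration. Nothing is sent over the network; the functions only build and inspect the messages.

```python
"""Keystone v3 identity flow modelled as the messages each side sends.

Added example (not from the article or the Keystone project). Message shapes
follow the Keystone v3 API; KEYSTONE_URL and SAMPLE_AUTH_RESPONSE are
constructed for the demonstration.
"""
import json
from datetime import datetime, timezone

KEYSTONE_URL = "http://keystone.example.test:5000"  # constructed, hypothetical host


def build_auth_request(username, password, user_domain, project, project_domain):
    """Step A: the credentials the user POSTs to KEYSTONE_URL/v3/auth/tokens.

    The 'scope' block asks for a project-scoped token, whose roles and catalog
    apply to that project; omitting it yields an unscoped token.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": {"project": {"name": project, "domain": {"name": project_domain}}},
        }
    }


# Step B: Keystone answers 201 Created. The token string travels in the
# X-Subject-Token header; the body describes what the token is good for.
SAMPLE_AUTH_RESPONSE = {  # constructed sample, not real Keystone output
    "status": 201,
    "headers": {"X-Subject-Token": "gAAAAABexampleTOKEN"},
    "body": {
        "token": {
            "methods": ["password"],
            "expires_at": "2030-01-01T00:00:00.000000Z",
            "user": {"name": "demo", "domain": {"name": "Default"}},
            "project": {"name": "demo", "domain": {"name": "Default"}},
            "roles": [{"name": "member"}],
        }
    },
}


def extract_token(response):
    """Step B (client side): pull the token and its expiry out of the response."""
    if response["status"] != 201:
        raise PermissionError("authentication failed")
    token = response["headers"]["X-Subject-Token"]
    expires_at = response["body"]["token"]["expires_at"].replace("Z", "+00:00")
    return token, datetime.fromisoformat(expires_at)


def service_request(token, method, url):
    """Step C: what the user sends to Nova, Glance, Cinder and so on.

    Only the token goes along (X-Auth-Token); the password never reaches
    the service.
    """
    return {"method": method, "url": url, "headers": {"X-Auth-Token": token}}


def validation_request(service_token, user_token):
    """Step D: the service asks Keystone whether the user's token is valid.

    The service authenticates itself with its own token (X-Auth-Token) and
    names the token under examination in X-Subject-Token. Keystone answers
    200 with the token's user, project, roles and expiry, or 404 if the token
    is unknown or expired.
    """
    return {
        "method": "GET",
        "url": KEYSTONE_URL + "/v3/auth/tokens",
        "headers": {"X-Auth-Token": service_token, "X-Subject-Token": user_token},
    }


def token_is_usable(token_body, now):
    """Step D (service side): the checks a service applies to Keystone's
    answer before serving the request: not expired, and scoped to a project
    so that the roles in it mean something for the resource being touched."""
    expires = datetime.fromisoformat(token_body["expires_at"].replace("Z", "+00:00"))
    return now < expires and "project" in token_body


if __name__ == "__main__":
    req = build_auth_request("demo", "s3cret", "Default", "demo", "Default")
    print("A:", json.dumps(req))
    tok, exp = extract_token(SAMPLE_AUTH_RESPONSE)
    print("B:", tok, "valid until", exp.isoformat())
    print("C:", service_request(tok, "GET", "http://nova.example.test:8774/v2.1/servers"))
    print("D:", validation_request("svc-token-constructed", tok))
    print("usable now:", token_is_usable(SAMPLE_AUTH_RESPONSE["body"]["token"],
                                         datetime.now(timezone.utc)))
```

The point to notice in step D is that validation is a second, authenticated call from the service to Keystone; the service trusts the token only because Keystone vouches for it, not because the token string looks well-formed.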
3- Keystone Architecture Concepts :
A- Services : Keystone is organized as a group of internal services exposed on one or many endpoints.
B- Identity : The Identity service provides credential validation and data about users and groups.
C- Users : represent an individual API consumer. A user must be owned by a specific domain.
D- Groups : are a container representing a collection of users.
E- Projects : represent the base unit of ownership in OpenStack, in that all resources in OpenStack should be owned by a specific project. A project itself must be owned by a specific domain.
F- Domains : are a high-level container for projects, users and groups. Each of these is owned by exactly one domain. Each domain defines a namespace in which an API-visible name attribute exists. Keystone provides a default domain.
G- Roles : dictate the level of authorization the end user can obtain. Roles can be granted at either the domain or the project level.
H- Token : the token service validates and manages the tokens used for authenticating requests once a user's credentials have already been verified.
J- Catalog : provides an endpoint registry used for endpoint discovery.
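How the concepts in E, F, G, H and J show up in practice: a scoped token carries the project or domain it applies to, the roles granted within that scope, and the catalog a client uses for endpoint discovery. The following is an added example, not code from the article or from Keystone. The token layout follows the "token" object Keystone returns from POST /v3/auth/tokens; the user, regions, host names and URLs are constructed for the demonstration.

```python
"""Reading scope, roles and the service catalog out of a Keystone v3 token.

Added example (not from the article or the Keystone project). SAMPLE_TOKEN and
DOMAIN_SCOPED_TOKEN are constructed; the field layout follows Keystone v3.
"""

SAMPLE_TOKEN = {  # constructed: a project-scoped token body
    "user": {"name": "demo", "domain": {"name": "Default"}},
    "project": {"name": "demo", "domain": {"name": "Default"}},
    "roles": [{"name": "member"}, {"name": "reader"}],
    "catalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "http://keystone.example.test:5000/v3"},
        ]},
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "http://nova.example.test:8774/v2.1"},
            {"interface": "internal", "region": "RegionOne",
             "url": "http://10.0.0.5:8774/v2.1"},
            {"interface": "public", "region": "RegionTwo",
             "url": "http://nova-two.example.test:8774/v2.1"},
        ]},
        {"type": "image", "name": "glance", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "http://glance.example.test:9292"},
        ]},
    ],
}

DOMAIN_SCOPED_TOKEN = {  # constructed: the same user holding a domain-scoped token
    "user": {"name": "demo", "domain": {"name": "Default"}},
    "domain": {"name": "Default"},
    "roles": [{"name": "admin"}],
    "catalog": [],
}


def scope_of(token):
    """Return ('project', name), ('domain', name) or ('unscoped', None).

    Roles are granted at project or domain level (concept G), so the roles in
    a token only mean something inside the scope reported here.
    """
    if "project" in token:
        return "project", token["project"]["name"]
    if "domain" in token:
        return "domain", token["domain"]["name"]
    return "unscoped", None


def role_names(token):
    """Role names granted within the token's scope, sorted for stable output."""
    return sorted(role["name"] for role in token.get("roles", []))


def has_role(token, role):
    return role in role_names(token)


def find_endpoint(catalog, service_type, interface="public", region=None):
    """Endpoint discovery (concept J): the URL for a service type.

    'interface' picks the public, internal or admin URL; 'region' narrows the
    choice when the catalog spans several regions. Raises LookupError when no
    matching endpoint is registered.
    """
    for service in catalog:
        if service["type"] != service_type:
            continue
        for endpoint in service["endpoints"]:
            if endpoint["interface"] != interface:
                continue
            if region is not None and endpoint["region"] != region:
                continue
            return endpoint["url"]
    where = f" in {region}" if region else ""
    raise LookupError(f"no {interface} endpoint for {service_type!r}{where}")


if __name__ == "__main__":
    for tok in (SAMPLE_TOKEN, DOMAIN_SCOPED_TOKEN):
        print(scope_of(tok), role_names(tok), "admin:", has_role(tok, "admin"))
    print(find_endpoint(SAMPLE_TOKEN["catalog"], "compute"))
    print(find_endpoint(SAMPLE_TOKEN["catalog"], "compute", "internal"))
    print(find_endpoint(SAMPLE_TOKEN["catalog"], "compute", region="RegionTwo"))
```

A client that needs Nova looks up type "compute" rather than hard-coding a URL, which is why every service added to OpenStack has to be registered in Keystone's catalog. Note also that the admin role in DOMAIN_SCOPED_TOKEN is attached to the Default domain, not to the demo project; a service must read the scope together with the roles.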
4- Keystone Role in VM Creation :
A- The identity service (Keystone) authenticates the user with the user's credentials and then generates and sends back an auth token; that auth token is used for sending requests to the other components through REST calls.
B- Keystone verifies that the user has the correct permissions for the request based on its own policies.
C- Keystone replies with the temporary token and the list of tenants (projects) the user has access to.
D- glance-api validates the auth token with Keystone, after which nova-compute gets the image metadata.
E- cinder-api validates the auth token with Keystone, after which nova-compute gets the block storage information.