
Choonho Son


The Identity of OpenStack, Keystone

Keystone, the heart of OpenStack's Identity

Authentication and authorization are the starting point of every API call. In AWS, GCP, or Azure, IAM is the core component for authentication and authorization. In OpenStack, Keystone plays the IAM role.

I want to understand how Keystone works.

The basic concept of authentication and authorization in a microservice architecture is: 1) there is a central identity service that issues tokens, and 2) every other microservice validates the token (authentication) and checks permissions (authorization).

Keystone v2 and v3

Keystone v3 supports Domains and Projects.

Token Types

| Type | Description | Supported from |
|---|---|---|
| UUID | 32-bit UUID, just a random number | - |
| FERNET | 256 bytes, symmetric encryption and signing | Kilo (default since Queens) |
| JWS | JSON Web Token, asymmetric cryptography | Stein |

  • Fernet and JWS tokens are non-persistent: they are not backed by a database, so validating one needs no storage lookup.

UUID

[token]
provider = keystone.token.providers.uuid.Provider

FERNET (Cryptographic Authentication Method)

[token]
provider = keystone.token.providers.fernet.Provider
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
max_active_keys = <number of keys> # default is 3

JWS (JSON Web Signature)

JWS is a type of JWT (JSON Web Token).

[token]
provider = jws
[jwt_tokens]
jws_public_key_repository = /etc/keystone/jws-keys/public
jws_private_key_repository = /etc/keystone/jws-keys/private

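The difference between the UUID provider and the non-persistent providers above (Fernet, JWS) is easiest to see in code. The following is an added example written for this post, not code from the post or from Keystone itself. It models two things: a UUID provider, where the token is an opaque random id and every validation is a lookup in a token table (an in-memory dict stands in for the database), and a stateless provider whose token carries its own payload plus an HMAC-SHA256 tag, with keys held in a repository modelled on the fernet-keys layout (key 0 is the staged key, the highest index is the primary signing key, the rest are secondaries, and `max_active_keys` bounds the set). HMAC-SHA256 stands in for Fernet's real AES-CBC-plus-HMAC construction, and the asymmetric JWS case is not modelled; the key-rotation semantics and the `demo_rotation` helper are this example's own. The point it demonstrates is why `max_active_keys` must be sized against token lifetime and rotation frequency: a token survives exactly as many rotations as keep its signing key in the repository.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import uuid


class UuidTokenStore:
    """Model of the UUID provider: the token is an opaque random id, so every
    validation needs a lookup in persistent storage (constructed in-memory dict)."""

    def __init__(self):
        self._db = {}

    def issue(self, user, project, ttl=3600):
        token_id = uuid.uuid4().hex  # random, carries no information on its own
        self._db[token_id] = {"user": user, "project": project,
                              "expires_at": time.time() + ttl}
        return token_id

    def validate(self, token_id):
        rec = self._db.get(token_id)  # unknown id or expired record -> reject
        if rec is None or rec["expires_at"] < time.time():
            return None
        return rec


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRepository:
    """Model of the fernet-keys directory: key 0 is staged, the highest index is
    primary, the others are secondary. Keys are bytes here instead of files."""

    def __init__(self, max_active_keys=3):
        assert max_active_keys >= 2, "need room for a staged key and a primary"
        self.max_active_keys = max_active_keys
        self.keys = {0: secrets.token_bytes(32), 1: secrets.token_bytes(32)}

    @property
    def primary(self):
        return max(self.keys)

    def rotate(self):
        # the staged key becomes the new primary and a fresh staged key is created
        self.keys[self.primary + 1] = self.keys.pop(0)
        self.keys[0] = secrets.token_bytes(32)
        # purge the oldest secondaries until the repository fits max_active_keys
        while len(self.keys) > self.max_active_keys:
            del self.keys[min(i for i in self.keys if i != 0)]

    def validation_order(self):
        # primary first, newest secondaries next; the staged key may validate
        # but never signs, so it is tried last
        secondaries = sorted((i for i in self.keys if i not in (0, self.primary)),
                             reverse=True)
        return [self.primary] + secondaries + [0]


class StatelessTokenProvider:
    """Model of a non-persistent provider: the payload travels inside the token and
    an HMAC tag proves it was issued with a repository key, so no database is read."""

    def __init__(self, repo):
        self.repo = repo

    def _tag(self, key_index, payload):
        return hmac.new(self.repo.keys[key_index], payload.encode(), hashlib.sha256).digest()

    def issue(self, user, project, ttl=3600):
        payload = _b64(json.dumps({"user": user, "project": project,
                                   "expires_at": time.time() + ttl}).encode())
        return payload + "." + _b64(self._tag(self.repo.primary, payload))

    def validate(self, token):
        try:
            payload, tag = token.split(".")
            expected = _unb64(tag)
        except ValueError:
            return None
        for idx in self.repo.validation_order():
            if hmac.compare_digest(self._tag(idx, payload), expected):
                data = json.loads(_unb64(payload))
                return data if data["expires_at"] >= time.time() else None
        return None  # tampered, or signed with a key that has been purged


def demo_rotation(max_active_keys=3):
    """Issue one token, rotate max_active_keys times, and record whether the
    token still validates before and after each rotation."""
    repo = KeyRepository(max_active_keys)
    provider = StatelessTokenProvider(repo)
    token = provider.issue("alice", "demo-project")
    results = [provider.validate(token) is not None]
    for _ in range(max_active_keys):
        repo.rotate()
        results.append(provider.validate(token) is not None)
    return results


if __name__ == "__main__":
    print("validity across rotations, max_active_keys=3:", demo_rotation(3))
```

With `max_active_keys = 3` the token validates after one rotation and fails after the second, because the purge removes the key that signed it. That is the reason for keeping `max_active_keys` large enough to cover the longest token lifetime across the rotation schedule; the stateless validation itself never touches storage, which is the property the table above describes as not database-backed.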

Token Scope

| Type | Description |
|---|---|
| Unscoped | - |
| System | Interacting with resources at the system level, usually admin only |
| Domain | Users and groups |
| Project | Users working on items that fit within a project scope |
