LLMpedia: The first transparent, open encyclopedia generated by LLMs

OpenStack Keystone

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: OpenStack Swift (hop 5)
Expansion funnel: Raw 71 → Dedup 0 → NER 0 → Enqueued 0
OpenStack Keystone
Name: Keystone
Developer: OpenStack Foundation (now the Open Infrastructure Foundation)
Released: 2012 (Essex release; incubated during the 2011 Diablo cycle)
Programming language: Python
Operating system: Linux
License: Apache License 2.0

OpenStack Keystone is the identity, token, catalog, and policy service for the OpenStack cloud computing platform. It provides the centralized authentication and authorization that the other services, including Nova, Glance, Cinder, and Neutron, rely on: a client authenticates to Keystone, receives a scoped token, and presents that token to every other service, which validates it with Keystone before acting on the request. Keystone integrates with external identity sources and standards, including LDAP, SAML 2.0, OpenID Connect, and OAuth 2.0, to support enterprise and research cloud deployments.

Overview

Keystone was not one of the two original 2010 OpenStack projects (Nova and Swift); it was incubated during the Diablo cycle and became an integrated project, together with Horizon, in the Essex release of 2012. Since then it has been the canonical identity service of an OpenStack cloud, shipped in distributions from Red Hat, Canonical, SUSE, and Mirantis. Keystone supports the multi-tenant and federated scenarios used by public providers such as Rackspace and HP and by research clouds at institutions such as NASA and CERN. Its feature set evolved through community collaboration at the OpenStack Summit and through contributions from companies such as IBM and Intel.

Architecture and Components

Keystone's architecture separates concerns into services and pluggable backends. The core services are Identity (users and groups), Resource (domains and projects), Assignment (roles and role assignments), Token, Catalog, and Policy; each has a driver interface, so the Identity service can be backed by SQL (commonly MySQL or MariaDB) or by a directory such as Microsoft Active Directory via LDAP, while the others are normally SQL-backed. Keystone runs as a Python WSGI application under Apache HTTP Server with mod_wsgi or under uWSGI, optionally fronted by Nginx. It exposes the Identity v3 API, which the compute, image, block storage, and networking services (Nova, Glance, Cinder, and Neutron) use to validate the tokens they receive. Plugins and drivers add federation with external identity providers over SAML 2.0, OpenID Connect, and OAuth 2.0.

Authentication and Authorization

Keystone supports password, token, application-credential, and federated authentication methods, plus TOTP as a second factor. It issues bearer tokens that clients present to services such as Heat and Ceilometer, which validate them before authorizing a request. The token format is set by the configured provider: the original UUID and PKI providers have been removed, Fernet (symmetric-key encrypted, stateless) has been the default since the Ocata release, and a JWS (JSON Web Signature) provider was added in Stein. Role-based access control (RBAC) is implemented through roles assigned to users and groups on projects, domains, or the whole system; each service enforces these roles with oslo.policy rules loaded from its policy.yaml (formerly policy.json), and the roles present in a token depend on the scope the caller requested. Federation establishes trust with identity providers such as Shibboleth or an enterprise Active Directory Federation Services deployment over SAML 2.0 or OpenID Connect, with a mapping that translates assertion attributes into local users, groups, and roles. Keystone also integrates with Kerberos (through external authentication handled by the web server) and LDAP for single sign-on in enterprise deployments from vendors such as Red Hat and Canonical.
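The rule language the services enforce is oslo.policy's, and its semantics are easier to see in a small interpreter than in prose. The following is an added example, not Keystone or oslo.policy code: it re-implements the documented grammar ('or' binds loosest, then 'and', then 'not'; atoms are rule:<name> references, role:<name> checks, generic <credential>:<literal> or <credential>:%(target.path)s comparisons, and the constants @ for allow and ! for deny), then evaluates a handful of constructed rules, written in the shape of Keystone's policy.yaml defaults, against three constructed identities whose dicts stand for the credentials a scoped token carries. The dotted target lookup mirrors the flattening Keystone applies to target dicts before calling the engine; the rule names, user ids and domain ids are invented for the example.

```python
"""Evaluator for oslo.policy-style rule strings (added example, not oslo.policy code)."""
import re

KEYWORDS = {"and", "or", "not"}
SUBST_RE = re.compile(r"%\((.+)\)s")  # the '%(target.path)s' substitution form


def tokenize(expr):
    """Whitespace-split, then peel edge parentheses off each word, as oslo.policy does."""
    tokens = []
    for word in expr.split():
        lead = len(word) - len(word.lstrip("("))
        word = word[lead:]
        trail = len(word) - len(word.rstrip(")"))
        core = word[:len(word) - trail]  # '%(target.id)s' keeps its inner parentheses
        tokens.extend("(" * lead)
        if core:
            tokens.append(core.lower() if core.lower() in KEYWORDS else core)
        tokens.extend(")" * trail)
    return tokens


class Enforcer:
    def __init__(self, rules):
        self.rules = rules  # rule name -> rule string, as loaded from policy.yaml

    def enforce(self, name, creds, target):
        if name not in self.rules:
            return False  # unknown rule: deny (oslo.policy would consult "default")
        toks = tokenize(self.rules[name])
        if not toks:
            return True  # an empty rule string allows everyone
        value, pos = self._or(toks, 0, creds, target)
        if pos != len(toks):
            raise ValueError("trailing tokens in rule %r" % name)
        return value

    def _or(self, toks, i, creds, target):
        value, i = self._and(toks, i, creds, target)
        while i < len(toks) and toks[i] == "or":
            rhs, i = self._and(toks, i + 1, creds, target)
            value = value or rhs
        return value, i

    def _and(self, toks, i, creds, target):
        value, i = self._not(toks, i, creds, target)
        while i < len(toks) and toks[i] == "and":
            rhs, i = self._not(toks, i + 1, creds, target)
            value = value and rhs
        return value, i

    def _not(self, toks, i, creds, target):
        if toks[i] == "not":
            value, i = self._not(toks, i + 1, creds, target)
            return (not value), i
        if toks[i] == "(":
            value, i = self._or(toks, i + 1, creds, target)
            if i >= len(toks) or toks[i] != ")":
                raise ValueError("unbalanced parentheses")
            return value, i + 1
        return self._check(toks[i], creds, target), i + 1

    def _check(self, tok, creds, target):
        if tok in ("@", "!"):
            return tok == "@"
        kind, sep, match = tok.partition(":")
        if not sep:
            raise ValueError("malformed check %r" % tok)
        if kind == "rule":
            return self.enforce(match, creds, target)
        if kind == "role":
            return match.lower() in {r.lower() for r in creds.get("roles", [])}
        sub = SUBST_RE.fullmatch(match)
        if sub:  # compare a token attribute with an attribute of the target resource
            match = target
            for part in sub.group(1).split("."):  # Keystone flattens targets to dotted keys
                if part not in match:
                    return False
                match = match[part]
        return kind in creds and str(creds[kind]) == str(match)


SAMPLE_RULES = {  # constructed, in the shape of Keystone's policy.yaml defaults
    "admin_required": "role:admin",
    "owner": "user_id:%(target.user.id)s",
    "non_admin": "not rule:admin_required",
    "identity:get_user": "rule:admin_required or rule:owner",
    "identity:list_projects": "rule:admin_required or (role:reader and domain_id:%(target.domain_id)s)",
}


def demo():
    """Decisions for three constructed identities, as their scoped tokens would present them."""
    enf = Enforcer(SAMPLE_RULES)
    who = {n: {"user_id": "u-" + n, "roles": [r], "domain_id": "d-default"}
           for n, r in (("alice", "member"), ("aud", "reader"), ("root", "admin"))}
    alice_rec = {"target": {"user": {"id": "u-alice"}}}
    get = lambda n: enf.enforce("identity:get_user", who[n], alice_rec)
    lst = lambda n, dom: enf.enforce("identity:list_projects", who[n], {"target": {"domain_id": dom}})
    return {"alice_reads_self": get("alice"), "aud_reads_alice": get("aud"), "root_reads_alice": get("root"),
            "aud_lists_own_domain": lst("aud", "d-default"), "aud_lists_other_domain": lst("aud", "d-other"),
            "alice_is_non_admin": enf.enforce("non_admin", who["alice"], {})}
```

The point to take from the sample decisions is that the same rule string yields different answers for the same user depending on what the token is scoped to: the reader role lists projects only in the domain its token names, which is why scope, not just role membership, has to be part of any review of an OpenStack policy file.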

API and Integration

Keystone exposes RESTful APIs following OpenStack API conventions, consumed by SDKs and CLIs such as python-openstackclient and openstacksdk and by configuration-management modules for Ansible, Puppet, and Chef. An authentication request to POST /v3/auth/tokens returns the token in the X-Subject-Token response header and, for a scoped token, the service catalog in the body; the catalog lists each registered service's endpoints by interface (public, internal, admin) and region, which is how Horizon, the OpenStack CLI, and third-party tools such as Terraform discover where to send requests. Other services integrate through keystonemiddleware's auth_token filter in their WSGI pipelines, which validates the X-Auth-Token header of incoming requests against Keystone and caches the result, and through the federation plugins for SAML 2.0 or OpenID Connect. Monitoring and telemetry systems such as Prometheus exporters, Zabbix, and Nagios interact with Keystone the way any other client does: they authenticate as a dedicated service user and work with scoped tokens.
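As an added example (not Keystone or keystoneauth1 code), the following builds the password-authentication body that POST /v3/auth/tokens expects and then works with a constructed v3 token body of the kind a service sees after validation: the token string itself travels in the X-Subject-Token response header and is sent on to other services in X-Auth-Token, while the body carries the roles, project and catalog used here. The catalog entries, hostnames and expiry are invented; the request and response layouts follow the Identity v3 API. The endpoint selector refuses to guess when a service type is registered in more than one region, which is the usual way a client ends up talking to the wrong endpoint.

```python
"""Identity v3 token request and service-catalog handling (added example, not Keystone code)."""
from datetime import datetime, timezone


def password_auth_body(username, password, user_domain, project, project_domain):
    """Body for POST /v3/auth/tokens using the password method with project scope.
    Scope is what turries roles into the token; an unscoped token carries no catalog."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {"name": username, "domain": {"name": user_domain}, "password": password}
                },
            },
            "scope": {"project": {"name": project, "domain": {"name": project_domain}}},
        }
    }


# Constructed v3 token body, trimmed to the fields used below. The token string
# itself is not in the body: it is the X-Subject-Token header of the response.
TOKEN_BODY = {
    "token": {
        "expires_at": "2030-01-01T00:00:00.000000Z",
        "roles": [{"id": "r1", "name": "member"}],
        "project": {"id": "p-1", "name": "demo"},
        "catalog": [
            {"type": "identity", "name": "keystone", "endpoints": [
                {"interface": "public", "region": "RegionOne", "url": "https://keystone.example.test/v3"},
                {"interface": "internal", "region": "RegionOne", "url": "http://keystone.internal:5000/v3"},
            ]},
            {"type": "compute", "name": "nova", "endpoints": [
                {"interface": "public", "region": "RegionOne", "url": "https://nova-1.example.test/v2.1"},
                {"interface": "public", "region": "RegionTwo", "url": "https://nova-2.example.test/v2.1"},
            ]},
        ],
    }
}


def find_endpoint(token_body, service_type, interface="public", region=None):
    """Select one URL by service type, interface and (optionally) region.
    Raises instead of picking the first match when several regions qualify."""
    matches = [
        ep["url"]
        for svc in token_body["token"]["catalog"] if svc["type"] == service_type
        for ep in svc["endpoints"]
        if ep["interface"] == interface and (region is None or ep["region"] == region)
    ]
    if not matches:
        raise LookupError("no %s/%s endpoint for region %r" % (service_type, interface, region))
    if len(matches) > 1:
        raise LookupError("ambiguous %s endpoint, specify a region" % service_type)
    return matches[0]


def token_is_valid(token_body, now=None):
    """expires_at is UTC with microseconds and a literal 'Z'. A cached token must be
    checked against the clock before reuse, not only against the status it was issued with."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.strptime(token_body["token"]["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return expires.replace(tzinfo=timezone.utc) > now


def role_names(token_body):
    """Role names granted for the scope the token was requested with."""
    return sorted(r["name"] for r in token_body["token"]["roles"])
```

The internal interface in the constructed catalog is deliberately plain HTTP, as it often is in deployments that treat the management network as trusted; a client that selects interface="internal" is therefore also selecting a transport, which is worth keeping in mind when the same catalog is handed to tooling that runs outside that network.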

Deployment and Configuration

Deployment patterns range from single-node proof-of-concept installations with DevStack to large production clouds deployed by Kolla (container images driven by Ansible), TripleO, OpenStack-Ansible, or vendor distributions from Red Hat and SUSE. Configuration lives in keystone.conf: the [database] connection, the identity backend ([identity] driver = sql or ldap, with the [ldap] section holding directory settings), the token provider ([token] provider = fernet or jws, with the Fernet key repository created by keystone-manage fernet_setup), and the service catalog, which keystone-manage bootstrap seeds with the admin user, project, and role and with the identity service's own endpoints. High-availability deployments run several stateless Keystone instances behind HAProxy or F5 load balancers against a Galera Cluster database, with the Fernet key repository synchronized across nodes; containerized deployments package Keystone with Docker and orchestrate it with Kubernetes. Automation with Ansible, Puppet, or Chef is commonly used to keep that configuration reproducible.

Security and Compliance

Keystone is the trust anchor of an OpenStack cloud: every other service's authentication, authorization, and service discovery depend on it, whether the operator is NASA, the European Space Agency, or an enterprise. Security practice therefore centers on the service itself: terminating TLS on every Keystone endpoint with certificates from a trusted authority (Let's Encrypt or an internal CA), keeping [token] expiration short, rotating Fernet keys on a schedule that always retains at least one secondary key so live tokens are not invalidated, protecting the key repository and the LDAP bind credentials in keystone.conf with file permissions, using LDAPS or STARTTLS for directory backends, and enabling multi-factor authentication through the built-in TOTP method together with per-user multi_factor_auth_rules (or through a federated identity provider that enforces MFA itself). Keystone's [security_compliance] options add account lockout, password expiry, and password-history checks for SQL-backed users. For compliance in regulated environments, Keystone emits CADF-formatted audit notifications for authentication events and identity changes; operators map roles and these audit events to ISO/IEC 27001, SOC 2, and HIPAA controls by forwarding them to a SIEM such as Splunk.
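The keystone.conf options behind the configuration steps in the deployment section and the hardening points above can be checked mechanically. The following is an added example, not Keystone code: it parses two constructed keystone.conf fragments with the standard library and reports the settings a reviewer would flag, the weak fragment beside the hardened one. The option names are real ([DEFAULT] insecure_debug, [identity] driver, [ldap] url and use_tls, [token] provider and expiration, [fernet_tokens] max_active_keys, the [security_compliance] lockout and password-expiry options, [auth] methods); the hostnames and the thresholds are this example's choices, the 3600-second token lifetime being Keystone's default and everything else an assumption of the audit.

```python
"""Audit of keystone.conf settings that govern tokens, passwords and directory binds.
Added example, not Keystone code; both configurations are constructed."""
import configparser

WEAK_CONF = """\
[DEFAULT]
insecure_debug = true
[database]
connection = mysql+pymysql://keystone:keystone@db.internal/keystone
[identity]
driver = sql
[ldap]
# defaults inherited by a domain-specific LDAP configuration (constructed)
url = ldap://ldap.internal:389
use_tls = false
[token]
provider = fernet
expiration = 86400
[fernet_tokens]
max_active_keys = 2
[auth]
methods = password,token
"""

HARDENED_CONF = """\
[DEFAULT]
insecure_debug = false
[database]
connection = mysql+pymysql://keystone:keystone@db.internal/keystone
[identity]
driver = sql
[ldap]
url = ldaps://ldap.internal:636
use_tls = false
tls_req_cert = demand
[token]
provider = fernet
expiration = 3600
[fernet_tokens]
max_active_keys = 3
[security_compliance]
lockout_failure_attempts = 5
lockout_duration = 1800
password_expires_days = 90
unique_last_password_count = 5
[auth]
methods = password,token,totp,application_credential
"""


def audit(conf_text):
    """Return one finding string per weak setting; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)  # keystone.conf values may contain '%'
    cp.read_string(conf_text)
    get = lambda section, option, default=None: cp.get(section, option, fallback=default)
    findings = []
    if cp.getboolean("DEFAULT", "insecure_debug", fallback=False):
        findings.append("[DEFAULT] insecure_debug: reasons for authentication failures are returned to clients")
    if get("token", "provider", "fernet") not in ("fernet", "jws"):
        findings.append("[token] provider: only fernet and jws are supported token providers")
    if int(get("token", "expiration", 3600)) > 3600:
        findings.append("[token] expiration: longer than the 3600 s default extends how long a leaked token works")
    if int(get("fernet_tokens", "max_active_keys", 3)) < 3:
        findings.append("[fernet_tokens] max_active_keys: below 3 there is no secondary key, so rotation invalidates live tokens")
    if get("identity", "driver", "sql") == "sql":  # password policy applies to SQL-backed users only
        if int(get("security_compliance", "lockout_failure_attempts", 0)) <= 0:
            findings.append("[security_compliance] lockout_failure_attempts: unset, password guessing is not throttled")
        if get("security_compliance", "password_expires_days") is None:
            findings.append("[security_compliance] password_expires_days: unset, passwords never expire")
    url = get("ldap", "url", "")
    if url.startswith("ldap://") and not cp.getboolean("ldap", "use_tls", fallback=False):
        findings.append("[ldap] url: cleartext LDAP without use_tls exposes the bind and user credentials")
    methods = [m.strip() for m in get("auth", "methods", "").split(",")]
    if "totp" not in methods:
        findings.append("[auth] methods: totp not enabled, so per-user multi_factor_auth_rules cannot require it")
    return findings


def compare():
    """Findings for the constructed weak and hardened configurations."""
    return {"weak": audit(WEAK_CONF), "hardened": audit(HARDENED_CONF)}
```

Two of the checks deserve a caveat. use_tls means STARTTLS on a plain ldap:// URL, so an ldaps:// URL with use_tls left false is not a finding, and tls_req_cert = demand is what makes either form verify the directory's certificate. Enabling totp in [auth] methods does not by itself require a second factor; it only makes it possible to set multi_factor_auth_rules on the users who must present one.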

Development and Community

Keystone is developed in the OpenStack community by contributors from companies including Red Hat, IBM, Intel, Mirantis, and Canonical, as well as independent developers. Releases follow the OpenStack release cycle, with changes reviewed in Gerrit and planning coordinated at the OpenStack Summit and, later, the OpenInfra Summit. Documentation, SDKs, and client libraries are maintained alongside python-openstackclient and openstacksdk (which absorbed the earlier shade library), while interoperability is exercised through the OpenStack Foundation's ecosystem testing programs such as the OpenStack Interoperability Challenge.

Category:OpenStack