Keystone is the OpenStack identity service that provides user, project and service catalog management. It implements the OpenStack Identity API. Keystone has four internal services - Identity, Token, Catalog and Policy. It uses a pluggable backend architecture that allows different storage backends. Keystone provides authentication for users and services in OpenStack and maps users to their authorized projects and roles.

1. OPENSTACK KEYSTONE IDENTITY SERVICE
Kavit Munshi, CTO, Aptira

2. WHAT IS KEYSTONE?
Keystone is an OpenStack project that provides Identity, Token, Catalog and
Policy services for use specifically by projects in the OpenStack family. It
implements OpenStack’s Identity API.
The Identity services has two primary functions:
- User management: keep track of users and what they are permitted to do
- Service catalog: Provide a catalog of what services are available and where
their API endpoints are located

3. KEYSTONE ARCHITECTURE
Keystone is organized as a group of internal services exposed on one or many
endpoints.
1) Identity: The Identity service provides auth credential validation and data
about Users, Tenants and Roles, as well as any associated metadata.
2) Token: The Token service validates and manages Tokens used for
authenticating requests once a user/tenant’s credentials have already been
verified.
3) Catalog: The Catalog service provides an endpoint registry used for endpoint
discovery.
4) Policy: The Policy service provides a rule-based authorization engine

4. KEYSTONE ARCHITECTURE
Each of the services can configured to use a backend to allow Keystone to fit a
variety of environments and needs. The backend for each service is defined in
the keystone.conf file
1) KVS Backend: A simple backend interface meant to be further backended
on anything that can support primary key lookups
2) SQL Backend: A SQL based backend using SQLAlchemy to store data
persistently.
3) PAM Backend: Extra simple backend that uses the current system’s PAM
service to authenticate, providing a one-to-one relationship between Users
and Tenants.
4) LDAP Backend: The LDAP backend stored Users and Tenents in separate
Subtrees.
5) Templated Backend: A simple Template used to configure Keystone

5. KEYSTONE ARCHITECTURE
Keystone Architecture Logical Diagram

6. KEYSTONE ARCHITECTURE

7. KEYSTONE FLOWCHART

8. KEYSTONE USER MANAGEMENT
The three main concepts of Identity user management are:
1) Users: A user represents a human user, and has associated information such as
username, password and email.
2) Tenants: A tenant can be thought of as a project, group, or organization.
Whenever you make requests to OpenStack services, you must specify a tenant.
3) Roles: A role captures what operations a user is permitted to perform in a given
tenant.

9. KEYSTONE SERVICE MANAGEMENT
Keystone also acts as a service catalog to let other OpenStack systems know
where relevant API endpoints exist for OpenStack Services. The two main
concepts of Identity service management are:
- Services
- Endpoints
The Identity service also maintains a user that corresponds to each service (e.g.,
a user named nova, for the Compute service) and a special service tenant, which
is called service.

10. INSTALLING AND SETTING UP KEYSTONE
Keystone can be either be installed from the source or platform specific packages
available with various distributions. For the purposes of this presentation we will use
Ubuntu 12.04 with platform specific packages available in the repositories.
- sudo apt-get install keystone
- sudo apt-get install python-mysqldb mysql-server (install mysqldb to replace the
default SQL lite DB)
- mysql> CREATE DATABASE keystone; (Create mysql database for the keystone to
use)
- mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY
'[YOUR_KEYSTONE_PASSWORD]'; (Create mysql user to access the keystone DB)
- Change connection line in /etc/keystone.conf
connection =
mysql://keystone:[YOUR_KEYSTONE_PASSWORD]@[YOUR_KEYSTONE_SERVER]/key
stone
- admin_token = 012345SECRET99TOKEN012345 (Set service token in keystone.conf)
- service keystone restart (Restart the keystone service to apply the changes
- keystone-manage db_sync (Initialise the new keystone database)

11. KEYSTONE USER MANAGEMENT
1) Create a user called Kavit
keystone user-create --name=kavit --pass=test123 --email=kavit@aptira.com
2) Create a tenant called test
keystone tenant-create --name=test
3) Create a role to use on our system
keystone role-create –name=admin
4) Associate the role and the user with the tenant
keystone user-role-add --user=USERID –role=ROLEID –tenant_id=TENANTID

12. KEYSTONE SERVICE MANAGEMENT
1) Create service tenant. This tenant contains all the services that we make known
to the service catalog.
keystone tenant-create –name=service
2) Create users for each Openstack service in the service catalog
keystone user-create –name=nova –pass=test123 --
email=nova@test.aptira.com
3) Give admin roles to the users nova, glance, etc to the tenant service.
4) Now that we have tenants, users and roles for each of the users, we need to
create the services we wish authenticate users for.
keystone service-create --name nova --type compute --description ’OpenStack
Compute Service’

13. KEYSTONE SERVICE MANAGEMENT
5) Once the services are created, we will need to associate the endpoints or
network addresses where clients might connect to the services offered.
keystone endpoint-create --region myregion --service_id
1e93ee6c70f8468c88a5cb1b106753f3
--publicurl ’http://192.168.125.111:8774/v2/$(tenant_id)s’
--adminurl ’http://192.168.125.111:8774/v2/$(tenant_id)s’
--internalurl ’http://192.168.125.111:8774/v2/$(tenant_id)s’

14. KEYSTONE WORKFLOW

15. IMPORTANT RESOURCES AND LINKS
OpenStack keystone developer documentation
http://docs.openstack.org/developer/keystone/
OpenStack Identity Administration documentation
http://docs.openstack.org/trunk/openstack-compute/install/content/ch_installing-
openstack-identity-service.html
Keystone github
http://github.com/openstack/keystone
Keystone Launchpad site
https://launchpad.net/keystone

16. THE END