Keystone is an OpenStack identity service that manages user databases and OpenStack service catalogs and their API endpoints. It integrates with existing backend directory services like LDAP and supports multiple authentication mechanisms, such as username-and-password, token-based systems and AWS-style logins.
Users are digital representations of a person, system, or service that uses OpenStack cloud services. Keystone ensures that incoming requests are coming from a valid login user that can be assigned resource-access tokens. Users are assigned to a particular tenant with specific role.
A tenant is a group used to isolate resources and/or users. Groups can be mapped to customers, projects or organizations.
A role includes a set of assigned user rights and privileges for performing a specific set of operations. A user token issued by Keystone includes a list of that user’s roles. Services then determine how to interpret those roles.
Credentials are data known only by a specific user who proves his or her identity. Examples include username and password, username and API key, or an authentication token.
Authentication is the act of confirming a user’s identity by validating a set of user-supplied credentials. Those credentials are initially a username and password or a username and API key. In response to the credentials, the identity service issues an authentication token that the user must provides for subsequent requests.
A token is an arbitrary bit of text used to access resources. Each token has a scope describing accessible resources. A token may be revoked at any time and is valid for a finite duration.
An OpenStack service, such as Compute (Nova), Object Storage (Swift), or Image Service (Glance), provides one or more endpoints through which users can access resources and perform operations.
An endpoint is a network-accessible address, usually described by URL, from which services are accessed.
Keystone Identity Service flow
a. Install Keystone services and client packages.
<i>#apt-get install keystone python-keystone python-keystoneclient</i>
b. Create a MySQL database and a Keystone user for Keystone for storing information.
<i>> create database keystone;</i>
<i>> grant all privileges on keystone.* to keystoneUser@localhost identified by ‘StrongPass’;</i>
<i>> grant all privileges on keystone.* to keystoneUser@'%' identified by ‘StrongPass’;</i>
c. Edit the database section of the Keystone configuration file and change the database type to mysql, database user, password, database host and database name.
Change the Keystone authentication admin token to a complex one.
admin_token = b565fbeb4e
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystoneUser:KEYSTONE_DBPASS@127.0.0.1/keystone
d. Now create a Keystone database schema using the following command:
e. Finally, restart Keystone service.
<i>#service keystone restart</i>
Keystone is now successfully installed.
Watch out for the next post in this tutorial series on how to setup and install Glance - OpenStack Image Service