Keystone
Keystone is the OpenStack identity service that provides authentication, authorization, and service discovery for all OpenStack components and users.
What is Keystone in cloud hosting?
Keystone is the identity service for OpenStack. It manages authentication (verifying who you are) and authorization (determining what you are allowed to do) for all users, services, and API requests across an OpenStack cloud environment.
Every time you log into an OpenStack dashboard, run a CLI command, or make an API call, Keystone validates your credentials and issues a token. That token proves your identity and specifies which projects (isolated resource containers) you can access and what actions you can perform within them.
Related Terms
- Project: An isolated container within OpenStack that groups resources such as instances, volumes, and networks under a single administrative boundary with its own quotas and access controls.
- Instance: A virtual machine running on OpenStack compute infrastructure, such as a web server or database server that requires Keystone authentication to be created or managed.
- Horizon Dashboard: The web-based graphical interface for OpenStack that relies on Keystone to authenticate users before granting access to cloud management features.
- Nova: The OpenStack compute service that creates and manages instances, such as virtual machines and bare-metal servers, and requires Keystone tokens to authorize all API requests.
- Neutron: The OpenStack networking service that manages virtual networks, routers, and floating IPs, and depends on Keystone for authenticating network configuration requests.
Why Keystone Exists
Without a centralized identity service, each OpenStack component would need its own user database and authentication logic. This would create several problems:
- Users would need separate credentials for compute, storage, networking, and every other service.
- There would be no consistent way to define who can access which resources.
- Services could not securely communicate with each other without hardcoded credentials scattered across configuration files.
- Auditing user activity across the cloud would be nearly impossible.
Keystone solves these problems by acting as the single source of truth for identity. All OpenStack services trust Keystone to verify users and authorize actions, which creates a unified and auditable security model.
What Does Keystone Actually Do?
- Issues authentication tokens: When you provide valid credentials, Keystone generates a time-limited token that you include with subsequent API requests to prove your identity.
- Manages users and groups: Keystone stores user accounts, assigns them to groups, and can integrate with external identity providers such as LDAP or Active Directory.
- Defines projects and domains: Keystone organizes resources into projects (also called tenants) and can group projects into domains for multi-tenant or multi-organization deployments.
- Assigns roles: Keystone maps users to roles within projects, determining whether someone can create instances, view billing data, or administer the entire cloud.
- Maintains the service catalog: Keystone keeps a registry of all available OpenStack services and their API endpoints, so clients know where to send requests for compute, storage, networking, and other functions.
- Enforces policy: Combined with policy files, Keystone determines whether a user with a specific role can perform a particular action on a given resource.
When Would I Use Keystone?
Keystone is always running if you are using OpenStack. You interact with it any time you:
- Log into the Horizon dashboard to manage your cloud resources.
- Run OpenStack CLI commands such as openstack server list or openstack volume create.
- Make direct API calls to any OpenStack service.
- Configure a new user account or project for a team member.
- Set up an application that needs programmatic access to your cloud infrastructure.
If your organization uses an external directory service, you would configure Keystone to federate authentication with that provider rather than maintaining duplicate user accounts.
When Would I NOT Use Keystone?
Keystone is required for OpenStack deployments. You cannot disable or bypass it while running OpenStack services.
However, there are scenarios where you would limit your direct interaction with Keystone:
- If you use a managed OpenStack platform where user and project management is handled by a web portal, you may never interact with Keystone directly.
- For simple personal projects, you might use a single project and user, making advanced Keystone features like domain hierarchy unnecessary.
- If your organization has very basic access needs, you may not need to configure role-based access control beyond the default roles.
Real-World Example
Company A runs an e-commerce platform on an OpenStack private cloud. The development team needs access to create and destroy test instances frequently. The production team needs read access to monitor systems but should not be able to delete anything. The finance team needs to view usage reports but has no need to access compute resources at all.
The cloud administrator configures Keystone as follows:
- Creates three projects: Development, Production, and Finance.
- Creates user accounts and assigns them to appropriate projects.
- Assigns the "member" role to developers in the Development project, allowing them to manage instances.
- Assigns a custom "observer" role to production staff, granting read-only access.
- Assigns the "reader" role to finance staff in all projects, allowing them to view billing and usage data.
When a developer logs into Horizon, Keystone authenticates their credentials and returns a token scoped to the Development project with member privileges. The developer can then create instances within Development but cannot see or modify resources in Production.
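To make the flow in "What Does Keystone Actually Do?" and the Company A example concrete, here is a small Python model of the token, role and policy checks described above. It is an added illustration, not Keystone's own code or API: the users, passwords, endpoint URLs and the policy table are constructed, and the policy rules are a simplified stand-in for the per-service policy files a real deployment uses. The clock is injectable so token expiry can be exercised without waiting an hour.

```python
"""Toy model of Keystone's scoped-token and role-based authorization flow.

Constructed example; names, passwords, endpoints and policy rules are
hypothetical and chosen to mirror the Company A scenario on this page.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Role assignments: (user, project) -> roles, following the worked example:
# developers are "member" in Development, production staff hold the custom
# "observer" role, finance staff are "reader" in every project.
ASSIGNMENTS = {
    ("dev1", "Development"): {"member"},
    ("ops1", "Production"): {"observer"},
    ("fin1", "Development"): {"reader"},
    ("fin1", "Production"): {"reader"},
    ("fin1", "Finance"): {"reader"},
}

# Simplified policy table (API action -> roles allowed to call it). Real
# services express these rules in their own policy files; this is a stand-in.
POLICY = {
    "compute:create_server": {"admin", "member"},
    "compute:delete_server": {"admin", "member"},
    "compute:list_servers": {"admin", "member", "observer"},
    "billing:view_usage": {"admin", "reader"},
}

# Service catalog: service type -> endpoint (placeholder hostnames).
CATALOG = {
    "identity": "https://identity.example.invalid:5000/v3",
    "compute": "https://compute.example.invalid:8774/v2.1",
    "network": "https://network.example.invalid:9696",
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds reusable plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Credential store: user -> (salt, password hash). Passwords are constructed.
_SALTS = {user: secrets.token_bytes(16) for user in ("dev1", "ops1", "fin1")}
CREDENTIALS = {
    "dev1": (_SALTS["dev1"], _hash_password("dev-pass", _SALTS["dev1"])),
    "ops1": (_SALTS["ops1"], _hash_password("ops-pass", _SALTS["ops1"])),
    "fin1": (_SALTS["fin1"], _hash_password("fin-pass", _SALTS["fin1"])),
}


class AuthError(Exception):
    """Raised for bad credentials, missing role assignments, or bad tokens."""


@dataclass(frozen=True)
class Token:
    id: str
    user: str
    project: str          # the single project this token is scoped to
    roles: frozenset      # roles the user holds in that project
    expires_at: float     # absolute time, seconds


class KeystoneModel:
    def __init__(self, token_ttl: int = 3600, clock=time.time):
        self.token_ttl = token_ttl    # page: default lifetime is typically one hour
        self.clock = clock
        self._tokens: dict[str, Token] = {}

    def authenticate(self, user: str, password: str, project: str) -> Token:
        """Verify credentials and issue a token scoped to one project."""
        cred = CREDENTIALS.get(user)
        if cred is None or not hmac.compare_digest(
            _hash_password(password, cred[0]), cred[1]
        ):
            raise AuthError("invalid credentials")
        roles = ASSIGNMENTS.get((user, project))
        if not roles:
            # Valid user, but no role in this project: no scoped token.
            raise AuthError(f"{user} has no role assignment in {project}")
        token = Token(
            id=secrets.token_urlsafe(32), user=user, project=project,
            roles=frozenset(roles), expires_at=self.clock() + self.token_ttl,
        )
        self._tokens[token.id] = token
        return token

    def validate(self, token_id: str) -> Token:
        """What a service does with an incoming token before acting on it."""
        token = self._tokens.get(token_id)
        if token is None:
            raise AuthError("unknown token")
        if self.clock() >= token.expires_at:
            del self._tokens[token_id]
            raise AuthError("token expired; re-authenticate")
        return token

    def enforce(self, token_id: str, action: str) -> bool:
        """Policy check: does any role on the token permit this action?"""
        token = self.validate(token_id)
        return bool(token.roles & POLICY.get(action, set()))

    def endpoint(self, service_type: str) -> str:
        """Service catalog lookup: where to send requests for a service."""
        return CATALOG[service_type]
```

The scoping rule is the part worth noticing: a developer with a valid password still cannot obtain a token for Production, because Keystone only issues a scoped token where a role assignment exists, and every later policy decision is made against the roles carried by that token rather than against the user account.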
Frequently Asked Questions
What happens if Keystone goes down?
All OpenStack services depend on Keystone for authentication. If Keystone becomes unavailable, users cannot log in, CLI commands fail, and services cannot validate existing tokens. Running Keystone in a highly available configuration with multiple nodes prevents this single point of failure.
Can I use my existing corporate directory with Keystone?
Yes. Keystone supports federation with external identity providers including LDAP, Active Directory, and SAML-based systems. This allows users to authenticate with their existing corporate credentials instead of maintaining separate OpenStack passwords.
What is the difference between a domain and a project in Keystone?
A domain is a top-level container that groups projects and users for administrative purposes. A project is a resource container within a domain where instances, volumes, and networks are created. Large organizations use domains to separate business units, with each domain containing multiple projects.
How long do Keystone tokens last?
Token expiration is configurable. The default is typically one hour. After a token expires, users must re-authenticate to get a new one. Shorter token lifetimes improve security but require more frequent authentication.
What roles does Keystone provide by default?
Keystone includes default roles such as "admin", "member", and "reader". Cloud administrators can create custom roles and define policies that specify exactly which API actions each role can perform. The specific permissions depend on the policy files configured for each OpenStack service.
Summary
- Keystone is the OpenStack identity service responsible for authentication, authorization, and service discovery.
- It issues tokens that prove user identity and authorize access to specific projects and resources.
- All OpenStack services rely on Keystone to validate API requests and enforce access policies.
- Keystone manages users, groups, projects, domains, and roles in a centralized location.
- It maintains a service catalog so clients know where to find each OpenStack service endpoint.
Related Terms
OpenStack API
The OpenStack API is a collection of RESTful HTTP interfaces that allow applications and tools to programmatically manage cloud resources including instances, networks, storage, and identity services.
API Credential
An API credential is authentication information that identifies and authorizes a user or application to access cloud services programmatically through an API.
