Skip to main content

How OpenStack's Keystone handles authentication and authorization

Take a deep dive into the Keystone Identity service and how it interacts with other services by creating a virtual machine.

OpenStack's Identity service, Keystone, verifies the user's identity and provides information about which resources the user has access to.

The Keystone project provides authentication, authorization, and other services such as delivering the service catalog, as this diagram shows:

Image
basic Keystone service interaction diagram
(Amy Marrich, CC BY-SA 4.0)

It is important to note that the Identity service also provides the authorization for a user between services. For example, does the user have the authority to access a particular image in Glance for Nova and create a virtual machine (VM) from it?

Due to its critical role in authentication, authorization, and managing the catalog of services and their endpoints, the Identity service is the first service installed during an OpenStack deployment.

How the Identity service authenticates

Whether you're using OpenStack's Horizon dashboard or the command-line interface (CLI), requests to the Identity service are made via an API call. In the following diagram, it seems like a fairly easy process with a single call being made and with a single answer received:

Image
basic Authentication overview diagram
(Amy Marrich, CC BY-SA 4.0)

The Identity service's role in launching a VM

Now let's dive deeper into the steps for a user to launch a VM.

[ Learn more OpenStack usage tips by building a lab in five minutes with three simple commands. ]

The following diagram shows that the initial API call authenticates the user's credentials, creates a temporary token for the user, and creates a generic catalog.

Image
basic Initial step to launch a VM
(Amy Marrich, CC BY-SA 4.0)

In the next step, the Identity service replies with the temporary token and the list of tenants the user has access to.

Image
basic User request to launch diagram
(Amy Marrich, CC BY-SA 4.0)

The user then selects the tenant from the provided list and receives a list of services they are authorized to access in that tenant and a token for that tenant. The user then connects to the correct endpoint based on the selected service and sends the token.

Image
basic Response to user from Keystone
(Amy Marrich, CC BY-SA 4.0)

The Identity service then verifies that the token is correct and also that the user has permission to access the requested service (compute, in this case), as well as any other services the compute services might need to access to complete the request.

Image
basic User request to launch
(Amy Marrich, CC BY-SA 4.0)

The Identity service then authorizes the user for the tenant, verifies the token is correct for the request, and confirms the user. The service also verifies the user has the correct permissions for the request based on its own policies.

Image
Keystone provides additional info
(Amy Marrich, CC BY-SA 4.0)

With the user authorized and their permissions verified, the other services involved create the new VM.

Image
Service executes request
(Amy Marrich, CC BY-SA 4.0)

Finally, the compute service informs the user the VM is created and how to connect to it.

Image
Service reports back to the user
(Amy Marrich, CC BY-SA 4.0)

Wrap up

Walking through the process of creating a VM demonstrates where the Identity service fits in with the other services. The authentication and authorization processes Keystone provides make it clear why this service is installed before any of the others when deploying OpenStack.

[ Download now: A system administrator's guide to IT automation.]

Check out these related articles on Enable Sysadmin

Topics:   OpenStack   Authentication   Authorization   Identity  
Author’s photo

Amy Marrich

Amy Marrich is a Principal Technical Marketing Manager at Red Hat. More about me

On Demand: Red Hat Summit 2021 Virtual Experience

Relive our April event with demos, keynotes, and technical sessions from
experts, all available on demand.

Related Content

OUR BEST CONTENT, DELIVERED TO YOUR INBOX