OpenStack Keystone Identity Service

Keystone is the identity service for OpenStack. Every API call to every OpenStack service passes through Keystone for authentication and authorization. It is the first service deployed and the last decommissioned. If Keystone is down, the entire cloud is down.

Keystone provides five core functions: identity (users, groups), resources (projects, domains), assignment (roles mapped to users on projects), token (authentication proof with configurable lifetime), and catalog (service endpoint registry). Understanding Keystone means understanding how every OpenStack service discovers and trusts every other service.

Deploy

Kolla-Ansible Configuration

globals.yml settings:

# Required -- set strong passwords
keystone_admin_password: "{{ vault_keystone_admin_password }}"
keystone_database_password: "{{ vault_keystone_database_password }}"