Keystone
Keystone is the OpenStack Identity service that provides authentication, authorization, and service discovery for OpenStack-based clouds (identity and access management).
- Centralized authentication for users and services (identity and access management).
- Token issuance and validation for Application Programming Interface (API) access control (access control).
- Role-Based Access Control (RBAC) to OpenStack resources (authorization and policy management).
- Service catalog for endpoint discovery of OpenStack services (service discovery and service registry).
- Integration with external identity providers via pluggable back ends (federated identity and directory integration).
More About Keystone
Keystone is the Identity service for OpenStack, responsible for providing authentication, authorization, and service discovery for OpenStack cloud deployments (identity and access management). It addresses the need for a central service that issues and validates credentials, manages user and project information, and exposes a consistent API for identity-related operations across distributed OpenStack components.
The service offers several core capabilities. It authenticates users and services using multiple credential types, including passwords, tokens, and, depending on configuration, external identity assertions (authentication). It issues scoped tokens that represent authenticated identity and associated authorization context, and validates those tokens when other OpenStack services receive API requests (access control). Keystone also manages role assignments over projects and domains, enabling RBAC to govern what operations a user or service account can perform (authorization and policy management). In addition, it exposes a service catalog that lists available OpenStack services and their API endpoints, allowing clients to discover where to send requests (service discovery and service registry).
Keystone is designed with a modular back-end architecture. Identity information, such as users, groups, and domains, can be stored in different back ends, including Structured Query Language (SQL) databases or directory services, depending on deployment configuration (directory integration). The assignment back end stores role grants and project or domain relationships, while separate catalog and policy back ends manage service endpoint definitions and access policies. Keystone also supports federation, allowing integration with external identity providers using standard web-based protocols and assertions, so that users authenticated elsewhere can obtain tokens for OpenStack services (federated identity).
In enterprise environments, Keystone operates as the central identity authority for OpenStack clouds, whether private, public, or hybrid. Other OpenStack services, such as compute, block storage, and networking, rely on Keystone to authenticate incoming API requests and to obtain authorization decisions based on roles and projects. Administrators interact with Keystone through its Representational State Transfer (REST) API or via higher-level tools that invoke Keystone APIs to manage users, projects, domains, groups, and role assignments.
From an architectural perspective, Keystone typically runs as a highly available service behind a web server or Web Server Gateway Interface (WSGI) container, often fronted by load balancers in production deployments. It uses a relational database or other configured back ends to store persistent data, and it can rely on message queues or caches where operators configure them for scaling and performance. Keystone’s API and token model are part of the OpenStack ecosystem’s core contracts, providing a consistent identity interface across services. In a technical directory, Keystone is categorized as an identity and access management service, with functions in authentication, authorization, token-based access control, service catalog management, and federated identity integration for OpenStack environments.