OpenStack Keystone
OpenStack Keystone is the identity service component of the OpenStack cloud platform that provides authentication, authorization, and service catalog functions for OpenStack deployments (identity and access management).
- Centralized user and service authentication for OpenStack APIs (identity and access management)
- Token issuance and validation for OpenStack services (authentication and session management)
- Role-Based Access Control (RBAC) across projects and domains (authorization and policy enforcement)
- Service catalog listing available OpenStack services and their endpoints (service discovery and routing)
- Integration with external identity providers such as LDAP and federated identity systems (identity federation and directory integration)
More About OpenStack Keystone
OpenStack Keystone is the identity service within the OpenStack ecosystem, designed to provide a common authentication and authorization layer for users, services, and applications interacting with an OpenStack cloud (identity and access management). It addresses the need for a unified security and identity control plane in multi-tenant infrastructure, where multiple OpenStack services expose APIs and require consistent credential, token, and policy handling.
At its core, Keystone manages user and group identities, credentials, and role assignments across projects and domains (directory and access control). It issues tokens that clients present in the X-Auth-Token header when calling OpenStack services such as compute, networking, and storage; those services validate each token against Keystone, normally through the keystonemiddleware auth_token filter in their API pipelines (API security). Keystone supports more than one token provider: Fernet tokens, the default, are symmetrically encrypted payloads carrying the user, scope and expiry and require no token table in the database, while JWS tokens are asymmetrically signed; the older UUID and PKI formats have been removed. Because every Keystone node must hold the same Fernet key repository, rotating and distributing those keys is an operational security task in its own right. Keystone exposes RESTful APIs (currently version v3) for authentication, authorization, and catalog queries (web and cloud APIs).
Keystone implements RBAC through role assignments: a role is granted to a user or group on a project, a domain, or the whole system, and the roles that apply to a token's scope are embedded in the token (authorization and policy management). The policy decision itself is made by each OpenStack service, which evaluates oslo.policy rules, historically kept in policy.json and now in policy.yaml, against the roles, user, project and domain established by a validated token; Keystone enforces policy only for its own identity API. Since the Rocky release, Keystone's bootstrap creates the default roles admin, member and reader, with admin implying member and member implying reader, so that services can ship sensible default rules. This provides centralized, configurable access controls that can be aligned with organizational security models, with the caveat that a rule left at a permissive default in one service undermines the restrictions configured in another.
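To make the rule semantics concrete, here is a small evaluator for rule strings in the oslo.policy style. It is an added example written for this page, not oslo.policy or any OpenStack service's code: it re-implements only the subset of the grammar used below (role:, rule:, attribute:%(target)s, and, or, the always-true rule "" and the never-true rule "!"), without parentheses or the remote http:/https: checks. The policy targets, rule names and credential dictionaries are constructed for the example.

```python
"""Minimal evaluator for oslo.policy-style rule strings (added example,
not oslo.policy itself; supports a subset of the grammar)."""
import re

# Constructed policy, in the key/value shape of a policy.yaml file.
# Target names such as "compute:start_server" are hypothetical.
POLICY = {
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "project_member": "role:member and project_id:%(project_id)s",
    "identity:get_user": "rule:admin_or_owner",
    "compute:start_server": "rule:admin_required or rule:project_member",
    "identity:list_regions": "",    # empty rule: any caller with a valid token
    "identity:delete_domain": "!",  # bang rule: nobody, whatever their roles
}

_TARGET_REF = re.compile(r"%\((\w+)\)s")


def _check_atom(atom, creds, target, policy):
    """Evaluate one 'kind:value' check.

    creds holds what a validated token establishes about the caller
    (user_id, project_id, roles); target describes the object acted on.
    """
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Named rule reference; an unknown name raises, which fails closed.
        return evaluate(policy[value], creds, target, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: a credential attribute must equal either a literal
    # or a target attribute referenced as %(name)s.
    ref = _TARGET_REF.fullmatch(value)
    expected = target.get(ref.group(1)) if ref else value
    actual = creds.get(kind)
    return expected is not None and actual is not None and str(actual) == str(expected)


def evaluate(expr, creds, target, policy=POLICY):
    """'or' binds loosest and 'and' tighter, as in oslo.policy."""
    expr = expr.strip()
    if expr == "":
        return True
    if expr == "!":
        return False
    return any(
        all(_check_atom(atom.strip(), creds, target, policy)
            for atom in conjunction.split(" and "))
        for conjunction in expr.split(" or ")
    )


def enforce(action, creds, target, policy=POLICY):
    """True if the caller described by creds may perform action on target."""
    if action not in policy:
        # Fail closed: an action with no rule must not be silently permitted.
        raise KeyError(f"no policy rule for {action!r}")
    return evaluate(policy[action], creds, target, policy)


if __name__ == "__main__":
    member = {"user_id": "u2", "project_id": "p1", "roles": ["member"]}
    outsider = {"user_id": "u3", "project_id": "p2", "roles": ["member"]}
    print(enforce("identity:get_user", member, {"user_id": "u2"}))         # True (owner)
    print(enforce("identity:get_user", outsider, {"user_id": "u2"}))       # False
    print(enforce("compute:start_server", outsider, {"project_id": "p1"}))  # False
```

The point to carry over to real deployments is the last branch of evaluate: roles only gate what the rule text says they gate, and a target-attribute check such as project_id:%(project_id)s is what stops a member of one project acting on another project's resources.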
Another core function of Keystone is the service catalog (service discovery). The catalog maps logical service types (for example compute, network, or image) to one or more endpoint URLs, each tagged with a region and an interface (public, internal, or admin), so that clients and other services can discover where to send API requests. The response to a successful authentication carries the catalog alongside the token unless the client asks for it to be omitted with the nocatalog query parameter, so a client can locate every service available to its scope in a single round trip. Because the catalog decides where clients send their tokens, its endpoint entries should point only at TLS-protected URLs and the ability to change them should be restricted to catalog administrators.
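The following is an added example, not code from the Keystone project, showing the two halves of that exchange: the body a client POSTs to /v3/auth/tokens for a project-scoped token using the password method, and how a client reads roles, expiry and a service endpoint out of the response body. The token response is constructed for the example (hostnames under .example.test, a fixed expiry), not captured from a real deployment; in a real exchange the token ID itself arrives in the X-Subject-Token response header rather than in the body.

```python
"""Keystone v3 password-auth request body and catalog lookup (added example;
the response below is constructed, not captured from a deployment)."""
import json
from datetime import datetime, timezone


def password_auth_request(username, password, user_domain, project, project_domain):
    """Body for POST /v3/auth/tokens requesting a project-scoped token."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": {
                "project": {"name": project, "domain": {"name": project_domain}}
            },
        }
    }


# Constructed response body in the shape Keystone returns for a scoped token.
TOKEN_RESPONSE = {
    "token": {
        "expires_at": "2030-01-01T00:00:00.000000Z",
        "project": {"id": "a1b2c3", "name": "demo",
                    "domain": {"id": "default", "name": "Default"}},
        "roles": [{"id": "r1", "name": "member"}, {"id": "r2", "name": "reader"}],
        "catalog": [
            {"type": "identity", "name": "keystone", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "https://keystone.example.test:5000/v3"},
                {"interface": "internal", "region": "RegionOne",
                 "url": "http://keystone.internal.example.test:5000/v3"},
            ]},
            {"type": "compute", "name": "nova", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "https://nova.example.test:8774/v2.1"},
                {"interface": "public", "region": "RegionTwo",
                 "url": "https://nova.r2.example.test:8774/v2.1"},
            ]},
        ],
    }
}


def token_is_expired(response, now=None):
    """expires_at is ISO 8601 UTC with microseconds and a trailing Z."""
    expires = datetime.strptime(
        response["token"]["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ"
    ).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return now >= expires


def role_names(response):
    """Role names the token carries for its scope, sorted for stable comparison."""
    return sorted(r["name"] for r in response["token"]["roles"])


def find_endpoint(response, service_type, interface="public", region=None):
    """Resolve a service type to exactly one endpoint URL from the catalog.

    Refuses to guess: no match, or several matches when no region was
    requested, raises LookupError rather than returning an arbitrary URL.
    """
    matches = [
        ep["url"]
        for svc in response["token"]["catalog"]
        if svc["type"] == service_type
        for ep in svc["endpoints"]
        if ep["interface"] == interface and (region is None or ep["region"] == region)
    ]
    if not matches:
        raise LookupError(f"no {interface} endpoint for {service_type!r} in region {region!r}")
    if len(matches) > 1:
        raise LookupError(f"ambiguous {interface} endpoint for {service_type!r}: specify a region")
    return matches[0]


if __name__ == "__main__":
    print(json.dumps(password_auth_request("alice", "s3cret", "Default", "demo", "Default"), indent=2))
    print(role_names(TOKEN_RESPONSE))
    print(find_endpoint(TOKEN_RESPONSE, "compute", region="RegionOne"))
```

The ambiguity check in find_endpoint is deliberate: a multi-region catalog with a client that silently takes the first compute endpoint is a common source of requests, and tokens, going to the wrong region.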
For enterprise environments, Keystone supports integration with external identity backends such as LDAP directories, and with federated identity protocols such as SAML 2.0 and OpenID Connect, through pluggable identity drivers and its federation API (enterprise directory integration and Single Sign-On (SSO)). With LDAP, Keystone reads users and groups from the directory, typically read-only and scoped to one domain, while projects and role assignments stay in Keystone's own database. With federation, a mapping ruleset translates the attributes asserted by the identity provider into local users and group memberships, and role assignments on projects and domains then follow from those groups. Keystone's multi-domain model enables separation of identity and resource ownership boundaries across business units or tenants, and allows each domain to use a different identity backend.
Operationally, Keystone is deployed as a network-accessible API service, often behind load balancers and with database and cache backends for persistence and performance (infrastructure service component). It interacts closely with all other OpenStack core services, which rely on Keystone for token validation, for the role data that drives their policy checks, and for endpoint discovery. Because a token issued by Keystone is honoured by every service in the cloud, a compromise of Keystone, its database, or its Fernet key repository affects the whole deployment, and those components warrant the same protection as the credentials they derive. In a technical taxonomy, OpenStack Keystone fits in the identity and access management category for cloud infrastructure platforms and acts as the central authentication and authorization broker in OpenStack-based private or public clouds.