Keystone, the OpenStack Identity Service
Keystone is an OpenStack service that provides API client authentication, service discovery, and distributed multi-tenant authorization by implementing OpenStack’s Identity API.
This documentation is primarily targeted towards contributors of the project, and assumes that you are already familiar with Keystone from an end-user perspective; however, end users, deployers, and operators will also find it useful.
This documentation is generated by the Sphinx toolkit and lives in the source tree. Also see the Getting Involved page for other ways to interact with the community.
Getting Started
Configuration
- Configuring Keystone
- Config Files
- Bootstrapping Keystone with keystone-manage bootstrap
- Bootstrapping Keystone with ADMIN_TOKEN
- Setting up other OpenStack Services
- Identity sources
- Authentication Plugins
- Token Drivers and Providers
- Encryption Keys for Fernet Tokens
- Caching Layer
- Certificates for PKI
- Service Catalog
- Endpoint Filtering
- Endpoint Policy
- Logging
- SSL
- OAuth1 1.0a
- Revocation Events
- Token Binding
- Limiting list return size
- URL safe naming of projects and domains
- Health Check middleware
- API protection with Role Based Access Control (RBAC)
- Preparing your deployment
- keystone-manage
- Removing Expired Tokens
- Supported clients
- Using an LDAP server
- Credential Encryption
Advanced Topics
Developers Documentation
- Best Practices
- Setting up Keystone
- Configuring Keystone
- Running Keystone
- Initializing Keystone
- Interacting with Keystone
- Building the Documentation
- Generating a new Sample Config File
- Release Notes
- Testing Keystone
- Developing doctor checks
- Database Migrations
- Filtering responsibilities between controllers and drivers
- Entity list truncation by drivers
- Identity entity ID management between controllers and drivers
- Translated responses
- Caching Layer