Configuring Keystone¶
Identity sources¶
One of the most impactful decisions you’ll have to make when configuring keystone is deciding how you want keystone to source your identity data. Keystone supports several different choices that will substantially impact how you’ll configure, deploy, and interact with keystone.
You can also mix-and-match various sources of identity (see Domain-specific Configuration for an example). For example, you can store OpenStack service users and their passwords in SQL, manage customers in LDAP, and authenticate employees via SAML federation.
Summary
| Feature | Status | LDAP | OAuth v1.0a | OpenID Connect | REMOTE_USER | SAML v2 | SQL |
|---|---|---|---|---|---|---|---|
| Local authentication | optional | ✔ |
✔ |
✖ |
✖ |
✖ |
✔ |
| External authentication | optional | ✖ |
✖ |
✔ |
✔ |
✔ |
✖ |
| Identity management | optional | ✔ |
✔ |
✖ |
✖ |
✖ |
✔ |
| PCI-DSS controls | optional | ✔ |
✖ |
✖ |
✔ |
✖ |
✔ |
| Auditing | optional | ✔ |
✖ |
✔ |
✖ |
✔ |
✔ |
Details
- Local authentication
Status: optional.
Notes: Authenticate with keystone by providing credentials directly to keystone.
Driver Support:
- LDAP:
complete - OAuth v1.0a:
complete - OpenID Connect:
missing - REMOTE_USER:
missing - SAML v2:
missing - SQL:
complete
- LDAP:
- External authentication
Status: optional.
Notes: Authenticate with keystone by providing credentials to an external system that keystone trusts (as with federation).
Driver Support:
- LDAP:
missing - OAuth v1.0a:
missing - OpenID Connect:
complete - REMOTE_USER:
complete - SAML v2:
complete - SQL:
missing
- LDAP:
- Identity management
Status: optional.
Notes: Create, update, enable/disable, and delete users via Keystone’s HTTP API.
Driver Support:
- LDAP:
partial - OAuth v1.0a:
complete - OpenID Connect:
missing - REMOTE_USER:
missing - SAML v2:
missing - SQL:
complete
- LDAP:
- PCI-DSS controls
Status: optional.
Notes: Configure keystone to enforce PCI-DSS compliant security controls.
Driver Support:
- LDAP:
partial - OAuth v1.0a:
missing - OpenID Connect:
missing - REMOTE_USER:
partial - SAML v2:
missing - SQL:
complete
- LDAP:
- Auditing
Status: optional.
Notes: Audit authentication flows using PyCADF.
Driver Support:
- LDAP:
complete - OAuth v1.0a:
missing - OpenID Connect:
complete - REMOTE_USER:
missing - SAML v2:
complete - SQL:
complete
- LDAP:
Notes:
- This document is a continuous work in progress
