Jump to: navigation, search

Difference between revisions of "Keystone"

Line 18: Line 18:
 
== Documentation ==
 
== Documentation ==
 
* [http://docs.openstack.org/api/openstack-identity-service/2.0/content/ Identity API (v2) specification]
 
* [http://docs.openstack.org/api/openstack-identity-service/2.0/content/ Identity API (v2) specification]
 +
* [https://docs.google.com/document/d/1gI_OEc_ZybuKFMGkQwELbkClqoIXsR3Fi8wqH2DvX-I/edit draft4 v3 Identity API]
  
 
== What is Keystone? ==
 
== What is Keystone? ==
Line 83: Line 84:
 
* Folsom
 
* Folsom
 
** [[KeystoneFolsomSummitTopics|Summit Topics]]
 
** [[KeystoneFolsomSummitTopics|Summit Topics]]
 
+
* Grizzly
Originally Scheduled for Essex:
 
 
 
* [[Keystone-Essex-BP-UserStructure|User structure]] ([https://blueprints.launchpad.net/keystone/+spec/essex-keystone-user-structure blueprint])
 
* [[Keystone-Essex-BP-AuthZ|Full AuthZ structure]] ([https://blueprints.launchpad.net/keystone/+spec/essex-keystone-authz-structure blueprint])
 
* [[AuthZ - Explicit Capability Mapping]]
 
* [[AuthZ - Empty Roles]]
 
* [[AuthZ - Restricted Roles]]
 
* [[Keystone-Essex-Scopes|Scopes]]
 
* [http://www.simplecloud.info/ SCIM protocol] (blueprint)
 
* Service endpoint location (https://blueprints.launchpad.net/keystone/+spec/service-endpoint-location)
 
* Federated Auth-Z requirements for Zones - [[FederatedAuthZwithZones]]
 
* The Service (ie: nova) shouldn't really care about the Role of the user. But we should be able to go back to the Auth-Z service to say "Can <token> [execute verb] on <some resource>" and get back a True/False from keystone. Nova itself, for example, shouldn't have to remember what capabilities a role has. But this may be cached.
 
* Identifying full-path URI for Keystone-Token [[Keystone-Essex-Federated-Token|(Keystone-Essex-Federated-Token]])
 
* SQL schema migrations (ie - sqlalchemy-migrate migrations).
 

Revision as of 16:58, 24 September 2012

OpenStack Identity ("Keystone")

Source code
Bug tracker
Blueprints
Developer doc

Related projects

  • Python Keystone client
  • Identity API documentation

Documentation

What is Keystone?

Keystone is the identity service used by OpenStack for authentication (authN) and high-level authorization (authZ). It currently supports token-based authN and user-service authorization. It has recently been rearchitected to allow for expansion to support proxying external services and AuthN/AuthZ mechanisms such as oAuth, SAML and openID in future versions.

Meetings

Doc

Code

Bugs and Blueprints

  • keystone bugs
  • keystone client bugs
  • blueprints
  • bugs tags
    • blueprint (implies bug indicates a needed feature or function, can be migrated to a blueprint)
    • python-keystoneclient (related to the client end of keystone)
    • legacy (existing prior to the feb14, 2012 rebaseline of the code)
    • gsoc (appropriate for a google summer of code project effort)
    • low-hanging-fruit (easy piece for someone to get started with, minimal design needed to solve)
  • importance meanings
    • critical (bug renders the system non-functional)
    • high (bug we want resolved before the next release)
    • medium/low (general issue bug or annoyance, perhaps requiring significant design change to implement or new features needed to resolve)
    • wishlist (nice to have)

Use Cases

Essex Roadmap (as per current discussions in OpenStack Design Summit in Boston - October 2011):

  1. RBAC (with Dashboard and core project integration) <
    >
  2. Reset baseline of code
    • expandability, future development
  3. Stability
    • Performance
    • Deployability
    • Documentation

Topics for Folsom: KeystoneFolsomSummitTopics

Releases