Difference between revisions of "Keystone"
| Line 18: | Line 18: | ||
** [https://github.com/openstack/keystone/blob/master/keystone/content/service/RAX-KSGRP-service-devguide.pdf Extensions](calls that are specific to the implementation; ie: enabling company "ACME" user, role, and group structure) | ** [https://github.com/openstack/keystone/blob/master/keystone/content/service/RAX-KSGRP-service-devguide.pdf Extensions](calls that are specific to the implementation; ie: enabling company "ACME" user, role, and group structure) | ||
* Essex (Keystone is part of [[OpenStack]] core for Essex) | * Essex (Keystone is part of [[OpenStack]] core for Essex) | ||
| − | ** Call for blueprints ( | + | ** Call for blueprints (feature freeze by '''start '''of e-2; code freeze by start of e-4: [[EssexReleaseSchedule|http://wiki.openstack.org/EssexReleaseSchedule]]) |
*** [[Keystone-Essex-BP-UserStructure|User structure]] ([https://blueprints.launchpad.net/keystone/+spec/essex-keystone-user-structure blueprint]) | *** [[Keystone-Essex-BP-UserStructure|User structure]] ([https://blueprints.launchpad.net/keystone/+spec/essex-keystone-user-structure blueprint]) | ||
*** [[Keystone-Essex-BP-AuthZ|Full AuthZ structure]] ([https://blueprints.launchpad.net/keystone/+spec/essex-keystone-authz-structure blueprint]) | *** [[Keystone-Essex-BP-AuthZ|Full AuthZ structure]] ([https://blueprints.launchpad.net/keystone/+spec/essex-keystone-authz-structure blueprint]) | ||
Revision as of 20:39, 27 September 2011
What is Keystone?
Keystone is the identity service used by OpenStack for authentication (authN) and high-level authorization (authZ). It currently supports token-based authN and user-service authorization. It is scalable to include oAuth, SAML and openID in future versions. Out of the box, Keystone uses a SQLite DB as an identity store with the option to connect to external LDAP.
Doc
Code
Releases
- Diablo
- Core functionality (calls shared by all implementations)
- Extensions(calls that are specific to the implementation; ie: enabling company "ACME" user, role, and group structure)
- Essex (Keystone is part of OpenStack core for Essex)
- Call for blueprints (feature freeze by start of e-2; code freeze by start of e-4: http://wiki.openstack.org/EssexReleaseSchedule)
- Scopes
- SCIM protocol (blueprint)
- Service endpoint location (https://blueprints.launchpad.net/keystone/+spec/service-endpoint-location)
- Federated Auth-Z requirements for Zones - FederatedAuthZwithZones
- The Service (ie: nova) shouldn't really care about the Role of the user. But we should be able to go back to the Auth-Z service to say "Can <token> [execute verb] on <some resource>" and get back a True/False from keystone. Nova itself, for example, shouldn't have to remember what capabilities a role has. But this may be cached.
- Identifying full-path URI for Keystone-Token (Keystone-Essex-Federated-Token)
- SQL schema migrations (ie - sqlalchemy-migrate migrations).
