One of the most impactful decisions you’ll have to make when configuring keystone is deciding how you want keystone to source your identity data. Keystone supports several different choices that will substantially impact how you’ll configure, deploy, and interact with keystone.
You can also mix-and-match various sources of identity (see Domain-specific Configuration for an example). For example, you can store OpenStack service users and their passwords in SQL, manage customers in LDAP, and authenticate employees via SAML federation.
| Feature | Status | REMOTE_USER | LDAP | OAuth v1.0a | OpenID Connect | SAML v2 | SQL |
|---|---|---|---|---|---|---|---|
| Local authentication | optional | ✖ | ✔ | ✔ | ✖ | ✖ | ✔ |
| External authentication | optional | ✔ | ✖ | ✖ | ✔ | ✔ | ✖ |
| Identity management | optional | ✖ | ✔ | ✔ | ✖ | ✖ | ✔ |
| PCI-DSS controls | optional | ✔ | ✔ | ✖ | ✖ | ✖ | ✔ |
| Auditing | optional | ✖ | ✔ | ✖ | ✔ | ✔ | ✔ |
- Local authentication. Status: optional. Authenticate with keystone by providing credentials directly to keystone.
- External authentication. Status: optional. Authenticate with keystone by providing credentials to an external system that keystone trusts (as with federation).
- Identity management. Status: optional. Create, update, enable/disable, and delete users via keystone's HTTP API.
- PCI-DSS controls. Status: optional. Configure keystone to enforce PCI-DSS compliant security controls.
- Auditing. Status: optional. Audit authentication flows using PyCADF.

Per-driver support for each feature is shown in the table above. The source grades driver support as complete, partial or missing; for identity management and the PCI-DSS controls some drivers are graded partial, so a ✔ in those rows does not always mean complete support.

Keystone supports a customizable public ID generator, specified in the [identity_mapping] section of the configuration file. Keystone provides a sha256 generator as the default, which produces regenerable public IDs. The generator algorithm for public IDs is a balance between key size (i.e. the length of the public ID), the probability of collision and, in some circumstances, the security of the public ID. The maximum length of public ID supported by keystone is 64 characters, and the default generator (sha256) uses this full capability. Since the public ID is what is exposed externally by keystone and potentially stored in external systems, some installations may wish to make use of other generator algorithms that have a different trade-off of attributes. A different generator can be installed by configuring the following property:

generator - identity mapping generator. Defaults to sha256 (implemented by keystone.identity.id_generators.sha256.Generator)

Warning: Changing the generator may cause all existing public IDs to become invalid, so typically the generator selection should be considered immutable for a given installation.
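The following is an added illustration, not keystone's own generator code: a sha256-style regenerable public ID generator in the spirit of the default, a hypothetical shorter-ID alternative, and a check that shows why switching generators invalidates every existing public ID. The fields hashed and their order are assumptions made for the example.

```python
import hashlib

# Added illustration, not keystone's own code. Which mapping fields are hashed
# and in what order is an assumption for this example.


def sha256_public_id(mapping):
    """Derive a deterministic 64-hex-character public ID from a mapping record.

    Hashing the record's values in sorted key order makes the ID regenerable:
    the same (domain_id, local_id, entity_type) always yields the same ID, so
    the mapping table can be rebuilt instead of having to be preserved.
    """
    h = hashlib.sha256()
    for key in sorted(mapping):
        h.update(mapping[key].encode("utf-8"))
    return h.hexdigest()


def short_public_id(mapping, length=16):
    """Hypothetical alternative generator: shorter IDs, higher collision risk."""
    return sha256_public_id(mapping)[:length]


def ids_invalidated_by(records, old_generator, new_generator):
    """Return the records whose public ID would change under new_generator.

    A non-empty result means every external system that stored the old IDs
    would break, which is why the generator choice is treated as immutable.
    """
    return [r for r in records if old_generator(r) != new_generator(r)]


# Constructed sample mapping records (not real deployment data).
SAMPLE_RECORDS = [
    {"domain_id": "d1", "local_id": "cn=alice,ou=users", "entity_type": "user"},
    {"domain_id": "d1", "local_id": "cn=ops,ou=groups", "entity_type": "group"},
    {"domain_id": "d2", "local_id": "cn=alice,ou=users", "entity_type": "user"},
]
```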
A secure deployment should have keystone running in a web server (such as Apache httpd), or behind an SSL terminator.
Keystone provides a method of setting a limit to the number of entities
returned in a collection, which is useful to prevent overly long response times
for list queries that have not specified a sufficiently narrow filter. This
limit can be set globally by setting list_limit in the default section of
keystone.conf, with no limit set by default. Individual driver sections may
override this global value with a specific limit, for example:
```ini
[resource]
list_limit = 100
```
If a response to list_{entity} call has been truncated, then the response
status code will still be 200 (OK), but the truncated attribute in the
collection will be set to true.
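Because a truncated list still returns 200 (OK), a script that only checks the status code will treat a partial collection as complete. The following is an added example, not part of the keystone docs or code base, of client-side handling that checks the truncated attribute; the response bodies are constructed samples.

```python
import json

# Constructed sample responses to a list_{entity} call (not captured from a
# real server). The entity key plus "truncated" follow the documented shape.
SAMPLE_TRUNCATED = json.dumps({
    "users": [{"id": "u1", "name": "alice"}, {"id": "u2", "name": "bob"}],
    "truncated": True,
    "links": {"self": "http://localhost:5000/v3/users"},
})
SAMPLE_COMPLETE = json.dumps({
    "users": [{"id": "u1", "name": "alice"}],
    "links": {"self": "http://localhost:5000/v3/users"},
})


class TruncatedCollection(Exception):
    """Raised when a list response was cut off by list_limit."""


def parse_collection(body, entity, strict=True):
    """Return (items, truncated) from a keystone collection response.

    The HTTP status is 200 even when the collection was truncated, so an
    inventory or access-review job that only checks the status would report a
    partial user list as the full one. With strict=True the caller is forced
    to notice and narrow its filter (or raise list_limit).
    """
    doc = json.loads(body)
    items = doc[entity]
    truncated = bool(doc.get("truncated", False))
    if truncated and strict:
        raise TruncatedCollection(
            f"{entity} list truncated after {len(items)} entries; "
            "narrow the query filter or raise list_limit")
    return items, truncated
```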
There are two supported clients: the python-keystoneclient project provides Python bindings, and python-openstackclient provides a command-line interface.

To authenticate with keystone using a password and python-openstackclient, set the following flags. Note that the user referenced below should be granted the admin role.

- --os-username OS_USERNAME: Name of your user
- --os-password OS_PASSWORD: Password for your user
- --os-project-name OS_PROJECT_NAME: Name of your project
- --os-auth-url OS_AUTH_URL: URL of the keystone authentication server

You can also set these variables in your environment so that they do not need to be passed as arguments each time:

```console
$ export OS_USERNAME=my_username
$ export OS_PASSWORD=my_password
$ export OS_PROJECT_NAME=my_project
$ export OS_AUTH_URL=http://localhost:5000/v3
```
For example, the commands user list, token issue and project create can be invoked as follows:

```console
# Using password authentication, with environment variables
$ export OS_USERNAME=admin
$ export OS_PASSWORD=secret
$ export OS_PROJECT_NAME=admin
$ export OS_AUTH_URL=http://localhost:5000/v3
$ openstack user list
$ openstack project create demo
$ openstack token issue

# Using password authentication, with flags
$ openstack --os-username=admin --os-password=secret --os-project-name=admin --os-auth-url=http://localhost:5000/v3 user list
$ openstack --os-username=admin --os-password=secret --os-project-name=admin --os-auth-url=http://localhost:5000/v3 project create demo
```
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.