OpenStack's Keystone.

  1. Identity - represents a user. Identities can be stored internally, but the docs suggest using an external identity provider in a production enterprise environment. LDAP or AD is advised because the built-in password support is weak (no password rotation and no password recovery).
  2. Authentication - the process of validating a user's identity (aka the login process). Here too the docs suggest LDAP or AD in a production enterprise environment. Authentication generates a bearer token with an expiry, and it is the developer's responsibility to protect this token.
  3. Authorization - determines which resources can be accessed with the token. It maps a user's role to domain(s) or project(s). A policy engine evaluates the information about the user and role to allow or reject the user's actions.
  4. Projects - an abstraction used by OpenStack services to group and isolate resources. A project is not owned by users; instead, a concept called Role Assignment gives users/groups access to the project (aka a grant).
  5. Domain - an abstraction used to isolate visibility. Each organization can only see its own users, groups and projects (aka multi-tenancy).
  6. Users & User Groups - entities that are given access to resources. Groups are collections of users. Actors comprise users and groups.
  7. Roles - what an actor is authorized to do, e.g. the admin role is assigned to john on project A.
  8. Assignment - a role assignment (grant or revoke) is a combination of an actor, a target and a role.
  9. Target - what a role is assigned on; usually refers to Projects or Domains.
  10. Token - a data structure; for Keystone it is in JSON format. It contains required information such as the issue date, expiry, ids and any other information required to authorize access.
  11. Catalog - also in JSON format; contains URLs and endpoints. It allows apps to locate and access resources.
  12. Multiple Identity Providers - available since the Juno release.
  13. External Identity Providers - use Federated Authentication. Backend software (LDAP, AD) or social login (Google, Facebook, Twitter). Supported protocols are SAML and OpenID Connect. Get an extension from GitHub for OAuth2 support.
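Worked example of items 3 and 6-10 above (actor/target/role assignments resolved through group membership, an expiring bearer token, and a deny-by-default policy check). This is an added illustration, not Keystone's own code: the user, group, project and domain names are constructed, and the policy rules use only the "role:x or role:y" fragment of the oslo.policy syntax.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Assignment:
    """Keystone grant triple: actor (user or group), target (project or domain), role."""
    actor: str
    target: str
    role: str

# Constructed sample data (hypothetical names): john holds admin directly on
# project A; the "auditors" group holds reader on domain Org1.
GROUPS = {"auditors": {"alice", "john"}}
ASSIGNMENTS = [
    Assignment("john", "project:A", "admin"),
    Assignment("auditors", "domain:Org1", "reader"),
]

# Policy rules in a small subset of the oslo.policy syntax: "role:x or role:y".
POLICY = {
    "identity:list_users": "role:admin",
    "identity:get_user": "role:admin or role:reader",
    "compute:start": "role:admin or role:member",
}

def effective_roles(user, target, assignments=ASSIGNMENTS, groups=GROUPS):
    """Roles a user holds on a target, directly or via group membership."""
    actors = {user} | {g for g, members in groups.items() if user in members}
    return {a.role for a in assignments if a.actor in actors and a.target == target}

def token_is_valid(token, now=None):
    """A bearer token is only usable before its expiry (now: ISO-8601 string or None)."""
    now_ts = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    return now_ts < datetime.fromisoformat(token["expires_at"])

def is_allowed(token, target, action, policy=POLICY, now=None):
    """Valid token and effective roles satisfy the rule; unknown actions are denied."""
    if not token_is_valid(token, now):
        return False
    rule = policy.get(action)
    if rule is None:
        return False  # deny by default
    roles = effective_roles(token["user"], target)
    wanted = {term.strip().removeprefix("role:") for term in rule.split(" or ")}
    return bool(roles & wanted)

# Constructed token for john: issued and expiring at fixed UTC instants.
JOHN_TOKEN = {"user": "john", "issued_at": "2024-01-01T00:00:00+00:00",
              "expires_at": "2024-01-01T01:00:00+00:00"}
```

Note that john's reader role on domain Org1 comes only through the auditors group, so an admin-only action on that domain is refused even though he is admin on project A.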