Keystone's identity service pivots around a structured set of entities: projects (tenants), domains, users, groups, roles, and service endpoints. These foundational building blocks are intertwined through hierarchical and relational models that empower robust cloud governance, fine-grained access control, and scalable multi-tenancy. This section delves into their definitions, relationships, CRUD operations, and their collective influence on policy enforcement.
-
Projects (Tenants): A project, historically known as a tenant, functions as a container for resources and acts as a fundamental scope for access control within Keystone. Each project represents an isolated domain of resource ownership-encompassing compute instances, storage volumes, and networking objects. Projects are critical for multi-tenancy, segregating users and resources across organizational or departmental boundaries.
Projects exist within domains, forming a two-level hierarchy: domains contain projects, and projects contain resources. This hierarchy facilitates scalable administration: domains represent administrative boundaries, while projects align with usage or operational groups. Each project has a unique identifier and associated metadata.
CRUD operations for projects include creation, updating attributes (name, description, enabled status), querying project lists by user membership or attributes, and deletion. When a project is deleted, associated resource access is revoked, highlighting the importance of cautious lifecycle management.
-
Domains: A domain is a top-level container for projects, users, and groups, essentially acting as an administrative boundary. Domains enable multi-tenancy at scale by providing namespaces that prevent collisions of project or user identifiers. For example, distinct domains might represent different companies in a public cloud or separate business units within a private cloud.
Domains support the delegation of administrative authority. Domain-scoped administrators can manage users, groups, and projects exclusively within their domain, without affecting others. This separation establishes trust boundaries and simplifies compliance requirements.
Domains also enforce logical grouping of entities, enabling domain-scoped authentication and authorization policies. Deletion of a domain cascades to contained projects, users, and groups, reflecting its top-level container role.
-
Users and Groups: Within Keystone, users represent individual identities that authenticate against the system-typically human operators, service accounts, or automated processes. Each user has unique credentials and metadata attributes such as email and default project. The user lifecycle permits creation, modification (e.g., password reset, attribute updates), listing, and deletion.
Users may be organized into groups to facilitate role assignments and access control. Groups represent collections of users that share common privileges, enabling bulk policy management. Groups are themselves owned by domains and support management operations parallel to those for users.
Adding a user to a group implicitly grants group-level role assignments to that user, providing a powerful mechanism to scale permissions. Conversely, removing users from groups dynamically reduces access.
-
Roles: Roles embody permission sets which, when assigned, define the capabilities of users or groups within a particular scope. Keystone roles are abstract and domain-agnostic permission labels, such as admin, member, or custom roles tailored to business policies.
Role assignments are made within the context of projects or domains, linking a role to a user or group within a particular scope. The combination of subject (user or group), role, and scope forms a role assignment, which is the cornerstone of access control in Keystone.
A critical aspect of role assignments is inheritance. Roles granted at the domain level cascade to all projects under that domain, enabling hierarchical privilege propagation and reducing repetitive configuration. This inheritance mechanism must be balanced carefully to avoid unintentional privilege escalation.
CRUD operations on roles involve creating new roles, listing role catalogs, assigning or revoking roles for users/groups over scopes, and deleting obsolete roles.
-
Service Endpoints: Service endpoints define network-accessible API locations for registered OpenStack services such as Nova, Neutron, or Swift. Each service endpoint is associated with a service entity and contains URLs differentiated by interface type: public, internal, and admin.
Endpoints are critical for enabling clients to locate and communicate with specific service instances, supporting multi-region or multi-environment configurations through endpoint catalog abstraction.
Endpoint management includes registering services, creating endpoints with proper URLs, updating to reflect topology changes, and deletion when services are decommissioned. Accurate modeling of endpoints ensures seamless service discovery and operational continuity.
-
Entity Relationships and Identity Scoping: Interactions among these entities underpin Keystone's identity and access management model. Users authenticate in a scoped manner-either domain-scoped or project-scoped. The scope determines the token issued and the corresponding sets of role assignments applicable during authorization.
Group membership aggregates roles from multiple group assignments and direct user assignments, forming a cumulative permission set. Role inheritance augments this set by propagating privileges downward in the domain-project hierarchy.
Consider the following role assignment example:
- User alice belongs to group dev-team in domain example.com.
- The dev-team group is assigned the member role in project proj1.
- Additionally, alice has a direct admin role in domain example.com.
Through inheritance, the admin role applies to all projects under example.com, potentially granting alice admin privileges for proj1 and others unless explicitly restricted.
-
Impact on Access Control and Governance: Keystone's entity model, through its hierarchical domains and scoped projects, provides a scalable framework that enforces least privilege and administrative segregation. By carefully orchestrating role assignments and leveraging inheritance, organizations can achieve granular access policies with reduced operational complexity.
However, the flexibility in role assignments and entity relationships demands rigorous governance and auditing practices. Misconfigured inheritance or group memberships can easily lead to excessive permissions or privilege leakage. Thus, understanding the interactions and lifecycle of Keystone entities is vital for maintaining secure and manageable multi-tenant deployments.
The design of Keystone entities aligns with industry best practices on zero-trust principles, emphasizing explicit scope, minimal roles, and auditability, which collectively form the foundation of secure and adaptive cloud identity management.
Keystone functions as the cornerstone of identity management within the OpenStack ecosystem, acting as the unified authority for authentication and authorization. Its role ensures that every request entering the OpenStack environment can be reliably attributed and verified, maintaining security integrity across the distributed architecture of...
