Configuring Keystone¶

Identity sources¶

One of the most impactful decisions you’ll have to make when configuring keystone is deciding how you want keystone to source your identity data. Keystone supports several different choices that will substantially impact how you’ll configure, deploy, and interact with keystone.

You can also mix-and-match various sources of identity (see Domain-specific Configuration for an example). For example, you can store OpenStack service users and their passwords in SQL, manage customers in LDAP, and authenticate employees via SAML federation.

Summary

Details

• Local authentication

  Status: optional. Authenticate with keystone by providing credentials directly to keystone.

  drivers:

  • SQL: complete
  • LDAP: complete
  • OAuth v1.0a: complete
  • REMOTE_USER: missing
  • OpenID Connect: missing
  • SAML v2: missing

• External authentication

  Status: optional. Authenticate with keystone by providing credentials to an external system that keystone trusts (as with federation).

  drivers:

  • SQL: missing
  • LDAP: missing
  • OAuth v1.0a: missing
  • REMOTE_USER: complete
  • OpenID Connect: complete
  • SAML v2: complete

• Identity management

  Status: optional. Create, update, enable/disable, and delete users via Keystone’s HTTP API.

  drivers:

  • SQL: complete
  • LDAP: partial
  • OAuth v1.0a: complete
  • REMOTE_USER: missing
  • OpenID Connect: missing
  • SAML v2: missing

• PCI-DSS controls

  Status: optional. Configure keystone to enforce PCI-DSS compliant security controls.

  drivers:

  • SQL: complete
  • LDAP: partial
  • OAuth v1.0a: missing
  • REMOTE_USER: partial
  • OpenID Connect: missing
  • SAML v2: missing

• Auditing

  Status: optional. Audit authentication flows using PyCADF.

  drivers:

  • SQL: complete
  • LDAP: complete
  • OAuth v1.0a: missing
  • REMOTE_USER: missing
  • OpenID Connect: complete
  • SAML v2: complete