Keystone, OpenStack's Identity service, provides secure, controlled access to a cloud's resources. In OpenStack environments, Keystone performs many vital functions, such as authenticating users and determining which resources those users are authorized to access.
Whether the cloud is private, public, or dedicated, securing access to cloud resources is essential. This practical guide to using Keystone provides detailed, step-by-step guidance on creating a secure cloud environment at the Infrastructure-as-a-Service layer, as well as key practices for safeguarding your cloud's ongoing security.
Learn about Keystone's fundamental capabilities for providing Identity, Authentication, and Access Management
Perform basic Keystone operations, using concrete examples and the latest version (v3) of Keystone's Identity API
Understand Keystone's unique support for multiple token formats, including how it has evolved over time
Get an in-depth explanation of Keystone's LDAP support and how to configure Keystone to integrate with LDAP
Learn about one of Keystone's most sought-after features—support for federated identity
Chapter 1: Fundamental Keystone Topics
1.1 Keystone Concepts
1.4 Access Management and Authorization
1.5 Backends and Services
Chapter 2: Let's Use Keystone!
2.1 Getting DevStack
2.2 Basic Keystone Operations Using OpenStackClient
2.3 Basic Keystone Operations Using Horizon
2.4 Tips, Common Pitfalls, and Troubleshooting
Chapter 3: Token Formats
3.1 History of Keystone Token Formats
3.2 UUID Tokens
3.3 PKI Tokens
3.4 Fernet Tokens
3.5 Tips, Common Pitfalls, and Troubleshooting
4.1 Approach to LDAP Integration
4.2 Configuring Keystone to Integrate with LDAP
4.3 Multiple Domains and LDAP
4.4 A Practical Guide to Using Multi-Domains and Keystone
4.5 Projects, Roles, and Assignments from LDAP (Just Say NO!)
4.6 Tips, Common Pitfalls, and Troubleshooting
Chapter 5: Federated Identity
5.1 Approach to Federation
5.2 Translating User Attributes to Keystone Concepts
5.3 Authentication Flow: What’s It Look Like?
5.4 Single Sign-On
5.5 A Practical Guide to Federating Identities for IBM WebSphere Liberty and Bluepages
5.6 A Practical Guide to Setting Up SSO with Google
5.7 Tips, Common Pitfalls, and Troubleshooting
Chapter 6: Future Work
6.1 Multi-Factor Authentication
6.2 Integration with Horizon for Multi-Region Keystone to Keystone Federation Support
6.3 Using LDAP as a Federated Identity Provider
6.4 Replacement of Service Users with X.509 Certificates and Barbican Integration
6.5 Centralized Policy and Distribution
6.6 Integrating with Other Technologies
Identity, Authentication, and Access Management in OpenStack
Steve Martinelli, Henry Nash, Brad Topol
Safari Books Online
Early Release Ebook
Steve Martinelli is an OpenStack Active Technical Contributor and a Keystone Core Contributor. He primarily focuses on enabling Keystone, OpenStack's Identity service, to integrate better into enterprise environments. Steve was responsible for adding Federated Identity and OAuth support to Keystone and was one of the leading contributors to Keystone-to-Keystone federation support for interoperable hybrid cloud enablement. In his spare time he also contributes to OpenStackClient, pyCADF, and oslo.policy, and is a core contributor to each of these projects. Steve received his B.A.Sc. in Computer Engineering from York University.
Henry Nash works in IBM's Cloud division as an OpenStack Architect and a core contributor to OpenStack Keystone, driving enterprise capabilities into OpenStack as well as into IBM's products that use OpenStack. He has a long history of developing enterprise software, graphics and communication systems, and nanotechnology, having founded numerous successful companies in Europe and the USA before coming to IBM via acquisition in 2009. He holds a first-class honors degree in Electrical Engineering from the University of Southampton, UK.
Dr. Brad Topol is an IBM Distinguished Engineer in the IBM Cloud Architecture and Technology organization. In his current role, Brad leads a development team focused on contributing to and improving OpenStack and he has cross-IBM responsibility for coordinating its contributions to OpenStack. Brad is an OpenStack core contributor to Keystone-Specs, Pycadf, and Heat-Translator and has personally contributed to multiple OpenStack projects including Keystone, Pycadf, Heat-Translator, and DevStack. He received a Ph.D. in Computer Science from the Georgia Institute of Technology in 1998.