1.4.2. Identity Service
The Identity service authenticates and authorizes OpenStack users (it keeps track of users and their permitted activities) and is used by all OpenStack components. The service supports multiple forms of authentication, including user name and password credentials, token-based systems, and AWS-style (Amazon Web Services) logins.
The Identity service also provides a central catalog of services and endpoints running in a particular OpenStack cloud. This acts as a service directory for other OpenStack systems. Each endpoint is assigned:
- an adminURL, the URL for the administrative endpoint for the service. Only the Identity service might use a value here that differs from the publicURL; all other services use the same value.
- an internalURL, the URL of an internal-facing endpoint for the service (typically the same as the publicURL).
- a publicURL, the URL of the public-facing endpoint for the service.
- a region, in which the service is located. By default, if a region is not specified, the 'RegionOne' location is used.
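As an added example (not Red Hat or OpenStack code), the helpers below select an endpoint from a Keystone v2.0 'serviceCatalog' by interface and region, applying the RegionOne default, and flag non-Identity services whose adminURL differs from publicURL; the catalog and hostnames are constructed.

```python
# Added example (not Red Hat or OpenStack code): selecting endpoints from a
# Keystone v2.0 'serviceCatalog', whose entries carry the adminURL,
# internalURL, publicURL and region fields described above.
INTERFACE_KEY = {"public": "publicURL", "internal": "internalURL", "admin": "adminURL"}
DEFAULT_REGION = "RegionOne"  # applied when an endpoint has no region field

# Constructed sample catalog; hostnames are placeholders.
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [{
        "region": "RegionOne",
        "publicURL": "http://keystone.example.test:5000/v2.0",
        "internalURL": "http://keystone.example.test:5000/v2.0",
        "adminURL": "http://keystone.example.test:35357/v2.0"}]},
    {"type": "image", "name": "glance", "endpoints": [{
        "publicURL": "http://glance.example.test:9292",  # no region: RegionOne
        "internalURL": "http://glance.example.test:9292",
        "adminURL": "http://glance.example.test:9292"}]},
]


def get_endpoint(catalog, service_type, interface="public", region=None):
    """Return the URL of one interface of a service in a region.

    A missing URL raises instead of silently falling back to another
    interface, so a client asking for internalURL never ends up on adminURL.
    """
    key = INTERFACE_KEY[interface]
    region = region or DEFAULT_REGION
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("region", DEFAULT_REGION) == region:
                if key not in ep:
                    raise KeyError(f"{service_type}: no {key} in {region}")
                return ep[key]
    raise LookupError(f"no {service_type} endpoint in region {region}")


def admin_url_mismatches(catalog):
    """Names of non-Identity services whose adminURL differs from publicURL.

    Only Identity is expected to differ, so anything listed here is worth
    a configuration review.
    """
    return [s["name"] for s in catalog if s.get("type") != "identity"
            for ep in s.get("endpoints", []) if ep.get("adminURL") != ep.get("publicURL")]
```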
The Identity service uses the following concepts:
- Users, with associated information (such as a name and password). In addition to custom users, a user is automatically defined for each cataloged service (for example, the 'glance' user for the Image service), which belongs to the special tenant 'service'.
- Tenants, generally the user's group, project, or organization.
- Roles that determine a user's permissions.
Table 1.3. Identity Service components
| Component | Description |
|---|---|
| keystone | Provides the administrative and public APIs. |
| Databases | For each of the internal services. |