Chapter 3. OpenStack Identity Service Installation

3.1. Identity Service Overview

The Identity service authenticates and authorizes OpenStack users; the service is used by all OpenStack components. The service supports multiple forms of authentication, including user name and password credentials, token-based systems, and AWS-style (Amazon Web Services) logins.
The Identity service also provides a central catalog of services and endpoints running in a particular OpenStack cloud, which acts as a service directory for other OpenStack systems. OpenStack services use the following endpoints:
  • adminURL, the URL for the administrative endpoint for the service. Only the Identity service might use a value here that is different from publicURL; all other services will use the same value.
  • internalURL, the URL of an internal-facing endpoint for the service (typically the same as the publicURL).
  • publicURL, the URL of the public-facing endpoint for the service.
  • region, in which the service is located. By default, if a region is not specified, the 'RegionOne' location is used.
The Identity service uses the following concepts:
  • Users, which have associated information (such as a name and password). In addition to custom users, a user must be defined for each cataloged service (for example, the 'glance' user for the Image service).
  • Tenants, which are generally the user's group, project, or organization.
  • Roles, which determine a user's permissions.
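The following script is an added example written for this chapter; it is not code from the Red Hat documentation or from the Keystone project. It walks through the two things described above: looking up a service in the catalog by endpoint type (adminURL, internalURL, publicURL) and region, with 'RegionOne' as the default, and checking which roles a user's token carries within a tenant. It also adds a small sanity check that flags any non-Identity service whose adminURL differs from its publicURL, since the chapter states that only the Identity service is expected to differ. The token response, host names, IDs and role names are constructed placeholders, not values from a real deployment; the helper names find_endpoint, has_role and admin_url_mismatches are this example's own.

```python
"""Added example: parsing a constructed Keystone v2-style token response,
selecting catalog endpoints by interface and region, and checking roles.
Everything below is sample data for illustration, not a live deployment."""
import json

# Constructed sample of a Keystone v2 token response, trimmed to the fields
# used here. Host names, tenant/token IDs and users are placeholders.
SAMPLE_TOKEN_RESPONSE = json.loads("""
{
  "access": {
    "token": {"id": "PLACEHOLDER_TOKEN_ID",
              "tenant": {"id": "t-001", "name": "demo"}},
    "user": {"name": "alice", "roles": [{"name": "member"}]},
    "serviceCatalog": [
      {
        "name": "keystone", "type": "identity",
        "endpoints": [{
          "region": "RegionOne",
          "publicURL":   "https://identity.example.test:5000/v2.0",
          "internalURL": "https://identity.example.test:5000/v2.0",
          "adminURL":    "https://identity.example.test:35357/v2.0"
        }]
      },
      {
        "name": "glance", "type": "image",
        "endpoints": [
          {"region": "RegionOne",
           "publicURL":   "https://image.example.test:9292",
           "internalURL": "http://10.0.0.5:9292",
           "adminURL":    "https://image.example.test:9292"},
          {"region": "RegionTwo",
           "publicURL":   "https://image2.example.test:9292",
           "internalURL": "http://10.0.1.5:9292",
           "adminURL":    "http://10.0.1.5:9292"}
        ]
      }
    ]
  }
}
""")

DEFAULT_REGION = "RegionOne"   # the Identity service default named in the chapter
INTERFACES = ("publicURL", "internalURL", "adminURL")


def find_endpoint(catalog, service_type, interface="publicURL", region=None):
    """Return the URL of service_type for the given interface and region.
    interface must be publicURL, internalURL or adminURL; when no region is
    given, RegionOne is used. Returns None if nothing matches."""
    if interface not in INTERFACES:
        raise ValueError("unknown endpoint interface %r" % interface)
    region = region or DEFAULT_REGION
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("region", DEFAULT_REGION) == region and interface in ep:
                return ep[interface]
    return None


def has_role(token_response, role_name, tenant_name=None):
    """True if the token carries role_name. When tenant_name is given, the
    token must also be scoped to that tenant, since roles apply per tenant."""
    access = token_response["access"]
    if tenant_name is not None:
        scoped = access["token"].get("tenant", {}).get("name")
        if scoped != tenant_name:
            return False
    roles = access["user"].get("roles", [])
    return any(r.get("name") == role_name for r in roles)


def admin_url_mismatches(catalog):
    """Flag (service name, region) pairs, other than Identity, whose adminURL
    differs from publicURL. The chapter says only Identity should differ, so
    any hit here is worth a look during catalog review."""
    findings = []
    for service in catalog:
        if service.get("type") == "identity":
            continue
        for ep in service.get("endpoints", []):
            if ep.get("adminURL") != ep.get("publicURL"):
                findings.append((service.get("name"), ep.get("region")))
    return findings


if __name__ == "__main__":
    cat = SAMPLE_TOKEN_RESPONSE["access"]["serviceCatalog"]
    print(find_endpoint(cat, "image"))                    # RegionOne publicURL
    print(find_endpoint(cat, "identity", "adminURL"))     # port 35357 endpoint
    print(has_role(SAMPLE_TOKEN_RESPONSE, "admin"))       # False
    print(admin_url_mismatches(cat))                      # [('glance', 'RegionTwo')]
```

The lookup falls back to 'RegionOne' only when the caller passes no region; an endpoint entry with no region attribute is treated the same way, which matches the chapter's description of the default. The mismatch check is a catalog-hygiene aid for whoever registers endpoints, not an authorization control.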

Table 3.1. Identity Service components

Component    Description
keystone     Provides the administrative and public APIs.
Databases    One for each of the internal services.