This blog on Openstack modelled using Archimate follows on from the previous Blog on Openstack Cloud Object Storage in Archimate – Part 7
Keystone = Identity
Keystone is an OpenStack service that provides API client authentication, service discovery, and distributed multi-tenant authorization by implementing OpenStack’s Identity API. It supports LDAP, OAuth, OpenID Connect, SAML and SQL. It offers Role Based Access Control (RBAC).
Keystone = Identity Structural Logical Architecture
Keystone provides a single point of integration for OpenStack policy, catalog, token and authentication.
Keystone handles API requests (service and admin APIs) and provides configurable catalog, policy, token and identity services.
Standard backends include LDAP and SQL, as well as key-value stores (KVS) for the OpenStack token, catalog, policy and identity backends.
Identity Service: most people will use this as the point of customization for integrating their existing authentication services.
Keystone = Identity Behavioural Services Architecture
These are the REST & CLI Services offered by Keystone for Identity. For each Service below there are one or many sub-services or commands that can be found here: https://developer.openstack.org/api-ref/identity/v3/
- User gets Token from Keystone.
- Token includes the list of user Projects and Roles in them.
- User calls the Service specifying the Token.
- Service interprets the Roles:
  - Service consults its policy.json file.
  - Policy.json specifies the list of available rules.
  - Policy.json specifies which rules are enforced for operations and resources.
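The token-then-policy flow listed above, as an added example that is not part of the original blog or of OpenStack's own code. The identity store, the token layout and the policy.json content are constructed sample values, and the enforcer implements only a subset of the real oslo.policy rule grammar (`role:`, `rule:`, attribute matches against `%(target)s`, `@`, `!`, and `and`/`or` without parentheses), so it shows how a service turns the roles carried in a token into an allow/deny decision rather than reproducing Keystone itself.

```python
import json

# Constructed identity store: which roles each user holds in each project (sample data).
IDENTITY = {
    "alice": {"user_id": "u-alice", "projects": {"p-demo": ["member"]}},
    "bob":   {"user_id": "u-bob",   "projects": {"p-demo": ["admin"], "p-ops": ["member"]}},
}

# Constructed policy.json in the style a service would ship (sample rules, not a real service policy).
POLICY_JSON = """{
  "admin_required": "role:admin",
  "owner": "project_id:%(project_id)s",
  "admin_or_owner": "rule:admin_required or rule:owner",
  "compute:get": "rule:admin_or_owner",
  "compute:delete": "rule:admin_required",
  "compute:list_all": "!"
}"""


def issue_token(username, project_id):
    """Steps 1-2: Keystone issues a token scoped to one project that carries the user's projects and roles."""
    user = IDENTITY.get(username)
    if user is None or project_id not in user["projects"]:
        raise PermissionError(f"{username} has no role in project {project_id}")
    return {"user_id": user["user_id"], "project_id": project_id, "projects": dict(user["projects"])}


def creds_from_token(token):
    """Steps 3-4: the called service reads the roles that apply to the token's scoped project."""
    return {
        "user_id": token["user_id"],
        "project_id": token["project_id"],
        "roles": token["projects"][token["project_id"]],
    }


class PolicyEnforcer:
    """Steps 5-7: evaluate policy.json rules for an operation against the caller's credentials."""

    def __init__(self, policy_text):
        self.rules = json.loads(policy_text)

    def enforce(self, action, creds, target=None):
        rule = self.rules.get(action)
        if rule is None:
            return False  # operation not covered by policy.json: deny rather than fall open
        return self._eval(rule, creds, target or {})

    def _eval(self, expr, creds, target):
        # 'or' binds loosest; every atom inside an 'and' clause must hold
        return any(
            all(self._atom(atom.strip(), creds, target) for atom in clause.split(" and "))
            for clause in expr.split(" or ")
        )

    def _atom(self, atom, creds, target):
        if atom == "@":
            return True          # always allowed
        if atom == "!":
            return False         # never allowed
        kind, _, value = atom.partition(":")
        if kind == "rule":
            return self._eval(self.rules[value], creds, target)   # named rule reference
        if kind == "role":
            return value in creds.get("roles", ())               # role carried by the token
        if value.startswith("%(") and value.endswith(")s"):
            value = target.get(value[2:-2])  # substitute a target attribute, e.g. the resource's project_id
        return creds.get(kind) == value


def call_service(token, action, target, enforcer=PolicyEnforcer(POLICY_JSON)):
    """Whole flow: the service receives the token, derives credentials and consults its policy.json."""
    return enforcer.enforce(action, creds_from_token(token), target)


if __name__ == "__main__":
    alice = issue_token("alice", "p-demo")
    print(call_service(alice, "compute:get", {"project_id": "p-demo"}))     # owner of the resource
    print(call_service(alice, "compute:get", {"project_id": "p-ops"}))      # resource in another project
    print(call_service(alice, "compute:delete", {"project_id": "p-demo"}))  # admin-only operation
```

Two defensive choices are worth noticing: an operation with no entry in policy.json is denied instead of silently allowed, and the `owner` rule compares the project in the token against the project of the target resource, so a valid token for one project gives no access to another project's resources.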
The next blog in the series is OpenStack Cloud Orchestration in Archimate – Part 9.