OpenStack Keystone is the identity service component of the OpenStack cloud infrastructure platform, providing authentication, authorization, and service discovery mechanisms primarily through HTTP interfaces. The project serves as a central identity management system for OpenStack deployments and is commonly deployed as an HTTP interface to existing identity systems such as LDAP, enabling organizations to integrate their existing directory services with OpenStack environments.
The repository implements comprehensive identity and access management capabilities across multiple dimensions. It handles token issuance and token management, allowing systems to issue and validate authentication tokens for API access. The service supports role-based access control, enabling fine-grained permission management through role assignments. Keystone manages user provisioning and user management operations, supporting the creation, modification, and deletion of user accounts within OpenStack deployments. The system is designed with multi-tenant architecture in mind, allowing multiple isolated tenants to coexist within a single OpenStack installation while maintaining security boundaries between them.
Beyond basic authentication, Keystone provides identity federation capabilities, enabling users from external identity providers to access OpenStack resources through federated authentication mechanisms. This extends the service's utility in enterprise environments where users may already be authenticated through corporate identity systems. The service catalog functionality allows Keystone to maintain and distribute information about available OpenStack services and their endpoints, enabling clients to discover service locations dynamically.
The project is written in Python and maintains comprehensive documentation across multiple audiences. Developer documentation is published at docs.openstack.org, with API reference materials available for integration purposes. Cloud administrator documentation provides operational guidance for deploying and managing Keystone instances. The canonical client library, python-keystoneclient, is maintained separately and provides programmatic access to Keystone functionality.
The project maintains active community engagement through multiple channels. Team meetings are coordinated through the OpenStack wiki, and contributors participate in IRC discussions on the OFTC network in the dedicated keystone channel. Bug tracking and feature requests are managed through Launchpad, while future design work is tracked through the keystone-specs repository. The project follows standard OpenStack contribution guidelines documented in the CONTRIBUTING.rst file.
This repository serves as a mirror of code maintained at opendev.org, reflecting OpenStack's distributed development infrastructure. The service is classified across numerous identity and access management categories including token management, user management, role-based access control, identity federation, and API management, reflecting its comprehensive role in OpenStack's security architecture. As a foundational service within the OpenStack ecosystem, Keystone is essential for any OpenStack deployment requiring secure, scalable identity management and service discovery capabilities.