IdM integration
In a 2014 blog post, OpenStack developer Nathan Kinder famously (and convincingly) argued that Keystone is not an authentication service. In this post, Kinder describes the deployment pattern of placing the Keystone service behind an Apache HTTP server, which uses native modules to perform authentication. Kinder makes two arguments in his post:
- Most people use some kind of external authentication system with OpenStack
- The reference authentication system (the SQL plugin) doesn't have any of the features that we'd expect from an authentication service
Both of these arguments have been proven in our experience; the first integration that most organizations we work with tackle is that of the IdM service.
Authentication and authorization in OpenStack
Having an understanding of how authentication and authorization work within OpenStack is helpful. Each call to an OpenStack API service is authorized by a bearer token, which is retrieved from and verified by the Keystone service. The...