Install: claude install-skill Tibsfox/gsd-skill-creator
# OpenStack Keystone Identity Service
Keystone is the identity service for OpenStack. Every API call to every OpenStack service passes through Keystone for authentication and authorization. It is the first service deployed and the last decommissioned. If Keystone is down, the entire cloud is down.
Keystone provides five core functions: **identity** (users, groups), **resources** (projects, domains), **assignment** (roles mapped to users on projects), **token** (authentication proof with configurable lifetime), and **catalog** (service endpoint registry). Understanding Keystone means understanding how every OpenStack service discovers and trusts every other service.
## Deploy
### Kolla-Ansible Configuration
**globals.yml settings:**
```yaml
# Required -- set strong passwords
keystone_admin_password: "{{ vault_keystone_admin_password }}"
keystone_database_password: "{{ vault_keystone_database_password }}"
# TLS (recommended for production)
kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
kolla_copy_ca_into_containers: "yes"
# Token provider (Fernet is default and recommended)
keystone_token_provider: "fernet"
# Optional tuning
keystone_token_expiration: 3600 # seconds, default 1 hour
```
**Deployment sequence:**
```bash
# 1. Bootstrap -- prepares the target hosts (container engine and other deploy dependencies)
kolla-ansible -i inventory bootstrap-servers
# 2. Deploy Keystone (runs as part of full deploy or targeted);
#    this step creates the database, service users and initial endpoints
kolla-ansible -i inventory deploy --tags keystone
# 3