Identity and Access (Keystone)
Overview
firstcolo Cloud uses the OpenStack component Keystone for identity and access.
There are different ways to authenticate towards Keystone. Upon successful authentication, the identity service issues the user an authorization token that is used for subsequent service requests.
Supported authentication methods
Method | Supported |
---|---|
Password | yes |
Token | yes |
Application Credentials | yes |
Multi-Factor-Authentication (TOTP) | no |
Password
A common way for a user or service to authenticate towards Keystone is by using username and password. For an example, have a look at the API access tutorial.
Users can change their password either using the OpenStack CLI command openstack user password set, or via the OpenStack dashboard.
If you forgot your password, please contact our support.
Token
When you authenticate using a token, it is not necessary anymore to provide username and password. Tokens are valid for only one hour.
The OpenStack CLI allows you to create tokens with the command openstack token issue. A token can also be revoked manually using openstack token revoke. For more information on how to get started with the OpenStack CLI, have a look at the API access tutorial.
Many clients will switch to the token authentication method once these environment variables are in place:
export OS_TOKEN="ab4d1e500c5245e5a166892943118a44"
export OS_AUTH_TYPE="token"
unset OS_USER_DOMAIN_NAME
unset OS_USERNAME
Application Credentials
Users can create Application Credentials and use them instead of the Password method. This is useful if you want to configure third-party software like Prometheus to query the OpenStack API.
With Application Credentials you avoid putting clear-text passwords into the configuration of applications.
Application Credentials always belong to a user, and can inherit some or all roles of their owner.
Please refer to the Application Credentials tutorial to learn more about how to use Application Credentials.
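The three supported methods above (Password, Token and Application Credentials) all map onto the same Keystone v3 request, POST /auth/tokens, which returns the new token in the X-Subject-Token header and its expiry in the body. The following is an added example, not code from firstcolo or from OpenStack; the endpoint URL, user, project and credential values are constructed placeholders, and request_token assumes network access to a real Keystone.

```python
"""Build Keystone v3 auth requests for the password, token and application
credential methods and parse the token response. Added example; AUTH_URL and
all credential values are constructed placeholders."""
import json
import urllib.request
from datetime import datetime, timezone

AUTH_URL = "https://keystone.example.invalid/v3"  # constructed placeholder


def password_auth(username, password, project, domain="Default"):
    """Password method: user credentials plus an explicit project scope."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": username, "domain": {"name": domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}


def token_auth(token, project, domain="Default"):
    """Token method: scope an existing token; no username or password is sent."""
    return {"auth": {
        "identity": {"methods": ["token"], "token": {"id": token}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}


def app_cred_auth(cred_id, secret):
    """Application credential method: the scope is fixed by the credential,
    so the request carries no scope element at all."""
    return {"auth": {"identity": {
        "methods": ["application_credential"],
        "application_credential": {"id": cred_id, "secret": secret}}}}


def parse_token_response(subject_token, body_bytes):
    """Return (token id, whole seconds of validity left). Keystone puts the
    token id in X-Subject-Token and the expiry in token.expires_at."""
    token = json.loads(body_bytes)["token"]
    expires = datetime.fromisoformat(token["expires_at"].replace("Z", "+00:00"))
    remaining = (expires - datetime.now(timezone.utc)).total_seconds()
    return subject_token, max(0, int(remaining))


def request_token(body):
    """POST the auth body to Keystone and return (token id, seconds left)."""
    req = urllib.request.Request(
        AUTH_URL + "/auth/tokens", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:  # needs a reachable Keystone
        return parse_token_response(resp.headers["X-Subject-Token"], resp.read())
```

The returned token id is what goes into OS_TOKEN for the token method; the remaining-seconds value lets a client renew before the one-hour validity runs out.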
Access management
On the firstcolo Cloud every customer will have one or more users (for every team member), and one or more projects. Users can have access to all customer projects, or only to a subset of projects if required.
We manage projects, users, groups and roles for you. Please contact Support if you require changes to your projects, users or groups.
Projects
Every cloud resource, like a virtual machine, belongs to a certain project. It is good practice to separate unrelated pieces of infrastructure into different projects. If you need separate projects, please contact Support.
Roles
Role | Access to cloud resources |
---|---|
member | create, read, update, delete |
member | access to OpenStack Swift storage |
load-balancer_member | manage load balancers |