Introduction to Keystone
Keystone is a powerful and robust open-source Identity service used to manage
authentication and high-level authorization within OpenStack clouds. It offers
dozens of useful APIs to streamline identity management, ensuring secure
access and orchestrating user permissions with precision.
Getting Started with Keystone APIs
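Below are some of the key APIs offered by Keystone, with explanations and the
corresponding requests. Each request must carry a valid token in the
X-Auth-Token header, as the Python application at the end of this page does.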
Create a New User
This API creates a new user within the Keystone identity service.
POST /v3/users
{
  "user": {
    "name": "new_user",
    "domain_id": "default",
    "enabled": true,
    "password": "password123"
  }
}
List All Users
Retrieve a list of all users in the Keystone identity service.
GET /v3/users
Get User Details
Fetch detailed information for a specific user by their ID.
GET /v3/users/{user_id}
Update User Information
Update the information of an existing user.
PATCH /v3/users/{user_id}
{
  "user": {
    "name": "updated_name",
    "enabled": false
  }
}
Delete a User
Remove a user from the Keystone identity service.
DELETE /v3/users/{user_id}
Create a New Project
This API call creates a new project within the Keystone identity service.
POST /v3/projects
{
  "project": {
    "name": "new_project",
    "domain_id": "default",
    "enabled": true
  }
}
List All Projects
Retrieve a list of all projects in the Keystone identity service.
GET /v3/projects
Get Project Details
Fetch detailed information for a specific project by its ID.
GET /v3/projects/{project_id}
Update Project Information
Update the information of an existing project.
PATCH /v3/projects/{project_id}
{
  "project": {
    "name": "updated_project_name",
    "enabled": false
  }
}
Delete a Project
Remove a project from the Keystone identity service.
DELETE /v3/projects/{project_id}
Assign a Role to a User
This API assigns a specific role to a user within a project.
PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
Remove a Role from a User
Remove a specific role from a user within a project.
DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
Building a Simple Application Using Keystone APIs
Let’s build a simple Python application that demonstrates user creation, project
creation, and role assignment using Keystone APIs.
import requests

# Use HTTPS so the token and the new user's password are not sent in cleartext.
BASE_URL = "https://keystone.example.com/v3"
HEADERS = {"Content-Type": "application/json"}
TIMEOUT = 10  # seconds; without a timeout, requests can block indefinitely


def create_user(token, username, password, domain_id="default"):
    """Create a user (POST /v3/users) and return the parsed response body."""
    url = f"{BASE_URL}/users"
    headers = {**HEADERS, "X-Auth-Token": token}
    data = {
        "user": {
            "name": username,
            "password": password,
            "domain_id": domain_id,
            "enabled": True,
        }
    }
    response = requests.post(url, json=data, headers=headers, timeout=TIMEOUT)
    response.raise_for_status()  # fail here instead of on a missing key later
    return response.json()


def create_project(token, project_name, domain_id="default"):
    """Create a project (POST /v3/projects) and return the parsed response body."""
    url = f"{BASE_URL}/projects"
    headers = {**HEADERS, "X-Auth-Token": token}
    data = {
        "project": {
            "name": project_name,
            "domain_id": domain_id,
            "enabled": True,
        }
    }
    response = requests.post(url, json=data, headers=headers, timeout=TIMEOUT)
    response.raise_for_status()
    return response.json()


def assign_role(token, project_id, user_id, role_id):
    """Grant role_id to user_id on project_id; the response has no body."""
    url = f"{BASE_URL}/projects/{project_id}/users/{user_id}/roles/{role_id}"
    headers = {**HEADERS, "X-Auth-Token": token}
    response = requests.put(url, headers=headers, timeout=TIMEOUT)
    response.raise_for_status()
    return response


if __name__ == "__main__":
    # Placeholders: supply a real token, password and role ID at run time.
    admin_token = "ADMIN_TOKEN"

    user = create_user(admin_token, "johndoe", "password123")
    print(f"Created User: {user}")

    project = create_project(admin_token, "example_project")
    print(f"Created Project: {project}")

    role_assignment = assign_role(
        admin_token, project["project"]["id"], user["user"]["id"], "role_id"
    )
    print(f"Assigned Role: {role_assignment.status_code}")
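A hardened variant of the provisioning flow above, added here as an example and not part of the original page's code: it generates a random initial password, creates the user disabled, enables it only after the role grant succeeds, and rolls back with the DELETE calls listed earlier if any step fails. The names `http_send`, `send` and `provision` are hypothetical, and the transport is swapped to the standard library's urllib; the endpoints are the ones on this page.

```python
import json
import secrets
import urllib.request

BASE_URL = "https://keystone.example.com/v3"  # placeholder endpoint, as on this page


def http_send(token):
    """Return a send(method, path, body) callable backed by urllib (assumed transport)."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            BASE_URL + path, data=data, method=method,
            headers={"Content-Type": "application/json", "X-Auth-Token": token})
        with urllib.request.urlopen(req, timeout=10) as resp:  # HTTPError on 4xx/5xx
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return send


def provision(send, username, project_name, role_id, domain_id="default"):
    """Create user + project, grant the role, and undo everything if a step fails."""
    created = []  # paths of resources to DELETE on failure, in creation order
    password = secrets.token_urlsafe(24)  # random initial secret, not a fixed string
    try:
        # Create the account disabled so it cannot be used while half-provisioned.
        _, body = send("POST", "/users", {"user": {
            "name": username, "password": password,
            "domain_id": domain_id, "enabled": False}})
        user_id = body["user"]["id"]
        created.append(f"/users/{user_id}")
        _, body = send("POST", "/projects", {"project": {
            "name": project_name, "domain_id": domain_id, "enabled": True}})
        project_id = body["project"]["id"]
        created.append(f"/projects/{project_id}")
        send("PUT", f"/projects/{project_id}/users/{user_id}/roles/{role_id}")
        send("PATCH", f"/users/{user_id}", {"user": {"enabled": True}})
    except Exception:
        for path in reversed(created):  # best-effort rollback, newest first
            try:
                send("DELETE", path)
            except Exception:
                pass  # keep rolling back; the original error is re-raised below
        raise
    return {"user_id": user_id, "project_id": project_id, "password": password}
```

Call it as `provision(http_send(token), "johndoe", "example_project", role_id)` and hand the returned password to the user over a separate channel.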