what is the difference in authorization between AWS IAM and OpenStack keystone?

asked 2014-04-10 02:28:04 -0500

9lives

updated 2014-04-10 02:33:09 -0500

Dear Stackers,

As far as I know, in the AWS IAM service the authorization can be done by IAM only, i.e. IAM can define which role can access which services (EC2, S3 etc.) and do what action. However, in OpenStack it seemed Keystone cannot really do authorization on its own; it needs the policy.json from other services like Glance to define which role can do actions like uploading the image file etc.

My question is what are the other major differences between the two authorization services?

Thanks for your kind help!


1 answer


answered 2014-04-17 17:43:53 -0500

I can give you an OpenStack point of view. Keystone today has 2 roles, a Member role (user) and an Admin role. The admin role can do more admin-like functions: create projects, create users, create platform flavors, see everything that is going on, and modify everything as well. A Member role is a user within a Project, and a user in a project can look at consumption against quota, spin up and down VM instances, create Volumes, create Security (Sec-groups, Key pairs), and access the APIs/CLI. Under the covers Keystone uses a unique ID to verify authorization based on user type and services being requested. Coming in Keystone 3.0 the concept of Domains is introduced, so you now can have Admins for particular Domains, then again the Member or user role. This will allow a granular division of Admin functions to Domains of users. Hope this helps.

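To make the service-side half of the comparison concrete, here is an added example (not from the original post, and not OpenStack's or oslo.policy's own code) of how a policy.json maps roles to actions: a toy evaluator for a constructed Glance-style policy in which the member role can upload an image but only admin can delete or publicize one. The policy contents, the rule names and the simplified rule grammar (role:, rule:, "and"/"or", "" allow, "!" deny; no parentheses or "not") are assumptions.

```python
import json

# Constructed policy in the style of a service's policy.json (not Glance's
# shipped file). Keys are API actions; values are rule expressions.
POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "default": "",
    "add_image": "",
    "upload_image": "rule:context_is_admin or role:member",
    "delete_image": "rule:context_is_admin",
    "publicize_image": "rule:context_is_admin"
}
"""

def _check_atom(atom, rules, creds):
    """Evaluate one 'kind:value' atom against the caller's credentials.
    Supported kinds (an assumed subset of the real grammar): role:, rule:.
    The empty atom is the always-allow rule."""
    atom = atom.strip()
    if atom == "":
        return True
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return check_rule(rules, value, creds)
    raise ValueError("unsupported atom: %r" % atom)

def check_rule(rules, name, creds):
    """True if rule `name` permits `creds`; unknown names fall back to 'default'."""
    expr = rules.get(name, rules.get("default", "!"))
    if expr == "!":
        return False  # '!' is the always-deny rule
    # 'or' binds loosest, 'and' tighter; no parentheses or 'not' in this toy
    for disjunct in expr.split(" or "):
        if all(_check_atom(a, rules, creds) for a in disjunct.split(" and ")):
            return True
    return False

def enforce(policy_text, action, creds):
    """Decide whether `creds` may perform `action` under the given policy.json."""
    return check_rule(json.loads(policy_text), action, creds)

if __name__ == "__main__":
    for who, creds in (("member", {"roles": ["member"]}), ("admin", {"roles": ["admin"]})):
        for action in ("upload_image", "delete_image", "publicize_image"):
            print("%-6s %-16s %s" % (who, action, enforce(POLICY_JSON, action, creds)))
```

The point of the toy is that Keystone only tells the service which roles the token carries; the allow/deny decision for each action lives in the service's own policy file, which is why changing what a role may do means editing that file rather than Keystone.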


Seen: 2,389 times

Last updated: Apr 17 '14