Keystone comprises several services. We will look at each of them and what it does, but first, let's take a quick look at the Keystone architecture:
In the preceding diagram, you can see the different subsystems of the service and the common components that are shared with other parts of OpenStack. Most OpenStack components use the MySQL server, so it is classified as OpenStack Common. The LDAP service is optional and, from an enterprise tool-set perspective, is usually a shared directory that already exists rather than something Keystone owns.
Identity verifies the credentials of users and user groups and holds their data. It can store user data in the local database (MySQL), or it can connect to LDAP to read it. With the local database, this service can perform the full set of CRUD (Create, Read, Update, and Delete) operations on users and groups; in LDAP-backed deployments the directory normally remains the authoritative store, and Keystone is configured to read from it rather than write to it.
Resource is similar to identity, but it manages resources such as projects and domains. The LDAP-versus-local-database discussion in the preceding section applies here and to assignment as well, with one caveat: later Keystone releases dropped the LDAP backend for resource and assignment data, leaving only the SQL backend for them, so in practice LDAP is a choice for identity data alone.
The assignment service records which roles are granted to which users or groups on which projects or domains; in other words, it answers the question of what role a given identity holds on a given resource.
Policy ties each role name to what holders of that role are authorized to do. It is the authorization engine, driven by rules (classically kept in policy.json), with a rule management interface.
For instance, a user called John Doe tries to log in to the OpenStack environment: the identity subsystem authenticates him, either locally or against LDAP (as configured); the assignment subsystem supplies the roles John holds on the project or domain his session is scoped to; and the policy subsystem decides which actions those roles allow him to perform.
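To make the policy step of that flow concrete, here is an added example that is not Keystone's own code: a small Python evaluator for the rule syntax used in a classic Keystone policy.json, run against a constructed policy and a constructed table of role assignments that stands in for what the assignment subsystem would return. The rule names, user IDs and project IDs are made up for illustration, and the evaluator is a simplified re-implementation of the oslo.policy rule grammar (role checks, attribute checks against the target, rule references, and/or/not with parentheses, the empty allow-all rule and the "!" deny-all rule), not the library itself.

```python
import re

# Constructed sample policy in classic Keystone policy.json syntax: keys are
# API actions or named helper rules, values are rule strings.
POLICY = {
    "default": "rule:admin_required",      # applies to any action not listed
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:get_user": "rule:admin_or_owner",
    "identity:delete_user": "rule:admin_required",
    "identity:get_project": "rule:admin_required or project_id:%(project_id)s",
    "identity:list_regions": "",           # empty rule: anyone may call it
    "identity:delete_domain": "!",         # "!": nobody may call it
}
# Constructed role assignments, (user_id, project_id) -> roles; stands in for
# what the assignment subsystem would return.
ASSIGNMENTS = {("jdoe", "proj-a"): {"member"}, ("alice", "proj-a"): {"admin"}}
# Tokens are "(", ")" or an atom; "%(attr)s" inside an atom keeps its parens.
TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)|[^\s()])+")
MAX_DEPTH = 20  # stops a self-referencing rule ("rule:a" -> "rule:a")


def credentials_for(user_id, project_id):
    """Credential dict the policy engine sees once identity has authenticated
    the user and assignment has supplied the roles on the scoped project."""
    roles = ASSIGNMENTS.get((user_id, project_id), set())
    return {"user_id": user_id, "project_id": project_id, "roles": sorted(roles)}

def _check(atom, target, creds, depth):
    """Evaluate one 'kind:match' atom in the style of oslo.policy checks."""
    if atom == "":
        return True                      # allow-all
    if atom == "!":
        return False                     # deny-all
    kind, _, match = atom.partition(":")
    if kind == "rule":                   # reference to another named rule
        return _evaluate(POLICY.get(match, "!"), target, creds, depth + 1)
    if kind == "role":                   # role membership, case-insensitive
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:                                 # generic check: expand %(attr)s from
        expected = match % target        # the target and compare with creds
    except KeyError:
        return False                     # target lacks the attribute
    return kind in creds and str(creds[kind]) == expected

def _evaluate(rule, target, creds, depth=0):
    """Recursive descent: 'or' binds loosest, then 'and', then 'not', with
    parentheses.  Both operands are always parsed so malformed rules fail."""
    if depth > MAX_DEPTH:
        raise RecursionError("rule nesting too deep (cycle?): %r" % rule)
    tokens = TOKEN.findall(rule)
    if not tokens:
        return True                      # empty rule string: allow-all
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of rule: %r" % rule)
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        tok = take()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses: %r" % rule)
            return value
        return _check(tok, target, creds, depth)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in rule: %r" % rule)
    return result

def enforce(action, target, creds):
    """True if creds may perform action on target.  Unlisted actions fall back
    to the 'default' rule, the same fallback a real policy.json relies on."""
    return _evaluate(POLICY.get(action, POLICY.get("default", "!")), target, creds)
```

Two things worth checking in a real policy file follow directly from the evaluator: an empty rule string allows every caller, and any action the file does not list falls back to the default rule, so an overly permissive default silently opens every API that was forgotten. The depth guard exists because a rule that references itself would otherwise recurse forever.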