Proceedings of ISP RAS

Openstack Keystone identification service drop-in replacement

Axenova E.L. (ISP RAS, Moscow, Russia) Shvetsova V.V. (ISP RAS, Moscow, Russia)
Borisenko O.D. (ISP RAS, Moscow, Russia)
Bogomolov I.V. (ISP RAS, Moscow, Russia)


The paper is dedicated to architecture and scalability principles for developed service intended to be a drop-in replace for Openstack Keystone. Openstack Keystone is the central identification and service catalogue service for clouds based on Openstack. Previous papers indicated problems of this service: it uses RDBMS (MariaDB/MySQL/PostgreSQL) as a data storage. Since each service and each user gets a token to have access to Openstack cloud and tokens are periodically revoked by the system, token generation is a critical function for the whole cloud. As soon as Keystone queries DBMS for getting user or service identification hashes and recomputes this hash upon the user-provided data, there is a bottleneck based on Keystone architecture. Each Keystone process has separate session with DBMS and since the recommended way is to use Galera cluster thus the DBMS part is limited to the slowest DBMS node since Galera provides High-Availability not the performance scale. Our approach is based on API Gateway Kong and its scalability through Apache Cassandra usage as a data store. Drop-in replacement is implemented as Lua plugin inside Kong API Gateway and implements Keystone V3 API.


Openstack Keystone; Apache Cassandra; Kong; API Gateway; Lua; cloud platform


Proceedings of the Institute for System Programming, vol. 29, issue 6, 2017, pp. 203-212.

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2017-29(6)-11

Full text of the paper in pdf (in Russian) Back to the contents of the volume