Openstack Keystone
Transcript of Openstack Keystone
Presenter: Adam Young
Openstack Keystone:
Deep Dive &
Coming Attractions
Adam Young, Senior Software Engineer, Cloud, Red Hat. July 24th, 2012
Agenda
● Overview
● Code Layout
● Tokens
● Folsom Blueprints
Openstack Overview
Keystone: Identity Management Server
Keystone Domain Model
Code Layout
WSGI Mapping
Contrib
● Authorization Mechanism
  ● EC2 -> Token
  ● S3 -> Token
  ● Swift
● CRUD
  ● Admin
    ● Services
    ● Endpoints
    ● Roles
  ● User:
    ● Change Password
Persistence Backends
● KVS: Key Value Store
  ● In Memory
  ● Memcached
● SQL
  ● SQLite and MySQL
  ● Postgres (WIP)
● LDAP
  ● Identity only
  ● Start for Active Directory
Tokens
● UUID
● Stored in DB
● Verified Online
● Shared Secret
Token: Request
Token: Authenticated
Token: Request for Service
Token: Verification
Token: Verified
Token: Response from Service
Auth Token Middleware
EC2 Token Middleware
Tokens: Pros and Cons
● Pros
  ● Instantly revocable
  ● Small (ish)
● Cons
  ● Needs network to verify
  ● Keystone becomes chokepoint
  ● Is UUID random?
Chattiest Part of Openstack
Folsom Blueprints
Keystone API V3
● Emphasize URLs: Fully Qualified Resource Location
● Rename Tenants back to Projects
● Clear associations between projects, users and credentials
● Policy implementation specific API
● Many Aspects Deferred
● Priority for Grizzly
PKI Signed Tokens: Implementation
● Cryptographically Signed Text
  ● Cryptographic Message Syntax (S/MIME)
  ● Signed text is the contents of the “Verify” response
  ● Signed with Keystone Private Key
  ● Verified using
    ● OpenSSL
    ● Public Certificate
● Can also be verified using HTTP
PKI Signed Tokens: Crypto Commands
● Sign
openssl cms -sign -in auth_token.json -nosmimecap -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts -noattr -out auth_token.signed
● Verify
openssl cms -verify -in auth_token.signed -certfile cert.pem -out signedtext.txt -CAfile cacert.pem -inform DER
Token: Online Verification
Token: Offline Verification
Domains:
● ayoung@stoughton vs ayoung@canton
● Currently One implicit domain
● Grant access from one domain to a ten^H^H^H project in another domain
● Finer grained administration
● True Multiple Tenancy
Policy/Role Based Access Control
● Replace “isAdmin”
  ● Currently in Nova
  ● Belongs in Keystone
● Register for service:
  ● Roles
  ● Capabilities
● Multiple Tenants and Roles
● Policy is in Keystone
  ● Enforcement is on the shoulders of Glance, Nova etc.
Links
http://keystone.openstack.org/
https://blueprints.launchpad.net/keystone/
https://docs.google.com/document/d/1VP-bTBbwsn6q-rDzuS9CEKb2ubE1VjbWRFd4BkkjoOY/edit
Image Attributions
● http://www.flickr.com/photos/jronaldlee/5216040554/lightbox/
● http://th07.deviantart.net/fs70/PRE/i/2010/098/7/2/Robot_Blueprints_01_by_jordanoth.jpg
● http://followinglesley.files.wordpress.com/2011/03/fake-ttc-tokens.jpg
● http://commons.wikimedia.org/wiki/File:Scroll_Bridge_Keystone_-_geograph.org.uk_-_1299995.jpg
● http://commons.wikimedia.org/wiki/File:Keystone_Grange_of_Barry_bridge_-_geograph.org.uk_-_395082.jpg
● http://xkcd.com/378/
● http://fc00.deviantart.net/fs51/f/2009/322/1/7/signed__sealed____by_kat013.jpg
● http://th01.deviantart.net/fs71/PRE/f/2012/090/2/a/alnwick_castle_by_newcastlemale-d4uie0a.jpg
● http://3.bp.blogspot.com/_V4w18ZWaPas/TN3LvAzfGEI/AAAAAAAAG_Y/YgnCvp9Na08/s1600/Fake-TTC-Tokens.jpg
● http://en.wikipedia.org/wiki/File:Doorman.JPG