Oct 2012 state of project keystone
OpenStack Design Summit - Grizzly: State of the Project - Keystone

Usage Rights: CC Attribution-NonCommercial License

Presentation Transcript

  • 1. Tuesday, October 16, 12
  • 2. OpenStack Identity, State of the Project: Keystone
    Joe Heck, Project Technical Lead
  • 3. me... Joe Heck, @heckj (map slide: "grew up here", "choose to live here")
  • 4. Outline
    ‣ Why keystone
    ‣ What is keystone
    ‣ Basic concepts
    ‣ High level architecture
    ‣ Keystone history review
    ‣ Grizzly plans
  • 5. Why Keystone
    ‣ the first “openstack common”
    ‣ common internal API expressing relevant identity information to OpenStack projects
    ‣ need for knowledge of OpenStack service endpoints
  • 6. What is Keystone
    ‣ single source of authentication, authorization
    ‣ same account and credentials for starting a VM instance and accessing a container in object storage
    ‣ enforcement of authorization policies at the service level, not centralized
    ‣ means of expressing API endpoints
    ‣ basic service catalog
  • 7. What is Keystone - core internal services
    ‣ identity
    ‣ policy
    ‣ token
    ‣ catalog
  • 8. Basic Concepts - Identity
    ‣ Tenant == Project
        ‣ basic unit of ownership
        ‣ collection of resources (vm, volume, container, etc)
    ‣ User
        ‣ individual or service
        ‣ identified by basic credentials
    ‣ Role
        ‣ named relationship between a user and a tenant
  • 9. Basic Concepts - Policy
    ‣ Policy file - private/internal in Essex
        ‣ Nova, Glance, and Keystone
        ‣ extending to Cinder, Quantum
    ‣ Simple rule based mechanism for expressing authorization
    ‣ Enforcement at the services
  • 10. Basic Concepts - Token
    ‣ Token
        ‣ arbitrary string to be used in HTTP headers
        ‣ identity associated with token retrievable by other OpenStack services
    ‣ token (what it resolves to)
        ‣ user, tenant, roles
        ‣ catalog
  • 11. Basic Concepts - Catalog
    ‣ service --> endpoint
    ‣ OpenStack Services
        ‣ identity
        ‣ compute
        ‣ volume
        ‣ image
        ‣ ec2
        ‣ object-store
  • 12. TOKEN: 87d45c4c6e9b445997da68f399b49704
    (the slide shows the token response as a Python dict dump with its quotes lost; rendered here as JSON, with the services the slide elides still elided)
    {"access": {
       "serviceCatalog": [
         {"endpoints": [{"adminURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                         "internalURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                         "publicURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                         "region": "RegionOne"}],
          "endpoints_links": [], "name": "Volume Service", "type": "volume"},
         {"endpoints": [{"adminURL": "http://image:9292/v1",
                         "internalURL": "http://image:9292/v1",
                         "publicURL": "http://image:9292/v1",
                         "region": "RegionOne"}],
          "endpoints_links": [], "name": "Image Service", "type": "image"},
         ... ... ...
         {"endpoints": [{"adminURL": "http://ident:35357/v2.0",
                         "internalURL": "http://ident:5000/v2.0",
                         "publicURL": "http://ident:5000/v2.0",
                         "region": "RegionOne"}],
          "endpoints_links": [], "name": "Identity Service", "type": "identity"}],
       "token": {"expires": "2012-04-19T00:06:53Z",
                 "id": "87d45c4c6e9b445997da68f399b49704",
                 "tenant": {"description": null, "enabled": true,
                            "id": "c566cb3adfab4f4a859250f4f7d4f56c", "name": "demo"}},
       "user": {"id": "30e5d97149cf4621b9dbeb7681917aed", "name": "frank",
                "roles": [{"id": "089c23c4f82f4c9d8882f6919dd51103", "name": "Admin"},
                          {"id": "da104b278a2b463e89dd5e072740702e", "name": "Member"}],
                "roles_links": [], "username": "frank"}}}
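Slides 9, 10 and 12 together describe what a service actually does with a token: it resolves the opaque token id to a user, tenant, roles and catalog, and then enforces its own policy file against those roles, since Keystone only supplies the identity information and does not make the authorization decision. The following is an added example, not Keystone's code or the code of any OpenStack service. It embeds a constructed copy of the slide-12 token body (the elided services are dropped, not invented), and its policy evaluator is a simplified re-implementation of the list-of-lists rule format used by the Essex/Folsom-era policy files (outer list = OR, inner list = AND); the rule names and the "volume:delete" / "volume:create" actions are assumptions for illustration.

```python
"""Added example: consuming a Keystone v2.0 token response in a service.

Not Keystone's own code. Models three steps a service takes:
  1. reject the token if it has expired,
  2. turn the token body into a request context (user, tenant, roles),
  3. evaluate a rule from the service's own policy file against that context.
Policy evaluator: simplified re-implementation of the Essex-era
list-of-lists format (outer list = OR, inner list = AND). Rule names
and actions below are assumptions, not from the slides.
"""
import datetime
import json

# Constructed sample, abbreviated from the slide-12 token response.
SAMPLE_ACCESS = json.loads("""
{"access": {
  "serviceCatalog": [
    {"endpoints": [{"adminURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                    "internalURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                    "publicURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                    "region": "RegionOne"}],
     "endpoints_links": [], "name": "Volume Service", "type": "volume"},
    {"endpoints": [{"adminURL": "http://ident:35357/v2.0",
                    "internalURL": "http://ident:5000/v2.0",
                    "publicURL": "http://ident:5000/v2.0",
                    "region": "RegionOne"}],
     "endpoints_links": [], "name": "Identity Service", "type": "identity"}],
  "token": {"expires": "2012-04-19T00:06:53Z",
            "id": "87d45c4c6e9b445997da68f399b49704",
            "tenant": {"description": null, "enabled": true,
                       "id": "c566cb3adfab4f4a859250f4f7d4f56c", "name": "demo"}},
  "user": {"id": "30e5d97149cf4621b9dbeb7681917aed", "name": "frank",
           "roles": [{"id": "089c23c4f82f4c9d8882f6919dd51103", "name": "Admin"},
                     {"id": "da104b278a2b463e89dd5e072740702e", "name": "Member"}],
           "roles_links": [], "username": "frank"}}}
""")

# Assumed policy file of a hypothetical volume service (illustration only).
# An empty inner list ([[]]) would match anything, as in the real format.
SAMPLE_POLICY = {
    "admin_required": [["role:admin"]],
    "admin_or_owner": [["rule:admin_required"], ["tenant_id:%(tenant_id)s"]],
    "volume:delete": [["rule:admin_or_owner"]],
    "volume:create": [["role:member"], ["rule:admin_required"]],
}


def utc_from_iso(text):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form Keystone uses for 'expires'."""
    return datetime.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def token_expired(access, now):
    """Step 1: a token is dead at or after its 'expires' timestamp (UTC)."""
    return now >= utc_from_iso(access["access"]["token"]["expires"])


def context_from_token(access):
    """Step 2: the identity a service attaches to the request."""
    user = access["access"]["user"]
    tenant = access["access"]["token"]["tenant"]
    return {
        "user_id": user["id"],
        "tenant_id": tenant["id"],
        # Role names are compared case-insensitively by the policy checks.
        "roles": [r["name"].lower() for r in user["roles"]],
    }


def endpoint_for(access, service_type, interface="publicURL", region=None):
    """Catalog lookup: service type -> URL of the requested interface."""
    for svc in access["access"]["serviceCatalog"]:
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if region is None or ep["region"] == region:
                return ep[interface]
    return None


def _check(rules, check, creds, target):
    """One 'kind:match' atom of a rule."""
    kind, match = check.split(":", 1)
    if kind == "rule":                      # reference to another named rule
        return enforce(rules, match, creds, target)
    if kind == "role":                      # role held by the caller
        return match.lower() in creds["roles"]
    try:                                    # generic attribute check, e.g.
        wanted = match % target             # tenant_id:%(tenant_id)s
    except KeyError:
        return False
    return wanted == str(creds.get(kind))


def enforce(rules, action, creds, target):
    """Step 3: OR over alternatives, AND within each. Unknown action -> deny."""
    alternatives = rules.get(action)
    if alternatives is None:
        return False
    return any(all(_check(rules, c, creds, target) for c in conj)
               for conj in alternatives)


def authorize(rules, action, access, target, now):
    """Expiry is checked before any policy rule is consulted."""
    if token_expired(access, now):
        return False
    return enforce(rules, action, context_from_token(access), target)
```

In a Folsom-era deployment the token body above is what the service obtains by validating the X-Auth-Token header against Keystone's administrative endpoint (the adminURL on port 35357 in the catalog), so the check order matters: an expired token is rejected before its roles are ever looked at, and an action with no rule in the file is denied rather than silently allowed. The "tenant_id:%(tenant_id)s" atom is what ties a Member role to ownership of the target resource; the Admin role in frank's token satisfies admin_or_owner for any tenant, which is exactly the kind of blanket grant worth auditing in a policy file.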
  • 13. High Level Architecture
    ‣ Typical OpenStack Pattern
        ‣ WSGI Application, configured with Paste
        ‣ URI routes mapped to configurable backends
    ‣ Configurable backends per internal service:
        ‣ SQL
        ‣ LDAP
        ‣ key-value store
        ‣ ...yours...
  • 14. High Level Architecture
    ‣ operational facade to existing systems
        ‣ identity
        ‣ token
        ‣ policy
        ‣ catalog
  • 15. Supported Backends
    ‣ Identity
        ‣ SQL, LDAP, Active Directory, PAM, KeyValue
    ‣ Catalog
        ‣ SQL, Template, KeyValue
    ‣ Token
        ‣ SQL, Memcache, KeyValue
    ‣ Policy
        ‣ Rules
  • 16. Keystone history : Cactus release and earlier
    ‣ protocols and mechanisms originally disparate in compute and object storage
        ‣ called “auth v1”
    ‣ separate accounts in nova and swift
    ‣ glance using both, highlighted the issue
  • 17. Keystone history : Diablo
    ‣ Aggressively prototyped
    ‣ OpenStack internal token-based HTTP API
    ‣ administrative API, separate ports
    ‣ lots of changes, right up through the release
  • 18. Keystone history : Essex
    ‣ Consolidation
        ‣ re-implemented to simplify and refactor architecture
        ‣ architecture shift to focus on independent drivers
        ‣ migrated to administrative CRUD operations
    ‣ maintained 100% API compatibility
  • 19. Keystone history : Folsom
    ‣ PKI and prep for Grizzly+
        ‣ Enabled PKI based tokens
    ‣ kept everything rock solid
        ‣ maintained 100% API compatibility
        ‣ Resolved bugs, dealt with security issues as they were uncovered
    ‣ lessons learned led to a V3 identity API
        ‣ started implementation on V3 API
  • 20. Keystone future : Grizzly
    ‣ Implement V3 API
        ‣ auth changes affect and impact every project
    ‣ consolidate code into Oslo (openstack-common)
    ‣ help drive consolidated policy and roles changes through all projects
        ‣ Consolidate policy files
    ‣ focus on documentation, example configurations
  • 21. Keystone future : Grizzly
    ‣ Extend the authorization mechanisms
        ‣ support delegation/impersonation
    ‣ ActiveDirectory support
    ‣ externalizing authentication
    ‣ Moving default token to PKI
    ‣ CLI and common authentication
  • 22. Keystone future : Grizzly (learning)
    ‣ Federation
        ‣ Discussion of use cases and setup
    ‣ Learn what’s needed to fully support trust delegation
  • 23. Joe Heck (@heckj, heckj@mac.com) fini