Tuesday, October 16, 12

OpenStack Identity: State of the Project: Keystone
Joe Heck, Project Technical Lead (@heckj)
Oct 2012 state of project keystone
OpenStack Design Summit - Grizzly: State of the Project - Keystone
Slides (transcript; each slide carried the footer "Tuesday, October 16, 12", shown once below)

Slide 1. Tuesday, October 16, 12

Slide 2. OpenStack Identity: State of the Project: Keystone
  Joe Heck, Project Technical Lead

Slide 3. me...
  Joe Heck, @heckj
  map captions: "choose to live here", "grew up here"

Slide 4. Outline
  ‣ Why keystone
  ‣ What is keystone
  ‣ Basic concepts
  ‣ High level architecture
  ‣ Keystone history review
  ‣ Grizzly plans

Slide 5. Why Keystone
  ‣ the first “openstack common”
  ‣ common internal API expressing relevant identity information to OpenStack projects
  ‣ need for knowledge of OpenStack service endpoints

Slide 6. What is Keystone
  ‣ single source of authentication, authorization
    ‣ same account and credentials for starting a VM instance and accessing a container in object storage
  ‣ enforcement of authorization policies at the service level, not centralized
  ‣ means of expressing API endpoints
    ‣ basic service catalog

Slide 7. What is Keystone - core internal services
  ‣ identity
  ‣ policy
  ‣ token
  ‣ catalog

Slide 8. Basic Concepts - Identity
  ‣ Tenant == Project
    ‣ basic unit of ownership
    ‣ collection of resources (vm, volume, container, etc)
  ‣ User
    ‣ individual or service
    ‣ identified by basic credentials
  ‣ Role
    ‣ named relationship between a user and tenant

Slide 9. Basic Concepts - Policy
  ‣ Policy file - private/internal in Essex
    ‣ Nova, Glance, and Keystone
    ‣ extending to Cinder, Quantum
  ‣ Simple rule based mechanism for expressing authorization
  ‣ Enforcement at the services
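Slide 9 says policy is a simple rule-based mechanism enforced by each service rather than centrally in Keystone. The following is an added illustration written for this page, not Keystone's or any OpenStack service's code: a small evaluator for a rule table in a simplified form of the JSON policy files OpenStack services used in that era (a rule is a list of alternatives, each a list of checks that must all pass). The rule names, the credential fields and the volume record are invented for the example; the user "frank" and tenant ids are taken from slide 12.

```python
"""Service-side policy enforcement: a rule table evaluated by the service that
owns the resource, using the identity (user, tenant, roles) pulled from a
validated token. Added example; rule syntax is a simplified, assumed form."""

# A rule is a list of alternatives (any may pass); each alternative is a list of
# checks that must all pass. Check forms handled here:
#   "rule:<name>"          -> evaluate another named rule
#   "role:<name>"          -> the caller holds that role (compared case-insensitively here)
#   "<attr>:%(<target>)s"  -> caller attribute equals the target resource's attribute
#   "<attr>:<literal>"     -> caller attribute equals a literal value
POLICY = {  # constructed for this example
    "admin_required": [["role:admin"]],
    "admin_or_owner": [["rule:admin_required"], ["tenant_id:%(tenant_id)s"]],
    "volume:create": [["role:member"], ["rule:admin_required"]],
    "volume:delete": [["rule:admin_or_owner"]],
    "volume:get_all_tenants": [["is_admin:True"]],
}


def _check(policy, check, creds, target, depth):
    kind, _, value = check.partition(":")
    if kind == "rule":
        return _evaluate(policy, policy.get(value, []), creds, target, depth + 1)
    if kind == "role":
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    if value.startswith("%(") and value.endswith(")s"):
        key = value[2:-2]
        return key in target and str(creds.get(kind)) == str(target[key])
    return str(creds.get(kind)) == value


def _evaluate(policy, alternatives, creds, target, depth=0):
    if depth > 10:  # a policy that references itself must fail closed, not recurse forever
        return False
    return any(all(_check(policy, c, creds, target, depth) for c in alt)
               for alt in alternatives)


def enforce(policy, action, creds, target):
    """True if creds may perform action on target. Actions with no rule are denied."""
    if action not in policy:
        return False
    return _evaluate(policy, policy[action], creds, target)


def creds_from_token(identity):
    """Map what a validated token carries (user, tenant, roles) to policy credentials.
    is_admin is derived here, for the example only, from holding the Admin role."""
    roles = identity["roles"]
    return {
        "user_id": identity["user_id"],
        "tenant_id": identity["tenant_id"],
        "roles": roles,
        "is_admin": any(r.lower() == "admin" for r in roles),
    }


# frank (Admin, Member in tenant "demo") as shown on slide 12
FRANK = creds_from_token({"user_id": "30e5d97149cf4621b9dbeb7681917aed",
                          "tenant_id": "c566cb3adfab4f4a859250f4f7d4f56c",
                          "roles": ["Admin", "Member"]})
# constructed second user: Member only, in a different tenant
ALICE = creds_from_token({"user_id": "constructed-user-id",
                          "tenant_id": "constructed-tenant-id",
                          "roles": ["Member"]})
# constructed resource owned by the demo tenant
DEMO_VOLUME = {"id": "constructed-volume-id",
               "tenant_id": "c566cb3adfab4f4a859250f4f7d4f56c"}

if __name__ == "__main__":
    for who, creds in (("frank", FRANK), ("alice", ALICE)):
        print(who, "volume:delete on demo volume ->",
              enforce(POLICY, "volume:delete", creds, DEMO_VOLUME))
```

The point of the shape is that Keystone never sees DEMO_VOLUME: ownership checks compare a token attribute against an attribute of the resource the service itself holds, which is why enforcement has to live in the service.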
Slide 10. Basic Concepts - Token
  ‣ Token
    ‣ arbitrary string to be used in HTTP headers
    ‣ identity associated with token retrievable by other OpenStack services
  ‣ token
    ‣ user, tenant, roles
    ‣ catalog

Slide 11. Basic Concepts - Catalog
  ‣ service --> endpoint
  ‣ OpenStack Services
    ‣ identity
    ‣ compute
    ‣ volume
    ‣ image
    ‣ ec2
    ‣ object-store
Slide 12. TOKEN: 87d45c4c6e9b445997da68f399b49704
  The slide shows the token response as a printed Python 2 dict; the quote characters were lost in extraction and are restored here, and the slide's "..." elision of the middle catalog entries is kept:

  {u'access': {u'serviceCatalog': [
      {u'endpoints': [{u'adminURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                       u'internalURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                       u'publicURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                       u'region': u'RegionOne'}],
       u'endpoints_links': [], u'name': u'Volume Service', u'type': u'volume'},
      {u'endpoints': [{u'adminURL': u'http://image:9292/v1',
                       u'internalURL': u'http://image:9292/v1',
                       u'publicURL': u'http://image:9292/v1',
                       u'region': u'RegionOne'}],
       u'endpoints_links': [], u'name': u'Image Service', u'type': u'image'},
      ... ... ...
      {u'endpoints': [{u'adminURL': u'http://ident:35357/v2.0',
                       u'internalURL': u'http://ident:5000/v2.0',
                       u'publicURL': u'http://ident:5000/v2.0',
                       u'region': u'RegionOne'}],
       u'endpoints_links': [], u'name': u'Identity Service', u'type': u'identity'}],
    u'token': {u'expires': u'2012-04-19T00:06:53Z',
               u'id': u'87d45c4c6e9b445997da68f399b49704',
               u'tenant': {u'description': None, u'enabled': True,
                           u'id': u'c566cb3adfab4f4a859250f4f7d4f56c', u'name': u'demo'}},
    u'user': {u'id': u'30e5d97149cf4621b9dbeb7681917aed', u'name': u'frank',
              u'roles': [{u'id': u'089c23c4f82f4c9d8882f6919dd51103', u'name': u'Admin'},
                         {u'id': u'da104b278a2b463e89dd5e072740702e', u'name': u'Member'}],
              u'roles_links': [], u'username': u'frank'}}}
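Slides 10 to 12 describe what a token resolves to (user, tenant, roles) and how the catalog maps a service type to endpoints. The following added example, written for this page and not taken from Keystone or its client library, walks a response of exactly the shape shown on slide 12 the way a consuming service or client would: check expiry and that the tenant is enabled, resolve a service type to an endpoint URL for a region and interface, and extract the identity. The sample dict reproduces the slide's values (the elided middle catalog entries are left out); the function names are this example's own.

```python
"""Consume a Keystone v2.0 token response of the shape shown on slide 12."""
from datetime import datetime

# Constructed sample, copied from the slide's token response (the services the
# slide elides with "..." are omitted here).
SAMPLE_TOKEN_RESPONSE = {
    "access": {
        "serviceCatalog": [
            {"endpoints": [{"adminURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                            "internalURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                            "publicURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                            "region": "RegionOne"}],
             "endpoints_links": [], "name": "Volume Service", "type": "volume"},
            {"endpoints": [{"adminURL": "http://image:9292/v1",
                            "internalURL": "http://image:9292/v1",
                            "publicURL": "http://image:9292/v1",
                            "region": "RegionOne"}],
             "endpoints_links": [], "name": "Image Service", "type": "image"},
            {"endpoints": [{"adminURL": "http://ident:35357/v2.0",
                            "internalURL": "http://ident:5000/v2.0",
                            "publicURL": "http://ident:5000/v2.0",
                            "region": "RegionOne"}],
             "endpoints_links": [], "name": "Identity Service", "type": "identity"},
        ],
        "token": {"expires": "2012-04-19T00:06:53Z",
                  "id": "87d45c4c6e9b445997da68f399b49704",
                  "tenant": {"description": None, "enabled": True,
                             "id": "c566cb3adfab4f4a859250f4f7d4f56c", "name": "demo"}},
        "user": {"id": "30e5d97149cf4621b9dbeb7681917aed", "name": "frank",
                 "roles": [{"id": "089c23c4f82f4c9d8882f6919dd51103", "name": "Admin"},
                           {"id": "da104b278a2b463e89dd5e072740702e", "name": "Member"}],
                 "roles_links": [], "username": "frank"},
    }
}

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # the UTC format used in the slide's "expires" field


def token_is_valid(response, now_iso):
    """True if the token has not expired at now_iso (same format as 'expires')
    and the tenant it is scoped to is still enabled."""
    tok = response["access"]["token"]
    expires = datetime.strptime(tok["expires"], TIME_FORMAT)
    now = datetime.strptime(now_iso, TIME_FORMAT)
    return now < expires and bool(tok["tenant"]["enabled"])


def find_endpoint(response, service_type, interface="publicURL", region=None):
    """service --> endpoint: resolve a service type (and optional region) to the
    URL for one interface. Returns None when the catalog has no match."""
    for service in response["access"]["serviceCatalog"]:
        if service["type"] != service_type:
            continue
        for endpoint in service["endpoints"]:
            if region is None or endpoint["region"] == region:
                return endpoint.get(interface)
    return None


def identity_from_token(response):
    """The identity another service can retrieve for a token: user, tenant, roles."""
    access = response["access"]
    return {
        "user": access["user"]["name"],
        "user_id": access["user"]["id"],
        "tenant": access["token"]["tenant"]["name"],
        "tenant_id": access["token"]["tenant"]["id"],
        "roles": sorted(role["name"] for role in access["user"]["roles"]),
    }


if __name__ == "__main__":
    print("valid just before expiry:", token_is_valid(SAMPLE_TOKEN_RESPONSE, "2012-04-19T00:06:52Z"))
    print("identity admin endpoint:", find_endpoint(SAMPLE_TOKEN_RESPONSE, "identity", "adminURL"))
    print("identity:", identity_from_token(SAMPLE_TOKEN_RESPONSE))
```

Note the two URLs the identity service advertises: the public/internal endpoint on port 5000 and the admin endpoint on port 35357 (slide 17's "administrative API, separate ports"); a consumer should pick the interface deliberately rather than take the first URL it finds.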
Slide 13. High Level Architecture
  ‣ Typical OpenStack Pattern
    ‣ WSGI Application, configured with Paste
    ‣ URI routes mapped to configurable backends
  ‣ Configurable backends per internal service:
    ‣ SQL
    ‣ LDAP
    ‣ key-value store
    ‣ ...yours...
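Slide 13 states the pattern (a WSGI application whose URI routes dispatch to per-service backends chosen by configuration) without showing it. The following added example, written for this page and not Keystone's code, is a minimal version of that pattern: a route table, a token backend and a catalog backend selected by config keys, and a handler that validates a token presented by another service. The driver names, config keys, route and the requirement that the caller present its own token in X-Auth-Token are all this example's assumptions; the token id and user come from slide 12.

```python
"""A WSGI app whose routes dispatch to configurable backend drivers.
Added illustration of the 'typical OpenStack pattern'; drivers, config keys and
the route are invented for the example."""
import json
import re


class KeyValueTokenDriver:
    """'KeyValue' token backend: the opaque token string is the lookup key."""
    def __init__(self):
        self._store = {}

    def create(self, token_id, identity):
        self._store[token_id] = identity

    def get(self, token_id):
        return self._store.get(token_id)


class TemplateCatalogDriver:
    """'Template' catalog backend: service type -> endpoint from static config."""
    def __init__(self, template):
        self._template = template

    def get_catalog(self):
        return [{"type": t, "publicURL": url} for t, url in self._template.items()]


# driver registry: one slot per internal service, several implementations each
DRIVERS = {
    "token": {"kvs": KeyValueTokenDriver},
    "catalog": {"template": TemplateCatalogDriver},
}


class IdentityApp:
    """WSGI application: a route table maps URIs to handlers; handlers use the
    drivers selected by config (the wiring Paste would do in a real deployment)."""

    def __init__(self, config):
        self.token_api = DRIVERS["token"][config["token_driver"]]()
        self.catalog_api = DRIVERS["catalog"][config["catalog_driver"]](config["catalog_template"])
        self.routes = [
            ("GET", re.compile(r"^/v2.0/tokens/([0-9a-f]{32})$"), self.validate_token),
        ]

    def __call__(self, environ, start_response):
        method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "")
        for route_method, pattern, handler in self.routes:
            match = pattern.match(path)
            if match and method == route_method:
                status, body = handler(environ, *match.groups())
                break
        else:
            status, body = "404 Not Found", {"error": "no such route"}
        payload = json.dumps(body).encode("utf-8")
        start_response(status, [("Content-Type", "application/json"),
                                ("Content-Length", str(len(payload)))])
        return [payload]

    def validate_token(self, environ, token_id):
        """Another service asks what identity a user's token carries. The caller must
        itself present a known token in X-Auth-Token (an arbitrary string in a header)."""
        if self.token_api.get(environ.get("HTTP_X_AUTH_TOKEN", "")) is None:
            return "401 Unauthorized", {"error": "caller token unknown"}
        identity = self.token_api.get(token_id)
        if identity is None:
            return "404 Not Found", {"error": "token not found"}
        return "200 OK", {"access": {"user": identity,
                                     "serviceCatalog": self.catalog_api.get_catalog()}}


def call(app, method, path, headers=None):
    """Drive the WSGI app without a server; returns (status, decoded JSON body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


# Constructed configuration; the identity and image URLs match slide 12.
CONFIG = {
    "token_driver": "kvs",
    "catalog_driver": "template",
    "catalog_template": {"identity": "http://ident:5000/v2.0", "image": "http://image:9292/v1"},
}
SERVICE_TOKEN = "0" * 32  # constructed token for a calling service


def build_app():
    app = IdentityApp(CONFIG)
    app.token_api.create("87d45c4c6e9b445997da68f399b49704",
                         {"name": "frank", "tenant": "demo", "roles": ["Admin", "Member"]})
    app.token_api.create(SERVICE_TOKEN, {"name": "nova", "tenant": "service", "roles": ["service"]})
    return app


if __name__ == "__main__":
    print(call(build_app(), "GET", "/v2.0/tokens/87d45c4c6e9b445997da68f399b49704",
               {"X-Auth-Token": SERVICE_TOKEN}))
```

Swapping "kvs" for another entry in DRIVERS is the only change needed to move the token store somewhere else; the route table and handlers do not know which backend is behind them, which is what lets one deployment use SQL and another LDAP or a key-value store.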
Slide 14. High Level Architecture
  ‣ operational facade to existing systems
    ‣ identity
    ‣ token
    ‣ policy
    ‣ catalog

Slide 15. Supported Backends
  ‣ Identity
    ‣ SQL, LDAP, Active Directory, PAM, KeyValue
  ‣ Catalog
    ‣ SQL, Template, KeyValue
  ‣ Token
    ‣ SQL, Memcache, KeyValue
  ‣ Policy
    ‣ Rules

Slide 16. Keystone history : Cactus release and earlier
  ‣ protocols and mechanisms originally disparate in compute and object storage
    ‣ called “auth v1”
    ‣ separate accounts in nova and swift
  ‣ glance using both, highlighted the issue

Slide 17. Keystone history : Diablo
  ‣ Aggressively prototyped
    ‣ OpenStack internal token-based HTTP API
    ‣ administrative API, separate ports
    ‣ lots of changes, right up through the release

Slide 18. Keystone history : Essex
  ‣ Consolidation
    ‣ re-implemented to simplify and refactor architecture
    ‣ architecture shift to focus on independent drivers
    ‣ migrated to administrative CRUD operations
    ‣ maintained 100% API compatibility

Slide 19. Keystone history : Folsom
  ‣ PKI and prep for Grizzly+
    ‣ Enabled PKI based tokens
    ‣ kept everything rock solid
      ‣ maintained 100% API compatibility
    ‣ Resolved bugs, dealt with security issues as they were uncovered
    ‣ lessons learned led to a V3 identity API
    ‣ started implementation on V3 API

Slide 20. Keystone future : Grizzly
  ‣ Implement V3 API
    ‣ auth changes affect and impact every project
    ‣ consolidate code into Oslo (openstack-common)
    ‣ help drive consolidated policy and roles changes through all projects
  ‣ Consolidate policy files
  ‣ focus on documentation, example configurations

Slide 21. Keystone future : Grizzly
  ‣ Extend the authorization mechanisms
    ‣ support delegation/impersonation
  ‣ ActiveDirectory support
  ‣ externalizing authentication
  ‣ Moving default token to PKI
  ‣ CLI and common authentication

Slide 22. Keystone future : Grizzly (learning)
  ‣ Federation
    ‣ Discussion of use cases and setup
    ‣ Learn what’s needed to fully support trust delegation

Slide 23. fini
  Joe Heck, @heckj, heckj@mac.com