Openstack Keystone
Presentation Transcript

    • Openstack Keystone: Deep Dive & Coming Attractions
      Adam Young, Senior Software Engineer, Cloud, Red Hat
      July 24th, 2012
      Presenter: Adam Young
    • Agenda
      ● Overview
      ● Code Layout
      ● Tokens
      ● Folsom Blueprints
    • Openstack Overview
    • Keystone: Identity Management Server
    • Keystone Domain Model
    • Code Layout
    • WSGI Mapping
    • Contrib
      ● Authorization Mechanism
        ● EC2 -> Token
        ● S3 -> Token
        ● Swift
      ● CRUD
        ● Admin
        ● Services
        ● Endpoints
        ● Roles
        ● User: Change Password
    • Persistence Backends
      ● KVS: Key Value Store
        ● In Memory
        ● Memcached
      ● SQL
        ● SQLite and MySQL
        ● Postgres WIP
      ● LDAP
        ● Identity only
        ● Start for Active Directory
    • Tokens
      ● UUID
      ● Stored in DB
      ● Verified Online
      ● Shared Secret
    • Token: Request
    • Token: Authenticated
    • Token: Request for Service
    • Token: Verification
    • Token: Verified
    • Token: Response from Service
    • Auth Token Middleware
    • EC2 Token Middleware
    • Tokens: Pros and Cons
      ● Pros
        ● Instantly Revocable
        ● Small (ish)
      ● Cons
        ● Needs network to verify
        ● Keystone becomes chokepoint
        ● Is UUID Random?
        ● Chattiest Part of Openstack
    • Folsom Blueprints
    • Keystone API V3
      ● Emphasize URLs: fully Qualified Resource Location
      ● Rename Tenants back to Projects
      ● Clear associations between projects, users and credentials
      ● Policy implementation specific API
      ● Many Aspects Deferred
      ● Priority for Grizzly
    • PKI Signed Tokens: Implementation
      ● Cryptographically Signed Text
        ● Cryptographic Message Syntax (CMS, S/MIME)
      ● Contents of “Verify”
      ● Signed with Keystone Private Key
      ● Verified using
        ● OpenSSL
        ● Public Certificate
      ● Can also be verified using HTTP
    • PKI Signed Tokens: Crypto Commands
      ● Sign
        openssl cms -sign -in auth_token.json -nosmimecap -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts -noattr -out auth_token.signed
      ● Verify
        openssl cms -verify -in auth_token.signed -certfile cert.pem -out signedtext.txt -CAfile cacert.pem -inform DER
    • Token: Online Verification
    • Token: Offline Verification
    • Domains:
      ● ayoung@stoughton vs ayoung@canton
      ● Currently One implicit domain
      ● Grant access from one domain to a ten^H^H^H project in another domain
      ● Finer grained administration
      ● True Multiple Tenancy
    • Policy/Role Based Access Control
      ● Replace “isAdmin”
        ● Currently in Nova
        ● Belongs in Keystone
      ● Register for service:
        ● Roles
        ● Capabilities
      ● Multiple Tenants and Roles
      ● Policy is in Keystone
      ● Enforcement is on the shoulders of Glance, Nova etc.
    • Links
      http://keystone.openstack.org/
      https://blueprints.launchpad.net/keystone/
      https://docs.google.com/document/d/1VP-bTBbwsn6q-rDzuS9CEKb2ubE1VjbWRFd4BkkjoOY/edit
    • Image Attributions
      ● http://www.flickr.com/photos/jronaldlee/5216040554/lightbox/
      ● http://th07.deviantart.net/fs70/PRE/i/2010/098/7/2/Robot_Blueprints_01_by_jordanoth.jpg
      ● http://followinglesley.files.wordpress.com/2011/03/fake-ttc-tokens.jpg
      ● http://commons.wikimedia.org/wiki/File:Scroll_Bridge_Keystone_-_geograph.org.uk_-_1299995.jpg
      ● http://commons.wikimedia.org/wiki/File:Keystone_Grange_of_Barry_bridge_-_geograph.org.uk_-_395082.jpg
      ● http://xkcd.com/378/
      ● http://fc00.deviantart.net/fs51/f/2009/322/1/7/signed__sealed____by_kat013.jpg
      ● http://th01.deviantart.net/fs71/PRE/f/2012/090/2/a/alnwick_castle_by_newcastlemale-d4uie0a.jpg
      ● http://3.bp.blogspot.com/_V4w18ZWaPas/TN3LvAzfGEI/AAAAAAAAG_Y/YgnCvp9Na08/s1600/Fake-TTC-Tokens.jpg
      ● http://en.wikipedia.org/wiki/File:Doorman.JPG
      Presenter: Adam Young
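The sign and verify commands from the "PKI Signed Tokens: Crypto Commands" slide, run end to end as an added example (this is not code from the slides or from the Keystone project). It assumes `openssl` is on PATH, generates a throwaway self-signed certificate that stands in for the Keystone signing certificate and, being self-signed, doubles as cacert.pem; it then signs a constructed token document, verifies it with nothing but the public certificate (the "Token: Offline Verification" case), and finally overwrites the user name inside the signed blob to show that a modified token is rejected locally. The auth_token.json contents, the certificate subject and the helper function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the slides or from Keystone: exercises the slide's
# openssl cms sign/verify pair with a throwaway key, then shows a tampered
# token failing offline verification with no call back to Keystone.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed stand-in for the auth_token.json Keystone would sign
# (assumption: a real token document is much larger). No trailing newline,
# so the S/MIME text canonicalisation done by "cms -sign" changes nothing.
printf '%s' '{"access": {"token": {"id": "placeholder", "expires": "2012-07-25T00:00:00Z"}, "user": {"name": "demo"}}}' > auth_token.json

# Throwaway signing key and self-signed cert standing in for the Keystone
# signing key; the same cert is copied to cacert.pem to act as trust anchor.
make_signing_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
    -subj "/CN=keystone-signing-example" -days 1 >/dev/null 2>&1
  cp cert.pem cacert.pem
}

# Sign: the slide's command. -nodetach embeds the JSON inside the CMS blob;
# -nocerts leaves the signer cert out of it, so every verifier must already
# hold cert.pem (which is the point of offline verification).
sign_token() {
  openssl cms -sign -in "$1" -nosmimecap -signer cert.pem -inkey key.pem \
    -outform DER -nodetach -nocerts -noattr -out "$2"
}

# Verify: the slide's command. Exit status 0 means the signature checked out
# against cert.pem/cacert.pem and the embedded JSON was written to $2.
verify_token() {
  openssl cms -verify -in "$1" -certfile cert.pem -out "$2" \
    -CAfile cacert.pem -inform DER >/dev/null 2>&1
}

# Overwrite the user name inside the signed blob with a same-length value, so
# the DER structure stays valid and only the signature check can catch it.
tamper_token() {
  off=$(LC_ALL=C grep -boa '"demo"' "$1" | head -n 1 | cut -d: -f1)
  cp "$1" "$2"
  printf '"root"' | dd of="$2" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

# Demo run.
make_signing_cert
sign_token auth_token.json auth_token.signed
verify_token auth_token.signed signedtext.txt
echo "valid token, payload: $(cat signedtext.txt)"
tamper_token auth_token.signed tampered.signed
if verify_token tampered.signed /dev/null; then
  echo "ERROR: tampered token verified"
  exit 1
else
  echo "tampered token rejected offline"
fi
```

Nothing in `verify_token` talks to Keystone, which is exactly the trade the slides describe: the service stops being a chokepoint and the "needs network to verify" con disappears, but a token revoked before its expiry still verifies here, so an offline verifier needs a separate revocation signal or short token lifetimes to regain the "instantly revocable" property of the database-backed UUID tokens.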