OpenStack keystone identity service
    Presentation Transcript

    • OPENSTACK KEYSTONE IDENTITY SERVICE
      Kavit Munshi, CTO, Aptira
    • WHAT IS KEYSTONE?
      Keystone is an OpenStack project that provides Identity, Token, Catalog and Policy services for use specifically by projects in the OpenStack family. It implements OpenStack’s Identity API.
      The Identity service has two primary functions:
      - User management: keep track of users and what they are permitted to do
      - Service catalog: provide a catalog of what services are available and where their API endpoints are located
    • KEYSTONE ARCHITECTURE
      Keystone is organized as a group of internal services exposed on one or many endpoints.
      1) Identity: The Identity service provides auth credential validation and data about Users, Tenants and Roles, as well as any associated metadata.
      2) Token: The Token service validates and manages Tokens used for authenticating requests once a user/tenant’s credentials have already been verified.
      3) Catalog: The Catalog service provides an endpoint registry used for endpoint discovery.
      4) Policy: The Policy service provides a rule-based authorization engine.
    • KEYSTONE ARCHITECTURE
      Each of the services can be configured to use a backend, which allows Keystone to fit a variety of environments and needs. The backend for each service is defined in the keystone.conf file.
      1) KVS Backend: A simple backend interface meant to be further backended on anything that can support primary key lookups.
      2) SQL Backend: A SQL-based backend using SQLAlchemy to store data persistently.
      3) PAM Backend: Extra simple backend that uses the current system’s PAM service to authenticate, providing a one-to-one relationship between Users and Tenants.
      4) LDAP Backend: The LDAP backend stores Users and Tenants in separate subtrees.
      5) Templated Backend: A simple template used to configure Keystone.
    • KEYSTONE ARCHITECTURE
      Keystone Architecture Logical Diagram
    • KEYSTONE ARCHITECTURE
    • KEYSTONE FLOWCHART
    • KEYSTONE USER MANAGEMENT
      The three main concepts of Identity user management are:
      1) Users: A user represents a human user, and has associated information such as username, password and email.
      2) Tenants: A tenant can be thought of as a project, group, or organization. Whenever you make requests to OpenStack services, you must specify a tenant.
      3) Roles: A role captures what operations a user is permitted to perform in a given tenant.
    • KEYSTONE SERVICE MANAGEMENT
      Keystone also acts as a service catalog to let other OpenStack systems know where relevant API endpoints exist for OpenStack Services. The two main concepts of Identity service management are:
      - Services
      - Endpoints
      The Identity service also maintains a user that corresponds to each service (e.g., a user named nova, for the Compute service) and a special service tenant, which is called service.
    • INSTALLING AND SETTING UP KEYSTONE
      Keystone can be installed either from source or from platform-specific packages available with various distributions. For the purposes of this presentation we will use Ubuntu 12.04 with the platform-specific packages available in the repositories.
      - sudo apt-get install keystone
      - sudo apt-get install python-mysqldb mysql-server (install mysqldb to replace the default SQLite DB)
      - mysql> CREATE DATABASE keystone; (create the MySQL database for keystone to use)
      - mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '[YOUR_KEYSTONE_PASSWORD]'; (create the MySQL user that accesses the keystone DB)
      - Change the connection line in /etc/keystone.conf: connection = mysql://keystone:[YOUR_KEYSTONE_PASSWORD]@[YOUR_KEYSTONE_SERVER]/keystone
      - admin_token = 012345SECRET99TOKEN012345 (set the service token in keystone.conf)
      - service keystone restart (restart the keystone service to apply the changes)
      - keystone-manage db_sync (initialise the new keystone database)
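The two slides above say which values go into keystone.conf (the backend driver per service, the SQL connection string and the admin_token) but show them being edited by hand. The script below is an added example, not part of the presentation or of the Keystone project: it applies those settings with a small section-aware INI editor, replaces the slide's fixed sample admin_token with a freshly generated random one, and leaves the file readable only by its owner, since both the connection string and the token are credentials. The section names `[DEFAULT]`, `[sql]` and `[identity]` and the driver path `keystone.identity.backends.sql.Identity` are assumptions based on Folsom-era keystone.conf; the demo at the bottom works on a constructed temporary file, not on a real /etc/keystone.conf.

```shell
#!/bin/sh
# Added example (not from the slides): write the keystone.conf settings from the
# install slide with a section-aware INI editor, a random admin_token and
# owner-only permissions. Section names and the driver path are assumptions
# based on Folsom-era keystone.conf.

# set_ini_value FILE SECTION KEY VALUE
# Replace "KEY = ..." inside [SECTION] of FILE, or add the key to that section
# (creating the section if it does not exist). Every other line is kept as-is.
set_ini_value() {
    _file=$1; _sec=$2; _key=$3; _val=$4
    _tmp="$_file.tmp.$$"
    awk -v sec="$_sec" -v key="$_key" -v val="$_val" '
        BEGIN { insec = 0; done = 0 }
        /^[ \t]*\[.*][ \t]*$/ {
            # Leaving the target section without having written the key: add it now.
            if (insec && !done) { print key " = " val; done = 1 }
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/][ \t]*$/, "", name)
            insec = (name == sec)
            print; next
        }
        insec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            print key " = " val; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!insec) print "[" sec "]"   # section missing: create it at the end
                print key " = " val
            }
        }
    ' "$_file" > "$_tmp" && mv "$_tmp" "$_file"
}

# get_ini_value FILE SECTION KEY -> prints the value, or nothing if it is unset.
get_ini_value() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[.*][ \t]*$/ {
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/][ \t]*$/, "", name)
            insec = (name == sec); next
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# random_hex_token -> 32 hex characters (128 bits) from /dev/urandom; od is POSIX,
# so no openssl is needed.
random_hex_token() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# configure_keystone CONF DB_PASSWORD DB_HOST
# Writes the SQL connection string from the slide, a fresh admin_token, and the
# SQL identity backend driver, then restricts the file to its owner.
configure_keystone() {
    _conf=$1; _pw=$2; _host=$3
    set_ini_value "$_conf" sql connection "mysql://keystone:$_pw@$_host/keystone"
    set_ini_value "$_conf" DEFAULT admin_token "$(random_hex_token)"
    # Assumed driver path: selects the SQL identity backend described on the slide.
    set_ini_value "$_conf" identity driver keystone.identity.backends.sql.Identity
    chmod 600 "$_conf"
}

# Demo on a constructed sample file (placeholder host and password, not real).
demo_conf="${TMPDIR:-/tmp}/keystone_demo.$$.conf"
printf '%s\n' '[DEFAULT]' 'admin_token = 012345SECRET99TOKEN012345' '' \
              '[sql]' 'connection = sqlite:////var/lib/keystone/keystone.db' > "$demo_conf"
configure_keystone "$demo_conf" 'DB_PASSWORD_PLACEHOLDER' 'db.example.internal'
cat "$demo_conf"
rm -f "$demo_conf"
```

On a real host the call would be `configure_keystone /etc/keystone.conf "$DB_PASSWORD" "$DB_HOST"` followed by the `service keystone restart` and `keystone-manage db_sync` steps from the slide; the generated token has to be handed to the clients that use it (for example via the OS_SERVICE_TOKEN environment variable) instead of being typed from the slide.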
    • KEYSTONE USER MANAGEMENT
      1) Create a user called Kavit:
         keystone user-create --name=kavit --pass=test123 --email=kavit@aptira.com
      2) Create a tenant called test:
         keystone tenant-create --name=test
      3) Create a role to use on our system:
         keystone role-create --name=admin
      4) Associate the role and the user with the tenant:
         keystone user-role-add --user=USERID --role=ROLEID --tenant_id=TENANTID
    • KEYSTONE SERVICE MANAGEMENT
      1) Create the service tenant. This tenant contains all the services that we make known to the service catalog.
         keystone tenant-create --name=service
      2) Create users for each OpenStack service in the service catalog:
         keystone user-create --name=nova --pass=test123 --email=nova@test.aptira.com
      3) Give the admin role to the users nova, glance, etc. in the tenant service.
      4) Now that we have tenants, users and roles for each of the users, we need to create the services we wish to authenticate users for:
         keystone service-create --name nova --type compute --description 'OpenStack Compute Service'
    • KEYSTONE SERVICE MANAGEMENT
      5) Once the services are created, we will need to associate the endpoints or network addresses where clients might connect to the services offered.
         keystone endpoint-create --region myregion --service_id 1e93ee6c70f8468c88a5cb1b106753f3 --publicurl 'http://192.168.125.111:8774/v2/$(tenant_id)s' --adminurl 'http://192.168.125.111:8774/v2/$(tenant_id)s' --internalurl 'http://192.168.125.111:8774/v2/$(tenant_id)s'
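Steps 4) of user management and 5) of service management both need IDs (USERID, ROLEID, TENANTID, the service_id) that the earlier `keystone ...-create` commands print inside a text table. The shell below is an added example, not part of the presentation or of the Keystone CLI: it parses that table format so the IDs are captured by the script that created the objects instead of being copied by hand, and it fails with a non-zero status when the field is absent (for instance because the command printed an error instead of a table). The sample table is constructed to match the layout of the CLI's output and its ID value is made up.

```shell
#!/bin/sh
# Added example (not from the slides): pull a named field out of the table the
# keystone CLI prints, so IDs for user-role-add / endpoint-create are captured.

# table_field FIELD  (reads a keystone CLI table on stdin, prints FIELD's value;
# exits 1 if the field is not present)
table_field() {
    awk -F'|' -v want="$1" '
        NF >= 4 {                      # data rows look like "| key | value |"
            k = $2; v = $3
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) { print v; found = 1; exit }
        }
        END { exit !found }'           # border rows ("+---+") have NF == 1
}

# keystone_id CMD...  runs a command and prints the "id" from its table.
# Live use (not exercised here):  TENANT_ID=$(keystone_id keystone tenant-create --name=service)
keystone_id() {
    "$@" | table_field id
}

# Constructed sample: the shape of `keystone tenant-create --name=test` output.
SAMPLE_TENANT_TABLE='+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | 7b3a9c1f2e4d4c6f8a1b2c3d4e5f6a7b |
|     name    |               test               |
+-------------+----------------------------------+'

# Demo: capture the id and refuse to continue without one, which is the check
# a script wrapping the slides' commands would make before user-role-add.
tenant_id=$(printf '%s\n' "$SAMPLE_TENANT_TABLE" | table_field id) || {
    echo "no id in keystone output" >&2; exit 1; }
echo "tenant id: $tenant_id"
# With the sample output for the nova service the same pattern gives the service_id:
#   SERVICE_ID=$(keystone_id keystone service-create --name nova --type compute --description 'OpenStack Compute Service')
#   keystone endpoint-create --region myregion --service_id "$SERVICE_ID" ...
```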
    • KEYSTONE WORKFLOW
    • IMPORTANT RESOURCES AND LINKS
      OpenStack keystone developer documentation: http://docs.openstack.org/developer/keystone/
      OpenStack Identity Administration documentation: http://docs.openstack.org/trunk/openstack-compute/install/content/ch_installing-openstack-identity-service.html
      Keystone github: http://github.com/openstack/keystone
      Keystone Launchpad site: https://launchpad.net/keystone
    • THE END