OpenStack
Identity Service
Codename: Keystone
Deepti Ramakrishna
Software Engineer, Intel
What is Keystone?
● Keystone is the identity service used by OpenStack for
● Authentication (authN)
● Authorization (authZ)
● What is the difference between the two?
● Identity service has two primary functions:
● User management
● Service catalog
● In general deployment cases, Keystone will be the first service
to be installed
Keystone terminologies
● User
● Users are digital representations of a person, system, or service
● Project/Tenant
● A project is a group used to isolate resources and/or users
● Credentials
● Credentials are data known only to a specific user that prove his or her identity
● E.g.: a username and password, or an authentication token
● Token
● A token is an arbitrary bit of text used to access resources
● Each token has a scope describing accessible resources
● A token may be revoked at any time and is valid for a finite duration
Keystone terminologies - continued
● Role
● Set of assigned user rights and privileges for performing a specific set of
operations
● A user token issued by Keystone includes a list of that user’s roles. Services then
determine how to interpret those roles.
● Endpoint
● An endpoint is a network-accessible address, usually described by URL, from
which services are accessed.
● Service
● An OpenStack service, such as Compute (Nova), Object Storage (Swift), or Image
Service (Glance) which provides one or more endpoints through which users can
access resources and perform operations.
● Service catalog = Services list + Endpoints
Uses of Identity API
● As a User:
● Get a token
● Get the service catalog
● As an admin:
● Define
● Users
● Projects
● Roles
● Roles for users on a project (RBAC - Role Based Access Control)
● Services, endpoints for services
● As a service:
● Validate a token
● Tracks what services are installed and where to locate them on the network
● Get a trust to impersonate a user
http://www.slideshare.net/SteveMartinelli1/openstack-toronto-meetup-keystone-101
Keystone sequence diagram
http://www.slideshare.net/openstackindia/openstack-keystone-identity-service
Keystone backends
https://www.safaribooksonline.com/library/view/identity-authentication-and/9781491941249/ch01.html
Identity backend
● Pluggable architecture
● SQL
● Users are managed by Keystone
● Settings for connecting to a database are handled in keystone.conf file
● Essentially, Keystone is acting as an identity provider
● LDAP (Lightweight Directory Access Protocol)
● Storage and retrieval of user/group info via LDAP
● Keystone accesses the LDAP directory just like any other application that uses it
(system login, email, web application, etc.)
● Keystone does not act as an identity provider
● Memcached
● Free and open source, high-performance, distributed memory object
caching system
Tokens
● All tokens have a payload wrapped in some transport format
● Payload
● Attributes such as uniqueness, identity and authorization
● Transport format
● Necessary package for transmission and validation. Must be URL-friendly
● Token expiration time/life span is configurable in
keystone.conf
Token formats - UUID
● UUID - Universally Unique Identifier
● Randomly generated UUID4 values that provide nothing more than
uniqueness. Looks like a 32-character hexadecimal string.
● Payload
● UUID4
● Format
● Hexadecimal
● Pros
● Better user experience
● Cons
● Every validation goes back to the Keystone server
● E.g:
● 53f7f6ef0cc344b5be706bcc8b1479e1
Token formats - PKI/PKIZ
● PKI - Public Key Infrastructure
● PKI and PKIZ tokens are nearly identical (and in fact share the same
payload), but PKIZ tokens add compression to the mix
● Payload
● JSON response that would normally be produced as a result of online
token validation
● Format
● CMS (Cryptographic Message Syntax) + [zlib] + base64
● Pros
● Does not go back to keystone for validation
● Cons
● Complex to set up
● E.g.: a base64-encoded CMS blob several hundred characters long
http://docs.openstack.org/admin-guide/keystone_certificates_for_pki.html
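The two token formats above force two different validation paths. This added example (not code from the slides or from the Keystone project) models both: a UUID token is an opaque handle that only the issuer's store can interpret, while a PKIZ-style token carries its signed payload through the transport named on the slide (zlib, then URL-safe base64, with a PKIZ_ prefix). It assumes an HMAC with a constructed key as a stand-in for the CMS signature so it runs offline, and it names the caveat the slide's "Pros" line hides: offline validation cannot see a revocation unless a revocation list is also fetched.

```python
import base64
import hashlib
import hmac
import json
import uuid
import zlib
from datetime import datetime, timedelta, timezone

PKIZ_PREFIX = "PKIZ_"
DEMO_KEY = b"constructed-demo-signing-key"  # stand-in for the Keystone signing cert

# --- UUID tokens: an opaque handle, so validation must go back to Keystone ---
TOKEN_STORE = {}  # constructed stand-in for Keystone's token backend (SQL/memcached)


def issue_uuid_token(user, project, roles, ttl_seconds=3600):
    """Mint a UUID4 token: 32 hex characters carrying no meaning of their own."""
    token_id = uuid.uuid4().hex
    expires = datetime.now(timezone.utc) + timedelta(seconds=ttl_seconds)
    TOKEN_STORE[token_id] = {"user": user, "project": project,
                             "roles": roles, "expires": expires}
    return token_id


def validate_uuid_token(token_id):
    """Online validation: only the issuer can say who the token belongs to."""
    entry = TOKEN_STORE.get(token_id)
    if entry is None or entry["expires"] <= datetime.now(timezone.utc):
        return None
    return {k: entry[k] for k in ("user", "project", "roles")}


def revoke_uuid_token(token_id):
    """Revocation is immediate because every validation consults the store."""
    TOKEN_STORE.pop(token_id, None)


# --- PKIZ-style tokens: the signed payload travels inside the token ----------
def _sign(body, key):
    # HMAC stand-in for the CMS signature; a real deployment uses the signing cert.
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_pkiz_token(user, project, roles, ttl_seconds=3600, key=DEMO_KEY):
    """Payload (JSON) -> signed envelope -> zlib -> URL-safe base64 -> 'PKIZ_' prefix."""
    expires = datetime.now(timezone.utc) + timedelta(seconds=ttl_seconds)
    body = json.dumps({"user": user, "project": project, "roles": roles,
                       "expires": expires.isoformat()}, sort_keys=True).encode()
    envelope = json.dumps({"payload": body.decode(), "sig": _sign(body, key)})
    compressed = zlib.compress(envelope.encode())
    return PKIZ_PREFIX + base64.urlsafe_b64encode(compressed).decode()


def validate_pkiz_token(token, key=DEMO_KEY):
    """Offline validation: unwrap the transport, verify the signature, check expiry.

    Nothing here asks Keystone, so a token revoked before its expiry still
    validates unless the service also fetches a revocation list. That is the
    price of the 'no round trip' advantage.
    """
    if not token.startswith(PKIZ_PREFIX):
        return None
    try:
        raw = zlib.decompress(base64.urlsafe_b64decode(token[len(PKIZ_PREFIX):]))
        envelope = json.loads(raw)
        body = envelope["payload"].encode()
        sig = envelope["sig"]
    except (ValueError, KeyError, TypeError, zlib.error):
        return None  # malformed transport or envelope
    if not hmac.compare_digest(_sign(body, key), sig):
        return None  # signature mismatch: altered, or signed by another key
    payload = json.loads(body)
    if datetime.fromisoformat(payload["expires"]) <= datetime.now(timezone.utc):
        return None  # expired
    return {k: payload[k] for k in ("user", "project", "roles")}
```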
Identity v3 API
● python-keystoneclient doesn't expose v3 functionalities but
python-openstackclient does.
● Term “tenant” is officially replaced with “project”
● New features/concepts:
● Domains
● A high-level container for projects
● Groups
● A container representing a collection of users
● Federated authentication
Useful links
● Current (v3) API
● http://developer.openstack.org/api-ref/identity/v3/
● Source code
● https://github.com/openstack/keystone
● Blueprints
● https://blueprints.launchpad.net/keystone
● Bugs
● https://bugs.launchpad.net/keystone/+bugs
● Code Review
● https://review.openstack.org/#/q/project:+openstack/keystone
Lab session
CLI commands
● Let’s use python-openstackclient for this lab!
● python-keystoneclient only supports v2 API and not v3
● Verify Keystone service is running
● $ sudo pgrep -l apache2
● Admin endpoint
● $ sudo lsof -i | grep 35357
● Non-admin endpoint
● $ sudo lsof -i | grep 5000
● Source credentials as the admin user on the admin project
● Check the auth_url
● $ printenv | grep OS_
● Get a token
● $ openstack token issue
● Show the usage of the --debug option and walk through its output
● $ openstack --debug cinder list
● Review the “X-Auth-Token” header in the debug output and why it is printed as a SHA1 hash rather than the raw token
● OpenStack help command
● $ openstack help
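The debug output hashes the token before printing it so that a pasted log does not hand out a working credential. This added example (not code from the slides or from python-openstackclient) reproduces that behaviour and adds a log-review check for raw tokens; the curl-style REQ line, the header set and the {SHA1} rendering are modelled on the client output of the time (newer clients use SHA256), and the URL and headers in the usage call are constructed.

```python
import hashlib
import re

# Headers that carry bearer credentials in OpenStack API traffic.
SENSITIVE_HEADERS = {"x-auth-token", "x-subject-token", "x-service-token"}

# A raw UUID token that leaked into a log line (constructed pattern for review).
RAW_UUID_TOKEN = re.compile(r"X-Auth-Token:\s*[0-9a-f]{32}\b", re.IGNORECASE)


def fingerprint(token, algo="sha1"):
    """One-way digest of a token: two log lines can still be correlated,
    but whoever reads the log gets nothing they can replay against the API."""
    digest = hashlib.new(algo, token.encode("utf-8")).hexdigest()
    return "{%s}%s" % (algo.upper(), digest)


def redact_headers(headers, algo="sha1"):
    """Copy of the headers with every bearer token replaced by its digest."""
    return {name: (fingerprint(value, algo) if name.lower() in SENSITIVE_HEADERS
                   else value)
            for name, value in headers.items()}


def debug_request_line(method, url, headers, algo="sha1"):
    """Render a request as a curl command the way --debug output does,
    hashing the token before it reaches stdout or a log file."""
    parts = ["REQ: curl -g -i -X %s %s" % (method, url)]
    for name, value in redact_headers(headers, algo).items():
        parts.append('-H "%s: %s"' % (name, value))
    return " ".join(parts)


def leaked_raw_tokens(log_lines):
    """Detection helper for log review: which lines still carry a raw UUID token?"""
    return [line for line in log_lines if RAW_UUID_TOKEN.search(line)]


if __name__ == "__main__":
    # Constructed sample: the UUID example token from the slides, sent with a
    # volume listing like the 'cinder list' lab step (URL is a placeholder).
    headers = {"User-Agent": "python-openstackclient",
               "Accept": "application/json",
               "X-Auth-Token": "53f7f6ef0cc344b5be706bcc8b1479e1"}
    print(debug_request_line("GET", "http://controller.example/v2/volumes", headers))
```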
CLI commands - continued
● Source credentials as the admin user on the admin project
● Endpoint
● $ openstack endpoint list and $ openstack endpoint show <ENDPOINT-ID or NAME>
● Service
● $ openstack service list and $ openstack service show <SERVICE-ID or NAME>
● Project
● $ openstack project list and $ openstack project show <PROJECT-ID or NAME>
● User
● $ openstack user list and $ openstack user show <USER-ID or NAME>
● $ openstack user role list
● $ openstack user create <NEW-USER-NAME>
● $ openstack user delete <NAME>
● Role
● $ openstack role list and $ openstack role show <ROLE-ID or NAME>
● Source credentials as the demo user on the demo project
● Try some of the above commands and see that they don’t work!
● List services in the service catalog
● $ openstack catalog list and $ openstack catalog show <CATALOG-ID or NAME>
● Try creating a new user and see how it fails; in fact, even listing users fails.
● $ openstack user create <NEW-USER-NAME>
Advanced
● OpenStack Keystone installation and manually configuring
other services
● https://www.youtube.com/watch?v=0jNdlSBm1JA
OR
● https://www.youtube.com/watch?v=BGsCErR9A2s
Thank You!