Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Keystone - Openstack Identity Service

Introduction to OpenStack Identity services

  • Be the first to comment

Keystone - Openstack Identity Service

  1. 1. Keystone OpenStack Identity Service Prasad Mukhedkar Red Hat Technical Support Team
  2. 2. Agenda Introduction Identity Concept in Openstack - Project - Domains - Actors (Groups and Users) - Service Catalogs - Identity Providers (Multi Backend) Tokens - UUID - PKI (PKIz) - Fernet Troubleshooting - Logs, Enabling Debug - Most common Problems Hands-On Lab - Keystone Basic Operations - Keystone Integration with Active Directory Server for authentication.
  3. 3. So where does OpenStack begin and end? User Perspective cloud GUI or CLI Architecture Perspective API endpoints
  4. 4. Many OpenStack Services, Many API Endpoints! How to authenticate them? Who will manage the authorization? How will I come to know what is the endpoint of the service that I want to access? Example Nova? Openstack Keystone Service. "Keystone provides Identity, Token, Catalog and Policy services for use specifically by projects in the OpenStack family.“
  5. 5. Openstack Keystone Architecture.
  6. 6. Keystone API Getting Token : Getting endpoint of nova : Call the Nova AP :
  7. 7. Keystone Concepts Identity Management Actor (User and groups) Credentials Token Project Domain Service Catalog Services Endpoints Rules
  8. 8. Identity Management : Actors In the Keystone realm, Users and User Groups are the entities given access to resour‐ ces that are isolated in Domains and Projects. Groups are a collection of Users. Users are individuals who will end up using your cloud. We refer to Users and Groups as Actors since, when assigning a role, these are the entities to which the role is “assigned to.
  9. 9. Identity Management : Project - In Keystone, a Project is an abstraction used by other OpenStack services to group and isolate resources (e.g., servers, images, etc.). - Earlier known as Tenant - Projects themselves don’t own Users, but Users or User Groups are given access to a Project using the concept of Role Assignments.
  10. 10. Identity Management : Domain Keystone v3 feature that provide mechanism to limit the visibility of Projects to different user organizations. For example, a cloud could have two domains, IBM and Red Hat . IBM has their own collection of groups, users, and projects and so does Red Hat.
  11. 11. Identity Management: Tokens : An arbitrary bit of test taht is used to access resources. Each token has a scope which described which resources are accessible with it. There are four types of token that you can use with OpenStack. "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider".
  12. 12. Tokens : UUID Pros : - Simplest and Most Light Weight - The UUID token is simply a randomly generated UUID 32-character string (Version 4 UUID ) getuuid - The token is extremely small and easy to use when accessing Keystone through a cURL command. Cons : -Server side validation (Disadvantage with this token format is that Keystone can become a bottleneck due to the tremendous amount of communication that occurs when Keystone is needed to validate the token.) - Revoked tokens are not removed from the database. Need to manually flush the database. "keystone-manage token_flush"
  13. 13. Token : PKI/PKIz These are Cryptographically Encrypted Signed Document using X509 Standards. Heavy weight as the contain contains the entire validation response that would be received from Keystone. - Expiry Date - user identification - Role information - service catalog - other information like region Pros : - Client side validation. Cons : - Complex to setup (Need Cerificates issued from CA) - Extremely Large (Size can break the web performance) - Persisted in database. (Need to manually flush the database.)
  14. 14. Token : Fernet Token Fernet Token : The newest Keystone token format is the Fernet token format. The Fernet token attempts to improve on previous token formats in a variety of ways. Pros : - Small footprint, 255 characters. (larger than UUID tokens, but significantly smaller than PKI) - Not stored in persistant backend. Cons : - Service side validation - Fernet tokens use symmetric keys to sign the token, nnd these keys need to be distributed to the various OpenStack regions.
  15. 15. Service Catalog "serviceCatalog": [ "endpoints": [ { "adminURL": "http: //swift.admin-nets.local: 8080/", "region": "RegionOne", "internalURL": "http: // 8080/v1/AUTH_1", "publicURL": "http: //" The adminurl is for the admin users, (can see the all tenants and images ) internalurl are what the other services use to talk to each other And the publicurl is what everyone else accessing the service endpoint uses. SSL can also be enabled for the endpoints, However, Currently this configuration cannot be deployed by our installation and provisioning tool, RHELOSP-Director/Packstack. This need to be done manually post deployment.
  16. 16. Access Management and Authorization: Access Management and Authorization is achieved using " Roles + Policy" /etc/keystone/policy.json : The Policy service provides a rule-based authorization engine and the associated rule management interface.
  17. 17. Keystone v3 The Keystone v3 API introduces two significant Keystone features/concepts: Domains Groups Domains concept enables multi backed identity provider that simplfies keystone integration with external user directory services.
  18. 18. Configuration file (keystone.conf) /etc/keystone/keystone.conf [DEFAULT] - general configuration [sql] - optional storage backend configuration [ec2] - Amazon EC2 authentication driver configuration [s3] - Amazon S3 authentication driver configuration. [oauth1] - Oauth 1.0a system driver configuration [identity] - identity system driver configuration [catalog] - service catalog driver configuration [token] - token driver & token provider configuration [cache] - caching layer configuration [policy] - policy system driver configuration for RBAC [signing] - cryptographic signatures for PKI based tokens [ssl] - SSL configuration [auth] - Authentication plugin configuration [os_inherit] - Inherited Role Assignment extension [paste_deploy] - Pointer to the PasteDeploy configuration file
  19. 19. Running Keystone in HTTPD # openstack-status service | grep -i keystone == Keystone service == openstack-keystone: inactive (disabled on boot) - Packstack Configuration: # Name of service to use to run the Identity service (keystone, # httpd). CONFIG_KEYSTONE_SERVICE_NAME=httpd - Running Keystone in HTTPD
  20. 20. Token Authentication Flow
  21. 21. Keystone Troubleshooting Keystone Log file : /var/log/keystone Enabling Debug output: Set debug to True in the /etc/keystone/keystone.conf configuration file Raw # Print debugging output (set logging level to DEBUG instead # of default WARNING level). (boolean value) #debug=false debug=True - Debug keystone tokens : Access database #mysql MariaDB [(none)]> use keystone; MariaDB [keystone]> show tables; MariaDB [keystone]> show tables; +------------------------+ | Tables_in_keystone | +------------------------+ | access_token | | assignment | | consumer | | credential | | domain | | endpoint | | endpoint_group | --------------------------
  22. 22. Thank You!