Openstack Keystone


1. Openstack Keystone: Deep Dive & Coming Attractions
   Adam Young, Senior Software Engineer, Cloud, Red Hat
   July 24th, 2012
   Presenter: Adam Young

2. Agenda
   ● Overview
   ● Code Layout
   ● Tokens
   ● Folsom Blueprints

3. Openstack Overview

4. Keystone: Identity Management Server

5. Keystone Domain Model

6. Code Layout

7. WSGI Mapping

8. Contrib
   ● Authorization Mechanism
      ● EC2 -> Token
      ● S3 -> Token
      ● Swift
   ● CRUD
      ● Admin
         ● Services
         ● Endpoints
         ● Roles
      ● User:
         ● Change Password

9. Persistence Backends
   ● KVS: Key Value Store
      ● In Memory
      ● Memcached
   ● SQL
      ● SQLite and MySQL
      ● Postgres (WIP)
   ● LDAP
      ● Identity only
      ● Start for Active Directory

10. Tokens
   ● UUID
   ● Stored in DB
   ● Verified Online
   ● Shared Secret

11. Token: Request

12. Token: Authenticated

13. Token: Request for Service

14. Token: Verification

15. Token: Verified

16. Token: Response from Service

17. Auth Token Middleware

18. EC2 Token Middleware

19. Tokens: Pros and Cons
   ● Pros
      ● Instantly Revocable
      ● Small (ish)
   ● Cons
      ● Needs network to verify
      ● Keystone becomes chokepoint
      ● Is UUID Random?
      ● Chattiest Part of Openstack

20. Folsom Blueprints

21. Keystone API V3
   ● Emphasize URLs: fully Qualified Resource Location
   ● Rename Tenants back to Projects
   ● Clear associations between projects, users and credentials
   ● Policy implementation specific API
   ● Many Aspects Deferred
      ● Priority for Grizzly

22. PKI Signed Tokens: Implementation
   ● Cryptographically Signed Text
      ● Cryptographic Message Syntax (S/MIME)
   ● Contents of "Verify"
   ● Signed with Keystone Private Key
   ● Verified using
      ● OpenSSL
      ● Public Certificate
   ● Can also be verified using HTTP

23. PKI Signed Tokens: Crypto Commands
   ● Sign
     openssl cms -sign -in auth_token.json -nosmimecap -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts -noattr -out auth_token.signed
   ● Verify
     openssl cms -verify -in auth_token.signed -certfile cert.pem -out signedtext.txt -CAfile cacert.pem -inform DER

24. Token: Online Verification

25. Token: Offline Verification
26. Domains
   ● ayoung@stoughton vs ayoung@canton
   ● Currently One implicit domain
   ● Grant access from one domain to a ten^H^H^H project in another domain
   ● Finer grained administration
   ● True Multiple Tenancy

27. Policy/Role Based Access Control
   ● Replace "isAdmin"
      ● Currently in Nova
      ● Belongs in Keystone
   ● Register for service:
      ● Roles
      ● Capabilities
   ● Multiple Tenants and Roles
   ● Policy is in Keystone
      ● Enforcement is on the shoulders of Glance, Nova etc.

28. Links
   http://keystone.openstack.org/
   https://blueprints.launchpad.net/keystone/
   https://docs.google.com/document/d/1VP-bTBbwsn6q-rDzuS9CEKb2ubE1VjbWRFd4BkkjoOY/edit

29. Image Attributions
   ● http://www.flickr.com/photos/jronaldlee/5216040554/lightbox/
   ● http://th07.deviantart.net/fs70/PRE/i/2010/098/7/2/Robot_Blueprints_01_by_jordanoth.jpg
   ● http://followinglesley.files.wordpress.com/2011/03/fake-ttc-tokens.jpg
   ● http://commons.wikimedia.org/wiki/File:Scroll_Bridge_Keystone_-_geograph.org.uk_-_1299995.jpg
   ● http://commons.wikimedia.org/wiki/File:Keystone_Grange_of_Barry_bridge_-_geograph.org.uk_-_395082.jpg
   ● http://xkcd.com/378/
   ● http://fc00.deviantart.net/fs51/f/2009/322/1/7/signed__sealed____by_kat013.jpg
   ● http://th01.deviantart.net/fs71/PRE/f/2012/090/2/a/alnwick_castle_by_newcastlemale-d4uie0a.jpg
   ● http://3.bp.blogspot.com/_V4w18ZWaPas/TN3LvAzfGEI/AAAAAAAAG_Y/YgnCvp9Na08/s1600/Fake-TTC-Tokens.jpg
   ● http://en.wikipedia.org/wiki/File:Doorman.JPG
