
Openstack Keystone

  1. Openstack Keystone: Deep Dive & Coming Attractions
     Adam Young, Senior Software Engineer, Cloud, Red Hat
     July 24th, 2012
     Presenter: Adam Young
  2. Agenda
     ● Overview
     ● Code Layout
     ● Tokens
     ● Folsom Blueprints
  3. Openstack Overview
  4. Keystone: Identity Management Server
  5. Keystone Domain Model
  6. Code Layout
  7. WSGI Mapping
  8. Contrib
     ● Authorization Mechanism
       ● EC2 -> Token
       ● S3 -> Token
       ● Swift
     ● CRUD
       ● Admin
         ● Services
         ● Endpoints
         ● Roles
       ● User:
         ● Change Password
  9. Persistence Backends
     ● KVS: Key Value Store
       ● In Memory
       ● Memcached
     ● SQL
       ● SQLite and MySQL
       ● Postgres WIP
     ● LDAP
       ● Identity only
       ● Start for Active Directory
  10. Tokens
     ● UUID
     ● Stored in DB
     ● Verified Online
     ● Shared Secret
  11. Token: Request
  12. Token: Authenticated
  13. Token: Request for Service
  14. Token: Verification
  15. Token: Verified
  16. Token: Response from Service
  17. Auth Token Middleware
  18. EC2 Token Middleware
  19. Tokens: Pros and Cons
     ● Pros
       ● Instantly Revocable
       ● Small (ish)
     ● Cons
       ● Needs network to verify
       ● Keystone becomes chokepoint
       ● Is UUID Random
       ● Chattiest Part of Openstack
  20. Folsom Blueprints
  21. Keystone API V3
     ● Emphasize URLs: fully Qualified Resource Location
     ● Rename Tenants back to Projects
     ● Clear associations between projects, users and credentials
     ● Policy implementation specific API
     ● Many Aspects Deferred
     ● Priority for Grizzly
  22. PKI Signed Tokens: Implementation
     ● Cryptographically Signed Text
     ● Cryptographic Message Syntax (S/MIME)
     ● Contents of “Verify”
     ● Signed with Keystone Private Key
     ● Verified using
       ● OpenSSL
       ● Public Certificate
     ● Can also be verified using HTTP
  23. PKI Signed Tokens: Crypto Commands
     ● Sign
       openssl cms -sign -in auth_token.json -nosmimecap -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts -noattr -out auth_token.signed
     ● Verify
       openssl cms -verify -in auth_token.signed -certfile cert.pem -out signedtext.txt -CAfile cacert.pem -inform DER
  24. Token: Online Verification
  25. Token: Offline Verification
  26. Domains:
     ● ayoung@stoughton Vs ayoung@canton
     ● Currently One implicit domain
     ● Grant access from one domain to a ten^H^H^H project in another domain
     ● Finer grained administration
     ● True Multiple Tenancy
  27. Policy/Role Based Access Control
     ● Replace “isAdmin”
       ● Currently in Nova
       ● Belongs in Keystone
     ● Register for service:
       ● Roles
       ● Capabilities
     ● Multiple Tenants and Roles
     ● Policy is in Keystone
     ● Enforcement is on the shoulders of Glance, Nova etc
  28. Links
     http://keystone.openstack.org/
     https://blueprints.launchpad.net/keystone/
     https://docs.google.com/document/d/1VP-bTBbwsn6q-rDzuS9CEKb2ubE1VjbWRFd4BkkjoOY/edit
  29. Image Attributions
     ● http://www.flickr.com/photos/jronaldlee/5216040554/lightbox/
     ● http://th07.deviantart.net/fs70/PRE/i/2010/098/7/2/Robot_Blueprints_01_by_jordanoth.jpg
     ● http://followinglesley.files.wordpress.com/2011/03/fake-ttc-tokens.jpg
     ● http://commons.wikimedia.org/wiki/File:Scroll_Bridge_Keystone_-_geograph.org.uk_-_1299995.jpg
     ● http://commons.wikimedia.org/wiki/File:Keystone_Grange_of_Barry_bridge_-_geograph.org.uk_-_395082.jpg
     ● http://xkcd.com/378/
     ● http://fc00.deviantart.net/fs51/f/2009/322/1/7/signed__sealed____by_kat013.jpg
     ● http://th01.deviantart.net/fs71/PRE/f/2012/090/2/a/alnwick_castle_by_newcastlemale-d4uie0a.jpg
     ● http://3.bp.blogspot.com/_V4w18ZWaPas/TN3LvAzfGEI/AAAAAAAAG_Y/YgnCvp9Na08/s1600/Fake-TTC-Tokens.jpg
     ● http://en.wikipedia.org/wiki/File:Doorman.JPG
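The sign and verify commands from the "Crypto Commands" slide, and the offline verification the following slides describe, as a runnable added example (not code from the deck or from Keystone): it signs a constructed token body with the slide's exact openssl cms flags, verifies it offline, and shows that changing a single byte of the signed blob makes verification fail. It assumes the openssl CLI is installed and that one throwaway self-signed certificate stands in for both Keystone's signing cert (cert.pem/key.pem) and the CA (cacert.pem).

```shell
#!/bin/sh
# Added example (not from the slides): sign a constructed Keystone-style token body
# with the exact "Crypto Commands" flags, verify it offline, then show that changing
# one byte of the signed blob makes verification fail.
set -eu
WORK="$(mktemp -d)"
# The slide uses Keystone's key.pem/cert.pem plus a CA cert (cacert.pem).
# Assumption here: one throwaway self-signed cert plays both roles.
make_keys() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=keystone-test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  cp "$WORK/cert.pem" "$WORK/cacert.pem"
}
# Constructed token body; the roles are what a service enforces policy on.
write_token() {
  printf '%s\n' '{"access": {"user": {"name": "ayoung", "roles": [{"name": "Member"}]},' \
    '"token": {"expires": "2012-07-25T00:00:00Z"}}}' > "$WORK/auth_token.json"
}
# Sign as on the slide: opaque (non-detached) DER CMS, no embedded certs, no signed attributes.
sign_token() {
  openssl cms -sign -in "$WORK/auth_token.json" -nosmimecap -signer "$WORK/cert.pem" \
    -inkey "$WORK/key.pem" -outform DER -nodetach -nocerts -noattr -out "$WORK/auth_token.signed"
}

# Verify as on the slide. Exit status 0 means the signature chains to cacert.pem; note that
# openssl still writes the content to $2 before rejecting a bad signature, so check the status.
verify_token() {
  openssl cms -verify -in "$1" -certfile "$WORK/cert.pem" -out "$2" \
    -CAfile "$WORK/cacert.pem" -inform DER 2>/dev/null
}

# The recovered text equals the input, except that cms -sign without -binary canonicalises
# line endings to CRLF, so compare with carriage returns stripped.
roundtrip_check() {
  verify_token "$WORK/auth_token.signed" "$WORK/signedtext.txt"
  [ "$(tr -d '\r' < "$WORK/signedtext.txt")" = "$(cat "$WORK/auth_token.json")" ]
}

# Change one byte inside the signature value (the last bytes of the DER blob) and
# confirm verification now fails: offline trust is only safe because of this check.
tamper_check() {
  cp "$WORK/auth_token.signed" "$WORK/tampered.signed"
  pos=$(( $(wc -c < "$WORK/tampered.signed") - 8 ))
  old=$(dd if="$WORK/tampered.signed" bs=1 skip="$pos" count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
  printf "\\$(printf '%03o' $(( (old + 1) % 256 )))" \
    | dd of="$WORK/tampered.signed" bs=1 seek="$pos" conv=notrunc 2>/dev/null
  if verify_token "$WORK/tampered.signed" "$WORK/tampered.txt"; then return 1; else return 0; fi
}
```

Run make_keys, write_token and sign_token first, then roundtrip_check and tamper_check; each returns a non-zero status on failure so the script can be wired into a CI check.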
