What's new in Havana--Keystone

Part of the "What's New in Havana" Webinar, these slides show what's new in Keystone.

Published in: Technology, Business
  1. What’s New In OpenStack Havana Webcast, October 2013
  2. OpenStack Identity Service: Keystone
  3. Keystone: Role-based Access Control (RBAC)
       •  More granular policies
       •  Can be based on aspects of the request such as API request parameters

          "identity:delete_user": [["role:admin", "domain_id:%(target.user.domain_id)s"]]

  4. Keystone: Role handling
       •  Assign roles via OAuth 1.0a
       •  Domain roles can be inherited from project
       •  Group API
  5. Keystone: Separate projects etc. from authentication
       •  Projects, roles, etc. follow “assignments” driver
       •  Users, groups, etc. follow “identity” driver
       •  Credentials follow “credentials” driver

          [identity]
          driver = keystone.identity.backends.ldap.Identity

          [assignment]
          driver = keystone.assignment.backends.sql.Assignment

  6. Keystone: Token generation
       •  Currently PKI or UUID
       •  Can now be pluggable
       •  keystone.token.provider.Provider interface can be custom implemented
  7. Keystone: Remote handling of authentication through REMOTE_USER
       •  Sent by the web server as an environment variable
       •  Can be disabled (remove "external" from plug-ins list)
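How the `identity:delete_user` rule on the RBAC slide scopes an admin to their own domain, as an added example that is not from the slides or from Keystone's code. It is a simplified evaluator that assumes the legacy list-of-lists semantics (outer list is OR, inner list is AND) and a request target flattened to dotted keys; the function names, credentials and targets are constructed for illustration.

```python
"""Simplified evaluator for the list-of-lists policy rule format (illustration only)."""


def flatten(d, prefix=""):
    """Flatten nested dicts to dotted keys, e.g. 'target.user.domain_id'."""
    flat = {}
    for key, value in d.items():
        path = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def check(atom, creds, target):
    """Evaluate one 'kind:match' atom against the caller's credentials."""
    kind, _, match = atom.partition(":")
    try:
        match = match % target  # fills in %(target.user.domain_id)s
    except KeyError:
        return False  # attribute absent from the request: deny
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    return kind in creds and str(creds[kind]) == match


def enforce(rules, action, creds, target):
    """Outer list = OR, inner list = AND. This sketch denies unknown actions."""
    alternatives = rules.get(action)
    if not alternatives:
        return False
    flat = flatten(target)
    return any(all(check(a, creds, flat) for a in conj) for conj in alternatives)


# Rule copied from the slide; everything below it is constructed sample data.
RULES = {"identity:delete_user": [["role:admin", "domain_id:%(target.user.domain_id)s"]]}
ADMIN_A = {"roles": ["admin"], "domain_id": "domain-a"}
MEMBER_A = {"roles": ["member"], "domain_id": "domain-a"}
USER_IN_A = {"target": {"user": {"id": "u1", "domain_id": "domain-a"}}}
USER_IN_B = {"target": {"user": {"id": "u2", "domain_id": "domain-b"}}}

if __name__ == "__main__":
    for creds, tgt in [(ADMIN_A, USER_IN_A), (ADMIN_A, USER_IN_B), (MEMBER_A, USER_IN_A)]:
        allowed = enforce(RULES, "identity:delete_user", creds, tgt)
        print(creds["roles"], tgt["target"]["user"]["domain_id"], "->", allowed)
```

Both conditions sit in the same inner list, so the admin role alone is not enough: the caller's `domain_id` must also equal the domain of the user being deleted.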
