Openstack Keystone - Deep Dive
Indian OpenStack User Group - Meetup
Jaison Raju
Senior Technical Support Engineer
18/06/17
Agenda
● Introduction to Identity Service
● Openstack Keystone Concepts
● Configuration
● Demo 1
● Integration with IPA/ldap backend
● Demo 2
Introduction to Identity Service
Openstack Keystone Concepts
Keystone Concepts
● Actor (User and groups)
● Credentials
● Token
● Roles - Unique within domain
● Project - Unique within domain
● Domain
● Service
● Endpoints
● Region
● Catalog
● Assignment
● Policy
Services in keystone
Endpoint for each Service
Multi-Site deployment using Regions (diagram: Region1, Region2)
Authentication & Authorization
Openstack Keystone Architecture
Configuration
Configuration file (keystone.conf)
/etc/keystone/keystone.conf
● [DEFAULT] - General configuration
● [assignment] - Assignment system driver configuration
● [auth] - Authentication plugin configuration
● [cache] - Caching layer configuration
● [catalog] - Service catalog driver configuration
● [credential] - Credential system driver configuration
● [domain_config] - Domain configuration
● [endpoint_filter] - Endpoint filtering configuration
● [endpoint_policy] - Endpoint policy configuration
● [federation] - Federation driver configuration
● [fernet_tokens] - Fernet token configuration
● [identity] - Identity system driver configuration
● [identity_mapping] - Identity mapping system driver configuration
● [ldap] - LDAP configuration options
● [memcache] - Memcache configuration options
● [oauth1] - OAuth 1.0a system driver configuration
● [paste_deploy] - Pointer to the PasteDeploy configuration file
● [policy] - Policy system driver configuration for RBAC
● [resource] - Resource system driver configuration
● [revoke] - Revocation system driver configuration
● [role] - Role system driver configuration
● [saml] - SAML configuration options
● [security_compliance] - Security compliance configuration
● [shadow_users] - Shadow user configuration
● [signing] - Cryptographic signatures for PKI based tokens
● [token] - Token driver & token provider configuration
● [tokenless_auth] - Tokenless authentication configuration
● [trust] - Trust configuration
Demo 1
● Prepare devstack environment
● Create
○ User
○ Project
○ Domain
○ Role
○ Group
● Test authentication
● Test authorization
Integration with IPA / ldap backend
LDAP Integration for Identity
● Enable the SELinux boolean that lets local auth/nsswitch services connect to LDAP: # setsebool -P authlogin_nsswitch_use_ldap on
● Configure keystone.conf for multiple backends:
● Define the destination LDAP server in the /etc/keystone/keystone.conf file:
[ldap]
url = ldaps://ipa.india-1.local
user = uid=svc-ldap,cn=users,cn=accounts,dc=india-1,dc=local
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=india-1,dc=local)
password = <RedactedComplexPassword>
user_tree_dn = cn=users,cn=accounts,dc=india-1,dc=local
user_objectclass = inetUser
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tls_cacertfile = /etc/ssl/certs/ca.crt
group_tree_dn = ou=Groups,dc=india-1,dc=local
group_objectclass = groupOfNames
[identity]
driver = keystone.identity.backends.ldap.Identity
[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
● Configure LDAP server in the /etc/keystone/domains/keystone.<domain>.conf
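As an added example (not part of the deck), a small Python audit script that parses a keystone.<domain>.conf in the shape shown above and flags the settings a reviewer would check: cleartext ldap://, TLS without a CA file, writable user/group backends (Keystone's historical default for the *_allow_* flags is True), a missing user_filter, and an [identity] driver that is not ldap. The two sample configs are constructed from the slide's [ldap] block, with placeholder secrets.

```python
"""Audit a Keystone domain-specific LDAP identity config (keystone.<domain>.conf).

Added example, not part of the deck: reads the [ldap] and [identity] sections
with the stdlib configparser and reports settings that weaken the backend.
"""
import configparser
from typing import List

# Constructed sample: the slide's [ldap] block with a placeholder bind password.
SAMPLE_GOOD = """
[ldap]
url = ldaps://ipa.india-1.local
user = uid=svc-ldap,cn=users,cn=accounts,dc=india-1,dc=local
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=india-1,dc=local)
password = <RedactedComplexPassword>
user_tree_dn = cn=users,cn=accounts,dc=india-1,dc=local
user_objectclass = inetUser
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tls_cacertfile = /etc/ssl/certs/ca.crt
group_tree_dn = ou=Groups,dc=india-1,dc=local
group_objectclass = groupOfNames

[identity]
driver = ldap
"""

# Constructed weak variant: plaintext LDAP, writable backend, no group scoping.
SAMPLE_WEAK = """
[ldap]
url = ldap://ipa.india-1.local
user = uid=svc-ldap,cn=users,cn=accounts,dc=india-1,dc=local
password = placeholder-password
user_tree_dn = cn=users,cn=accounts,dc=india-1,dc=local
user_allow_create = True
user_allow_update = True
user_allow_delete = True

[identity]
driver = ldap
"""

# Keystone's historical default for each of these is True, so an absent key
# still means the service account may write to the directory.
WRITE_FLAGS = (
    "user_allow_create", "user_allow_update", "user_allow_delete",
    "group_allow_create", "group_allow_update", "group_allow_delete",
)


def audit_ldap_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[str] = []

    if not cp.has_section("ldap"):
        return ["no [ldap] section: this domain will not use the LDAP identity driver"]
    ldap = cp["ldap"]

    # Transport: the bind password and user lookups must not cross the wire in cleartext.
    url = ldap.get("url", "").strip()
    use_tls = ldap.getboolean("use_tls", fallback=False)
    if url.startswith("ldap://") and not use_tls:
        findings.append("cleartext transport: url uses ldap:// without use_tls = True")
    if (url.startswith("ldaps://") or use_tls) and not (
        ldap.get("tls_cacertfile", "").strip() or ldap.get("tls_cacertdir", "").strip()
    ):
        findings.append("TLS without tls_cacertfile/tls_cacertdir: server cert is not validated against a CA")
    if ldap.get("tls_req_cert", "demand").strip().lower() in ("never", "allow"):
        findings.append("tls_req_cert weakens certificate verification; use demand")

    # Read-only backend: Keystone should never need to create or modify directory objects.
    for key in WRITE_FLAGS:
        if ldap.getboolean(key, fallback=True):
            findings.append(f"{key} is True (or unset): set it to False for a read-only backend")

    # Scoping: without a user_filter every account under user_tree_dn can log in to this domain.
    if not ldap.get("user_filter", "").strip():
        findings.append("no user_filter: every user under user_tree_dn can authenticate")

    # The [ldap] section is only honoured when the identity driver is the LDAP one.
    driver = cp.get("identity", "driver", fallback="").strip()
    if driver not in ("ldap", "keystone.identity.backends.ldap.Identity"):
        findings.append(f"[identity] driver is {driver!r}, not ldap: [ldap] section is ignored")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(f"== {name} ==")
        for finding in audit_ldap_config(sample) or ["no findings"]:
            print(" -", finding)
```

Note that the slide's own block is flagged only for the three group_allow_* keys it leaves at their default; everything else it sets (ldaps, CA file, read-only users, memberOf filter) passes.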
Demo 2
● Create IPA container.
● Create required users / groups.
● Configure keystone to use the ldap backend for identity for a specific domain.
● Test environment.
docker run --privileged --net=bridge \
  -v /var/lib/ipa-data:/data/ipa1/ipa-data -v /var/log:/data/ipa1/ipa-logs \
  -v /sys/fs/cgroup:/sys/fs/cgroup:ro -h ipa.india-1.local --tmpfs /run --tmpfs /tmp \
  -e IPA_SERVER_IP=172.17.0.1 \
  -p 172.17.0.1:53:53/udp -p 172.17.0.1:53:53 -p 172.17.0.1:80:80 -p 172.17.0.1:443:443 \
  -p 172.17.0.1:389:389 -p 172.17.0.1:636:636 -p 172.17.0.1:88:88 -p 172.17.0.1:464:464 \
  -p 172.17.0.1:88:88/udp -p 172.17.0.1:464:464/udp -p 172.17.0.1:123:123/udp \
  -p 172.17.0.1:7389:7389 -p 172.17.0.1:9443:9443 -p 172.17.0.1:9444:9444 -p 172.17.0.1:9445:9445 \
  --name ipa-test -it ad085031fb10 \
  ipa-server-install --realm=india-1.local --ds-password=redhat@123 --admin-password=redhat@321 \
  --setup-dns --no-forwarders --no-host-dns --auto-reverse --allow-zone-overlap --no-dnssec-validation --debug -U
References
● Openstack developer page - https://docs.openstack.org/developer/keystone
● Openstack admin guide - https://docs.openstack.org/admin-guide/identity-management.html
● DevStack installation guide - https://docs.openstack.org/developer/devstack/guides/single-machine.html
● DevStack configuration guide - https://docs.openstack.org/developer/devstack/configuration.html
Getting involved
● IRC: Freenode@openstack-keystone
● Mailing list: openstack-dev@lists.openstack.org
● Keystone Project Page on Launchpad: https://launchpad.net/keystone
● Keystone Source Repository: https://git.openstack.org/cgit/openstack/keystone
THANK YOU
google.com/+jasonraju
https://www.linkedin.com/in/jaison-raju-8518a045/
youtube.com/user/RedHatVideos
@jsonr4
IRC jaison@Red hat, links@Freenode
jraju@redhat.com