Recommended
Recommended
More Related Content
What's hot
What's hot (10)
Similar to OpenStack Keystone Pike Project Update
Similar to OpenStack Keystone Pike Project Update (20)
Recently uploaded
Recently uploaded (20)
OpenStack Keystone Pike Project Update
- 1. Pike Project Update Lance Bragstad (@LanceBragstad) Colleen Murphy (@_colleenm)
- 2. What is OpenStack Identity? What was accomplished in Ocata? What are we achieving in Pike? Looking ahead to Queens and Rocky
- 3. What is OpenStack Identity? What was accomplished in Ocata? What are we achieving in Pike? Looking ahead to Queens and Rocky
- 4. What is OpenStack Identity? a shared service for authentication, authorization, and auditing supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate
- 5. What is OpenStack Identity? a shared service for authentication, authorization, and auditing supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate
- 6. What is OpenStack Identity? a shared service for authentication, authorization, and auditing supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate
- 7. What is OpenStack Identity? a shared service for authentication, authorization, and auditing supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate
- 8. What is OpenStack Identity? What was accomplished in Ocata? What are we achieving in Pike? Looking ahead to Queens and Rocky
- 9. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing
- 10. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing
- 11. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing
- 12. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing
- 13. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing
- 14. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing
- 15. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing
- 16. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing
- 17. What is OpenStack Identity? What was accomplished in Ocata? What are we achieving in Pike? Looking ahead to Queens and Rocky
- 18. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests
- 19. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests
- 20. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests
- 21. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests
- 22. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests
- 23. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests
- 24. What is OpenStack Identity? What was accomplished in Ocata? What are we achieving in Pike? Looking ahead to Queens and Rocky
- 25. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing
- 26. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing
- 27. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing
- 28. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing
- 29. "Practice the 101 Percent Principle. Whenever possible, find the 1 percent you do agree on in a difficult situation, and give it 100 percent of your effort." John Maxwell
- 30. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing
- 31. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing
- 32. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing
- 33. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing
Editor's Notes
- (Lance)
- (Lance) Intended Audience: Operators Product people People I'm not expecting to attend: Developers (I think the list of developers in attendance is going to be ultra short) Approach the entire presentation with the end state of Operators and Product people at the forefront. What do operators want to know? What is changing that will impact how I operator/use keystone? Is there anything new that will allow me automate things? Is there anything I'm using now that might be going away soon? Why is it going away? What do product people to know? What is going to get my existing customer base excited? Is there anything new compliance-wise that I can use to net new customers? What usability improvements have been made? Don't start with credentials or facts and figures. Start with a story if possible/applicable. https://www.youtube.com/watch?v=e80BbX05D7Y
- (Colleen; 2 - 4 minutes)
- (Colleen)
- (Colleen)
- (Colleen)
- (Colleen) We could say we have a 98% adoption rate within OpenStack deployments as of the last User Survey (which came out recently - this might help give attendees a frame of reference as to when the metric was taken) The first email I got about the user survey was from Heidi (from the Foundation) in February.
- (Colleen; 5 - 7 minutes)
- (Colleen; 5 - 7 minutes)
- (Colleen; 5 - 7 minutes) For a long time operators have had the problem of needing to run long-running operations that involve service-to-service communication, and in the middle of the operation the user's keystone token would expire, causing the services to reject the token and interrupt the operation. People were working around this by increasing the lifetime of tokens but that doesn't always work and longer token lifetimes are inherently less secure. We've eased the problem by allowing services to present users' just-expired tokens in conjunction with special service tokens to other services so that when a user starts a job with a valid token the token can be used to finish the job.
- (Colleen; 5 - 7 minutes) Traditional UUID tokens were stored in a database Fernet tokens were introduced in kilo, non-persistent format means no replication across clusters, improved scalability, lower database traffic, easier database management with positive feedback from operators at the Austin summit we made them the default
- (Colleen; 5 - 7 minutes) The work that we did making fernet ready to be the default token provider forced us to really think about how we were dealing with tokens and in the process of simplifying how tokens are validated we were able to clean up a lot of unnecessary revocation events and help reduce the flood of notifications
- (Colleen; 5 - 7 minutes) In previous cycles we added account controls so that operators could satisfy PCI Data Security Standards. This cycle we built on that work to make it easier to use, by creating an API for password requirements so that tools like horizon could easily query, display, and validate password complexity requirements creating an API that enables tooling for admins to search for users with expired passwords. enhancing PCI-related notifications with reasons for the notifications (example: user is locked out for too many failed auth attempts) Samuel’s talk is on Thursday at 4:10 PM Hynes Convention Center - Level 3 - MR 311. This should be promoted since he'll be talking about PCI and it will serve as a good presentation for folks interested in it. A lot of it will relate to the Ocata release. https://www.openstack.org/summit/boston-2017/summit-schedule/events/18281/security-hardening-pci-dss-and-security-compliance-within-keystone
- (Colleen; 5 - 7 minutes) We now have the ability to enhance user account security by requiring multiple authentication mechanisms on a per-user basis, such as password plus time-based one-time passcode We avoided adding this for a while because we pushed the responsibility onto external identity services, but users wanted this feature for non-federated users
- (Colleen; 5 - 7 minutes) There used to be no straightforward way to assign federated users roles in projects, now we're able to use mapping rules to link users to projects before they've logged in and even have projects created automatically created for them
- (Colleen; 5 - 7 minutes) We're making the v3 API the default in our integration gate testing v3 == the domain-aware API hard-coded assumptions have made this hard going to ensure stability in this API version and get us further down the road of deprecating the v2 API
- (Lance; 5 - 7 minutes)
- (Lance; 5 - 7 minutes)
- (Lance; 5 - 7 minutes)
- (Lance; 5 - 7 minutes)
- (Lance; 5 - 7 minutes) think nova and neutron resource tags implemented according to the API WG guidelines
- (Lance; 5 - 7 minutes) framework for integration testing is in place now we need to build out the coverage
- (Lance; 5 - 7 minutes) rolling upgrades have been around since newton last thing we need to do to assert the rolling upgrade tag
- (Lance; 5 - 7 minutes)
- (Lance; 5 - 7 minutes)
- (Lance; 5 - 7 minutes) OpenStack has evolved over the last 5 years, policy hasn't Provide better defaults upstream
- (Lance; 5 - 7 minutes) Today we violate the principle of least privilege Fixing policy is going to be an OpenStack-wide effort Outline to roadmap so we can work on policy together Per API Role Based Access Control with Adam and Kristi Tomorrow at 4:30 in the convention center room 311
- (Lance; 5 - 7 minutes) Building on the unified limits approach Provides consistent quota usage across OpenStack
- (Lance) Policy and quotas have been problems across OpenStack for a long time We're finally making progress as a group Finding the actual things we agree on Focusing on the things we have in common instead of conflict
- (Lance; 5 - 7 minutes) Specification has been proposed Result of decoupling authentication from your identity Native API key support is a possible next step Improved security
- (Lance; 5 - 7 minutes) Bring up a use case here (like domain admin) to make this easier for folks to understand. This would make it so keystone doesn't need new configs when adding new identity providers. Instead a domain admin could add new identity providers via the API. Domain admin case
- (Lance; 5 - 7 minutes) federation ldap local sql users seamless experience
- (Lance; 5 - 7 minutes) Performance and integration are things we care about Continued theme moving forward now that we have the framework
- (Lance; leave 10 minutes) Time to take comments and questions.