Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai & Brad Pokorny
Who are we?
Priti Desai, Advisory Software Engineer, IBM
Brad Pokorny, Principal Software Engineer, Symantec
What token format should we configure in our OpenStack Deployment?
Token Formats
UUID
PKI
PKIZ
Fernet
UUID
• Simplest and Most Lightweight
• Version 4 UUID
• Configuration in keystone.conf :
[token]
provider = keystone.token.providers.uuid.Provider
UUID – Token Generation Workflow
• Request Token with: User Name, Password, Project Name
• Identity: User Validation; retrieves User ID
• Resources: Project Validation; retrieves Project ID and Domain ID
• Assignment: Retrieves Roles for this User on the Project or Domain; returns Failure if the User does not have any Role
• Catalog: Retrieves Services and Endpoints for all the services
• Token: Bundles Identity, Resource, Assignment, and Catalog information into Token Payload; creates Token ID: uuid.uuid4().hex
• KVS: Store them in SQL/KVS: Token ID, Expiration, Valid, User ID, Extra
Sample UUID Token in SQL Backend
id: f10700e71ff045cbb850072a0bd6a4e6
expires: 2015-10-08 21:18:43
extra: {"token_data": {"token": {"methods": ["password"], "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at": "2015-10-08T21:18:43.995255Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids": ["bI1EMzqUQM2sqFimOtIPpQ"], "issued_at": "2015-10-08T20:18:43.995284Z"}}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "key": "f10700e71ff045cbb850072a0bd6a4e6", "token_version": "v3.0", "tenant": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "metadata": {"roles": ["1688449cf1df44839b10a41e3d9b09dd"]}}
valid: 1
trust_id: NULL
user_id: 1334f3ed7eb2483b91b8192ba043b580
UUID – Keystone Token Validation Workflow
• Validate Token with: GET v3/auth/tokens, headers X-Subject-Token and X-Auth-Token
• Retrieves Token payload from token backend KVS/SQL; if nothing is stored for it: Token Not Found
• Parse Token and Retrieve Metadata: read cached token reference and parse User ID, Project ID, Audit ID, Token Expiry
• Valid? No: Token Not Found
• Current Time < Expiry Time? No: Token Not Found (check if a token is expired; current time is calculated in UTC)
• Is Revoked? Yes: Token Not Found (check if a token matches any revocation events)
• Otherwise: HTTP/1.1 200 OK
UUID – Keystone Token Revocation Workflow
• Revoke Token with: DELETE v3/auth/tokens, headers X-Subject-Token and X-Auth-Token
• Validate X-Subject-Token: before revoking a token, validate it based on Token Validation Workflow
• Audit ID present?
– Yes: Revoke by Audit ID; create Revoke Event with: Audit ID, Revoke At, Issued Before
– No: Revoke by Token Expiry; create Revoke Event with: User ID, Project ID, Revoke At, Issued Before, Token Expiry
• Prune Expired Events: filter existing revocation events based on Revoke At
• Set valid to False in the Token KVS
• Sample Revocation Event: { "audit_id": "HVvI0d-cTD21yatAfQc4IQ", "issued_before": "2015-10-24T21:20:45.000000Z" }
UUID Across Multiple Data Centers
• Each data center (US-EAST, US-WEST) runs its own Keystone
• Users, Groups, Domains, Projects, Roles, Catalog and Assignments are kept in sync: MySQL Replication (Database is always in sync), LDAP Replication (Directory Tree is always in sync)
• UUID Tokens live in each data center's own Tokens KVS, which is not replicated
UUID - Multiple Data Centers
• Request Token from US-EAST Keystone: UUID Token
• nova boot with UUID in US-EAST: Keystone Middleware Token Validation: Token Found: VM Instance
• nova boot with UUID in US-WEST: Keystone Middleware Token Validation: Token Not Found
Pros and cons
• Pros
– Simplest and Smallest Token Format
– Recommended for Simple OpenStack Deployment
• Cons
– Persistent Token Format
– Token validation can only be done by Identity service
– Not feasible for multiple OpenStack deployments
PKI/PKIZ
PKI
• Cryptographically Encrypted Signed Document using X509 Standards
• CMS
• Converted to custom URL-Safe format
PKIZ
• Compressed PKI
• Prefixed with "PKIZ"
PKI/PKIZ Configuration - Certificates
• Signing Key (signing_key.pem):
– Generate private key in PEM format
• Signing Certificate (signing_cert.pem):
– Generate CSR using Signing Key
– Submit CSR to CA
– Receive Certificate from CA
• Certificate Authority Certificate (ca.pem)
PKI/PKIZ Configuration
• Configuration in keystone.conf :
[token]
provider = keystone.token.providers.[pki|pkiz].Provider
[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
PKI/PKIZ – Token Generation Workflow
• Request Token with: User Name, Password, Project Name
• Validate Identity, Resource, and Assignment
• Create JSON Token Payload
• Sign JSON Payload with Signing Key and Signing Certificate: openssl cms -sign -outform PEM
• PKI: Convert CMS Signed Token in PEM format to custom URL Safe format: "/" replaced with "-"; deleted: "\n", "----BEGIN CMS----", "----END CMS----"; convert it to UTF-8
• PKIZ: Compress using zlib; Base64 URL Safe; append Prefix PKIZ; convert it to UTF-8
• Store Token into SQL/KVS
Sample PKI Token in SQL Backend
id: b460fec2efcd0d803e2baf48d3bcd72b
expires: 2015-10-09 20:07:36
extra: {"token_data": {"token": {"methods": ["password"], "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at": "2015-10-09T20:07:36.656431Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids": ["8dh07HudSh6rHoU1G9bs-Q"], "issued_at": "2015-10-09T19:07:36.656460Z"}}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "key": "MIIDiwYJKoZIhvcNAQcCoIIDfDCCA3gCAQExDTALBglghkgBZQMEAgEwggHZBgkqhkiG9w0BBwGgggHKBIIBxnsidG9rZW4iOnsibWV0aG9kcyI6WyJwYXNzd29yZCJdLCJyb2xlcyI6W3siaWQiOiIxNjg4NDQ5Y2YxZGY0NDgzOWIxMGE0MWUzZDliMDlkZCIsIm5hbWUiOiJhZG1pbiJ9XSwiZXhwaXJlc19hdCI6IjIwMTUtMTAtMDlUMjA6MDc6MzYuNjU2NDMxWiIsInByb2plY3QiOnsiZG9tYWluIjp7ImlkIjoiZGVmYXVsdCIsIm5hbWUiOiJEZWZhdWx0In0sImlkIjoiNDIzZDQ1Y2RkZWM4NDE3MGJlMzY1ZTBiMzFhMWIxNWYiLCJuYW1lIjo…", "token_version": "v3.0", "tenant": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "metadata": {"roles": ["1688449cf1df44839b10a41e3d9b09dd"]}}
valid: 1
trust_id: NULL
user_id: 1334f3ed7eb2483b91b8192ba043b580
Sample PKIZ Token in SQL Backend
id: c48321ac51a903b07c264ac3e80809c6
expires: 2015-10-12 18:45:23
extra: {"token_data": {"token": {"methods": ["password"], "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at": "2015-10-12T18:45:23.806229Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids": ["kKmQzTuxSnCN9vo3bzxErw"], "issued_at": "2015-10-12T17:45:23.806257Z"}}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "key": "PKIZ_eJxtlMtyqzgQhvc8xexTqcPFdsLiLCQEWCSCgAGBdgZscbVxDOHy9CMnc6mpGlWpSmqpW39_Uuv5WTRo2tj9wyCHxiN35dqjqybi9eb6DuE7ZLd7_WxtAd6MtR1wP7PT5PxJE2F7U53WYH5D5qZbc53OSkeWPoo3hdrU7VQwhe5JBReo71GWv72WT2vLPRk62_XuDmt_T9sZku-veT-xPfUaEk…", "token_version": "v3.0", "tenant": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "metadata": {"roles": ["1688449cf1df44839b10a41e3d9b09dd"]}}
valid: 1
trust_id: NULL
user_id: 1334f3ed7eb2483b91b8192ba043b580
PKI/PKIZ – Token Validation Workflow (same as UUID, with one extra step to derive the unique ID)
• Validate Token with: GET v3/auth/tokens, headers X-Subject-Token and X-Auth-Token
• Unique ID of X-Subject-Token: hash the PKI Token with the pre-configured hashing algorithm
• Retrieves Token reference from token backend KVS/SQL; if nothing is stored for it: Token Not Found
• Parse Token and Retrieve Metadata: read cached token reference and parse User ID, Project ID, Audit ID, Token Expiry
• Valid? No: Token Not Found
• Current Time < Expiry Time? No: Token Not Found (check if a token is expired; current time is calculated in UTC)
• Is Revoked? Yes: Token Not Found (check if a token matches any revocation events)
• Otherwise: HTTP/1.1 200 OK
PKI/PKIZ – Keystone Token Revocation Workflow (same as UUID)
• Revoke Token with: DELETE v3/auth/tokens, headers X-Subject-Token and X-Auth-Token
• Validate X-Subject-Token: before revoking a token, validate it based on Token Validation Workflow
• Audit ID present?
– Yes: Revoke by Audit ID; create Revoke Event with: Audit ID, Revoke At, Issued Before
– No: Revoke by Token Expiry; create Revoke Event with: User ID, Project ID, Revoke At, Issued Before, Token Expiry
• Prune Expired Events: filter existing revocation events based on Revoke At
• Set valid to False in the Token KVS
• Sample Revocation Event: { "audit_id": "HVvI0d-cTD21yatAfQc4IQ", "issued_before": "2015-10-24T21:20:45.000000Z" }
PKI/PKIZ - Across Multiple Data Centers
• Each data center (US-EAST, US-WEST) runs its own Keystone
• Users, Groups, Domains, Projects, Roles, Catalog and Assignments are kept in sync: MySQL Replication (Database is always in sync), LDAP Replication (Directory Tree is always in sync)
• PKI/PKIZ Tokens live in each data center's own Tokens KVS, which is not replicated
PKI/PKIZ - Multiple Data Centers
• Request Token from US-EAST Keystone: PKI/PKIZ Token
• nova boot with PKI/PKIZ in US-EAST: Keystone Middleware Token Validation: VM Instance
• nova boot with PKI/PKIZ in US-WEST: Keystone Middleware Token Validation: VM Instance
Pros and Cons
PKI
• Pros
– Token validation without a request to Keystone
• Cons
– Larger than standard HTTP Header Size
– Complex configuration
– base64 -d < pki_token
– Not truly feasible for multiple OpenStack Deployments
PKIZ
• Pros
– Token validation without a request to Keystone
• Cons
– Still Larger than standard HTTP Header Size
– Similar to PKI
FERNET
Fernet
• Cryptographic Authentication Method – Fernet
• Symmetric Key Encryption
• Fernet Keys stored in /etc/keystone/fernet-keys/
– Encrypted with Primary Fernet Key
– Decrypted with a list of Fernet Keys
Fernet Configuration
• Configuration in keystone.conf :
[token]
provider = keystone.token.providers.fernet.Provider
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
max_active_keys = <number of keys> # default is 3
Fernet Keys
• Fernet Key File - 256 bits: 83b4sCF0Q4pb3aNWJYtSdtdaH8PMA_5dlN7OswXKbvE=
• Decoded: \xf3v\xf8\xb0!tC\x8a[\xdd\xa3V%\x8bRv\xd7Z\x1f\xc3\xcc\x03\xfe]\x94\xde\xce\xb3\x05\xcan\xf1
– First 128 bits: SHA256 HMAC Signing Key
– Last 128 bits: AES Encrypting Key
Fernet Keys
• Fernet Key File Name - Integers starting from 0
• ls /etc/keystone/fernet-keys => 0 1 2 3 4
• Type 1: Primary Key
– Encrypt and Decrypt
– Key file named with the highest index
• Type 2: Secondary Key
– Only Decrypt
– Lowest Index < Secondary Key File Name < Highest Index
• Type 3: Staged Key
– Decrypt and Next In Line to become Primary Key
– Key file named with lowest index (of 0)
Fernet Key Rotation
• Before the first rotation, files 0 1: 1 is the Primary Key, 0 is the Staged Key, no Secondary Key
• Rotate, files 0 1 2: 2 is the Primary Key, 1 is a Secondary Key, 0 is the Staged Key
• Rotate, files 0 1 2 3: 3 is the Primary Key, 2 and 1 are Secondary Keys, 0 is the Staged Key
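As an added example (not code from the talk or from Keystone), the following Python decomposes the key file shown above into its two halves and walks a key repository through the rotations on the slide; the purge rule keyed to max_active_keys is assumed to follow keystone-manage fernet_rotate, and rotation_history is a helper introduced here.

```python
import base64

# Added example, not code from the talk or from Keystone itself: the layout of
# a Keystone Fernet key file and what one rotation does to the key repository.
# The purge rule is assumed to mirror keystone-manage fernet_rotate: after the
# staged key is promoted, the lowest-numbered keys are dropped until the
# non-staged keys number at most max_active_keys - 1.

PAGE_KEY = "83b4sCF0Q4pb3aNWJYtSdtdaH8PMA_5dlN7OswXKbvE="  # key file from the slide


def split_fernet_key(key_b64):
    """Decode a 256-bit Fernet key into (signing_key, encrypting_key).

    Fernet uses the first 16 bytes for SHA256 HMAC signing and the last
    16 bytes for AES encryption.
    """
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def classify_keys(indices):
    """Map each key file name (an integer) to its role in the repository."""
    indices = sorted(indices)
    roles = {}
    for i in indices:
        if i == 0:
            roles[i] = "staged"      # decrypt only; next in line to be primary
        elif i == indices[-1]:
            roles[i] = "primary"     # highest index: encrypt and decrypt
        else:
            roles[i] = "secondary"   # decrypt only
    return roles


def rotate(indices, max_active_keys=3):
    """Return the key indices that remain after one rotation."""
    indices = sorted(indices)
    if 0 not in indices:
        raise ValueError("no staged key 0 to promote")
    new_primary = indices[-1] + 1
    # Staged key 0 becomes the new primary; a fresh staged key 0 is created.
    active = [i for i in indices if i != 0] + [new_primary]
    # Purge the oldest keys; the new staged key does not count toward the cap.
    # Tokens encrypted under a purged key can no longer be validated.
    while len(active) > max(max_active_keys, 1) - 1:
        active.pop(0)
    return [0] + active


def rotation_history(start, rounds, max_active_keys=3):
    """Apply `rounds` rotations and return the repository after each one."""
    history = []
    keys = list(start)
    for _ in range(rounds):
        keys = rotate(keys, max_active_keys)
        history.append(keys)
    return history
```

With the default max_active_keys of 3 the second rotation purges key 1, so the four-file layout on the slide implies a larger setting.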
Fernet – Token Generation Workflow
• Token layout: Fernet Token Version | Current Timestamp | IV | Cipher Text | HMAC
• Token Payload: Version, User ID, Methods, Project ID, Expiry Time, Audit ID, Padding
• Payload encrypted using the Encrypting Key
• Token signed using the Signing Key
Sample Fernet Token in SQL Backend
gAAAAABWLUzy0dxSNo2--K-3trDutnX7LpUpv3us0crQIl8BDHLLd3lR3F243VwnYpNJHIaUiPEE2roYJJNA-SwBe1swDcr6MYaFR1t9ZYcYF4GRqDm3N9_1EGgXgICbzE_GuUVidG4gky0Cv8f1nwD7XM26NRh59VEnt2iVTAxlnvAICJDeK5k
Fernet – Keystone Token Validation Workflow
• Validate Token with: GET v3/auth/tokens, headers X-Subject-Token and X-Auth-Token
• Restore Padding: re-inflate the token with "=" and return the token with correct padding
• Decrypt using Fernet Keys to retrieve the Token Payload
• Determine the Version from the Token Payload; fixed versioning by Keystone: Unscoped Payload: 0, Domain Scoped Payload: 1, Project Scoped Payload: 2
• Disassemble the payload to determine validation fields; for a Project Scoped Token: User ID, Project ID, Methods, Token Expiry, Audit ID
• Current Time < Expiry Time? No: Token Not Found (check if a token is expired; current time is calculated in UTC)
• Is Revoked? Yes: Token Not Found (check if a token matches any revocation events)
• Otherwise: HTTP/1.1 200 OK
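As an added example (not code from the talk or from Keystone), the following Python restores the stripped padding, splits a token into the fields listed above, and tries the HMAC against each key in a repository list; it reuses the sample token from the slide and constructs KEY_1, KEY_2 and a DEMO_TOKEN with placeholder ciphertext, since AES decryption of the payload is left out.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not code from the talk or from Keystone: the byte layout a
# Fernet token has when the validation workflow receives it, the "=" padding
# restoration step, and the HMAC check tried against every key in the
# repository (primary, secondary and staged keys all decrypt). AES decryption
# is left out: ciphertext is opaque bytes, and the demo token uses a placeholder.

VERSION = 0x80  # Fernet token version byte
# Sample token shown on the slide (the page gives no key for it)
PAGE_TOKEN = ("gAAAAABWLUzy0dxSNo2--K-3trDutnX7LpUpv3us0crQIl8BDHLLd3lR3F24"
              "3VwnYpNJHIaUiPEE2roYJJNA-SwBe1swDcr6MYaFR1t9ZYcYF4GRqDm3N9_1"
              "EGgXgICbzE_GuUVidG4gky0Cv8f1nwD7XM26NRh59VEnt2iVTAxlnvAICJDeK5k")


def restore_padding(token):
    """Keystone strips the trailing '=' from Fernet tokens; put it back."""
    return token + "=" * (-len(token) % 4)


def parse_fernet_token(token):
    """Split an unpadded Fernet token into version, timestamp, IV, ciphertext, HMAC."""
    raw = base64.urlsafe_b64decode(restore_padding(token))
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != VERSION:
        raise ValueError("not a Fernet token")
    (timestamp,) = struct.unpack(">Q", raw[1:9])
    return {
        "version": raw[0],
        "timestamp": timestamp,      # seconds since the epoch, UTC
        "iv": raw[9:25],
        "ciphertext": raw[25:-32],   # AES-CBC output, a multiple of 16 bytes
        "hmac": raw[-32:],
        "signed_part": raw[:-32],    # everything the HMAC covers
    }


def issued_at_iso(token):
    """Render the token's Fernet timestamp the way Keystone reports times (UTC)."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ",
                         time.gmtime(parse_fernet_token(token)["timestamp"]))


def find_signing_key(token, keys_b64):
    """Index of the repository key whose HMAC half signed the token, else None."""
    fields = parse_fernet_token(token)
    for idx, key_b64 in enumerate(keys_b64):
        signing_key = base64.urlsafe_b64decode(key_b64)[:16]
        tag = hmac.new(signing_key, fields["signed_part"], hashlib.sha256).digest()
        if hmac.compare_digest(tag, fields["hmac"]):
            return idx
    return None  # key purged by rotation or token tampered: Token Not Found


def build_demo_token(key_b64, ciphertext, timestamp):
    """Assemble a token with Fernet layout (constructed; ciphertext is a placeholder)."""
    signing_key = base64.urlsafe_b64decode(key_b64)[:16]
    iv = b"\x00" * 16  # constructed IV, fixed so the demo is reproducible
    body = bytes([VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")


# Constructed stand-ins for key files 1 and 2 in the repository
KEY_1 = base64.urlsafe_b64encode(b"\x01" * 32).decode()
KEY_2 = base64.urlsafe_b64encode(b"\x02" * 32).decode()
DEMO_TOKEN = build_demo_token(KEY_1, b"\x00" * 32, 1445809394)
```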
Fernet – Keystone Token Revocation Workflow (same as UUID/PKI/PKIZ)
• Revoke Token with: DELETE v3/auth/tokens, headers X-Subject-Token and X-Auth-Token
• Validate X-Subject-Token: before revoking a token, validate it based on Token Validation Workflow
• Audit ID present?
– Yes: Revoke by Audit ID; create Revoke Event with: Audit ID, Revoke At, Issued Before
– No: Revoke by Token Expiry; create Revoke Event with: User ID, Project ID, Revoke At, Issued Before, Token Expiry
• Prune Expired Events: filter existing revocation events based on Revoke At
• Set valid to False in the Token KVS
• Sample Revocation Event: { "audit_id": "HVvI0d-cTD21yatAfQc4IQ", "issued_before": "2015-10-24T21:20:45.000000Z" }
Fernet - Across Multiple Data Centers
• Each data center (US-EAST, US-WEST) runs its own Keystone
• Users, Groups, Domains, Projects, Roles, Catalog and Assignments are kept in sync: MySQL Replication (Database is always in sync), LDAP Replication (Directory Tree is always in sync)
• No Tokens KVS in either data center: each Keystone validates the Fernet token itself
Fernet - Multiple Data Centers
• Request Token from US-EAST Keystone: Fernet Token
• nova boot with Fernet in US-EAST: Keystone Middleware Token Validation: Keystone validates the Fernet Token: VM Instance
• nova boot with Fernet in US-WEST: Keystone Middleware Token Validation: Keystone validates the Fernet Token: VM Instance
Pros and cons
• Pros
– No persistence
– Reasonable Token Size
– Works across Multiple Data Centers
• Cons
– Token validation impacted by the number of revocation events
Fernet Token Validation
Figure: Revocation Events Impact on Validation Time (x axis: Revocation Events, 0 to 4000; y axis: Response Time (ms)). The plotted response times rise from 11.17 ms to 510.058 ms as the number of revocation events grows.
Fernet Token Validation
Figure: Revocation Events Impact on Validation Requests (x axis: Revocation Events; y axis: Token Validation Requests, Validations Per Second). The plotted throughput falls from 89.46 to 1.96 validations per second as the number of revocation events grows.
What token format should we configure in our OpenStack Deployment?
• It depends
• Fernet for Multiple OpenStack Deployments with minimal Revocation Events
HORIZON AND TOKENS
How Horizon uses tokens
• Tokens for each logged in user
• Unscoped token and project scoped token
• Token reuse
– Reduced transaction load on Keystone
– Stored in the session
• Configurable token storage methods
– Local memory cache
– Cookie backend
– Memcache
– Database
– Cached Database
Cookie backend
• Currently the devstack default
• Token stored in browser cookie
• Secure cookies in production, use https
– CSRF_COOKIE_SECURE = True
– SESSION_COOKIE_SECURE = True
– http://docs.openstack.org/developer/horizon/topics/settings.html
– http://docs.openstack.org/security-guide/dashboard/cookies.html
• Highly scalable
• The dreaded boot back to login
Cookie backend
• The dreaded boot back to login
• Now sign in…
• And you see…
• Cookie overflow!
memcache backend
• Allows storage of larger token sizes
• Tokens stored on server side
• Requires memcached
• Can be used with backing DB
• http://docs.openstack.org/developer/horizon/topics/deployment.html
Token hashing
• Hashed in Django OpenStack Auth (DOA)
• Keeps stored token data small
• Currently not working for PKI tokens
• New config in Liberty to disable
– OPENSTACK_TOKEN_HASH_ENABLED
– PKI - Will increase memcache storage requirement
Multiregion and tokens
• Service regions vs. Authentication regions
– Service regions in Keystone catalog
– Auth regions specified in AVAILABLE_REGIONS
• UUID, PKI, and PKIZ Tokens don't work across auth regions
– Token replication is infeasible
• But Fernet tokens work between Authentication regions!
Horizon and Fernet
• Yes, Fernet tokens work with Horizon
• Liberty and beyond – No patches necessary
• Kilo – Needs a patch for DOA
– https://review.openstack.org/#/c/169994/
V3 domains
Domain Scoped Token:
"auth": { "identity": { }, "scope": { "domain": { "name": "Default" } } }
Project Scoped Token:
"auth": { "identity": { }, "scope": { "project": { "domain": { "name": "Default" }, "name": "ProjectA" } } }
• Extra token for Horizon
V3 domains
• Requires changes in Django OpenStack Auth and Horizon
• Planned for Mitaka
• Info on usage (a bit out of date):
– http://www.symantec.com/connect/blogs/how-use-horizon-keystone-v3
• Domains patches:
– https://review.openstack.org/#/c/148082/
– https://review.openstack.org/#/c/141153/
– https://review.openstack.org/#/c/196328/
Will Fernet tokens solve all our problems?
• Smaller token size
• No persistence for tokens
• Seamless authentication across regions
• Performance issues with token revocation
Thank You !!!
Questions ?
EXTRA
What is an Openstack Token?
Key to OpenStack Cloud
How can I generate a token?
• With a password, sent to Keystone:
curl -s -X POST https://keystone.com/v3/auth/tokens -H "Content-Type: application/json" -d '{ "auth": { "identity": { "methods": [ "password" ], "password": { "user": { "domain": { "name": "MyDomain.com" }, "name": "PritiDesai", "password": "secretsecret" } } } } }'
• With an existing token, sent to Keystone:
curl -s -X POST https://keystone.com/v3/auth/tokens -H "Content-Type: application/json" -d '{ "auth": { "identity": { "methods": [ "token" ], "token": { "id": "e8079ab…" } } } }'
Token generated using password
Request body:
"auth": { "identity": { "methods": [ "password" ], "password": { "user": { "domain": { "name": "Default" }, "name": "Smith", "password": "secretsecret" } } } }
Response header: X-Subject-Token: a740dcd6f3fc404aaaf556b9cbd2f994
Response body: { "token": { "methods": [ "password" ], "expires_at": "2015-10-05T20:25:03.180741Z", "extras": {}, "user": { "domain": { "id": "default", "name": "Default" }, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "smith" }, "audit_ids": [ "NnYd94BERb-y1GQulr54tg" ], "issued_at": "2015-10-05T19:25:03.180758Z" } }
Token generated using token
Request body:
"auth": { "identity": { "methods": [ "token" ], "token": { "id": "a7409b" } } }
Response header: X-Subject-Token: 3fb7b3b0a0a8489882f07fdb9cd2a990
Response body: { "token": { "issued_at": "2015-10-05T19:40:38.943250Z", "audit_ids": [ "4vNgmP5cQk6sMpPiw7EnCg", "HFwMKdDrSCOq-MAtkXKTlw" ], "user": { "name": "smith", "id": "1334f3ed7eb2483b91b8192ba043b580", "domain": { "name": "Default", "id": "default" } }, "extras": {}, "expires_at": "2015-10-05T20:31:26.727283Z", "methods": [ "token", "password" ] } }
Identity Token Path (participants: User, OpenStack Service, Keystone)
Step 1: User obtains an unscoped token with credentials: POST v3/auth/tokens to Keystone
Step 2: Discover the projects you have access to: GET v3/users/<user_id>/projects
Step 3: Obtain a project scoped token either with your credentials or with the unscoped token from step 1
Step 4: Invoke the target service by sending requests to the endpoints listed in the token from step 3
Step 5: The service validates roles and access metadata in the token with the Keystone service or Keystone Middleware
Step 6: Serve API request
Step 7: Return response
Token Creation
Figure: Time Per Request (axis 0 to 90) and Requests Per Sec (axis 0 to 20) for token creation, compared across UUID, PKI, PKIZ and Fernet.
Token Validation
Figure: Time Per Request (axis 0 to 14) and Requests Per Sec (axis 0 to 100) for token validation, compared across UUID, PKI, PKIZ and Fernet.
Configurable token hashing
https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/user.py