Oct 2012: State of Project Keystone
OpenStack Design Summit - Grizzly: State of the Project - Keystone
Tuesday, October 16, 12
Project Technical Lead: Joe Heck
State of the Project: Keystone OpenStack Identity
me...
Joe Heck (@heckj)
grew up here, choose to live here
Outline
‣ Why keystone
‣ What is keystone
‣ Basic concepts
‣ High level architecture
‣ Keystone history review
‣ Grizzly plans
Why Keystone
‣ the first “openstack common”
‣ common internal API expressing relevant identity information to OpenStack projects
‣ need for knowledge of OpenStack service endpoints
What is Keystone
‣ single source of authentication, authorization
  ‣ same account and credentials for starting a VM instance and accessing a container in object storage
‣ enforcement of authorization policies at the service level, not centralized
‣ means of expressing API endpoints
  ‣ basic service catalog
What is Keystone - core internal services
‣ identity
‣ policy
‣ token
‣ catalog
Basic Concepts - Identity
‣ Tenant == Project
  ‣ basic unit of ownership
  ‣ collection of resources (vm, volume, container, etc)
‣ User
  ‣ individual or service
  ‣ identified by basic credentials
‣ Role
  ‣ named relationship between a user and a tenant
Basic Concepts - Policy
‣ Policy file - private/internal in Essex
  ‣ Nova, Glance, and Keystone
  ‣ extending to Cinder, Quantum
‣ Simple rule based mechanism for expressing authorization
‣ Enforcement at the services
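As an added illustration (not Keystone's, Nova's or any project's own code), a minimal evaluator for the rule shape those Essex-era policy.json files use: a rule is a list of alternatives, each alternative a list of checks that must all pass, and a check is `role:<name>`, `rule:<other rule>` or `<field>:%(key)s` (a caller field compared with a value taken from the target). The policy below is constructed; each service would load its own file and run this check at the point of enforcement, which is what "enforcement at the services" means.

```python
# Constructed policy in the list-of-lists form used by Essex/Folsom policy.json:
# outer list = alternatives (OR), inner list = checks that must all hold (AND).
POLICY = {
    "admin_required": [["role:admin"]],
    "owner": [["tenant_id:%(tenant_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "volume:delete": [["rule:admin_or_owner"]],
    "default": [["rule:admin_required"]],
}


def _check(check, creds, target, policy):
    """Evaluate one 'kind:value' check against the caller (creds) and the target."""
    kind, _, value = check.partition(":")
    if kind == "role":
        # role names come from the token as free-form strings; compare case-insensitively
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    if kind == "rule":
        # reference to another named rule; an unknown name evaluates to deny
        return _match_rule(policy.get(value, []), creds, target, policy)
    if kind in creds:
        # generic check, e.g. tenant_id:%(tenant_id)s: expand the value from the
        # target, then compare it with the caller's field of the same name
        try:
            return creds[kind] == (value % target)
        except KeyError:
            return False  # target lacks the field: deny rather than guess
    return False  # unknown check kind: fail closed


def _match_rule(rule, creds, target, policy):
    """A rule passes if any alternative has all of its checks pass."""
    return any(all(_check(c, creds, target, policy) for c in alt) for alt in rule)


def enforce(action, creds, target, policy=POLICY):
    """True if the caller (creds) may perform action on target under policy."""
    rule = policy.get(action, policy.get("default", []))
    return _match_rule(rule, creds, target, policy)
```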
Basic Concepts - Token
‣ Token
  ‣ arbitrary string to be used in HTTP headers
  ‣ identity associated with token retrievable by other OpenStack services
    ‣ token
    ‣ user, tenant, roles
    ‣ catalog
Basic Concepts - Catalog
‣ service --> endpoint
‣ OpenStack Services
  ‣ identity
  ‣ compute
  ‣ volume
  ‣ image
  ‣ ec2
  ‣ object-store
{u'access': {u'serviceCatalog': [
    {u'endpoints': [{u'adminURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                     u'internalURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                     u'publicURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                     u'region': u'RegionOne'}],
     u'endpoints_links': [], u'name': u'Volume Service', u'type': u'volume'},
    {u'endpoints': [{u'adminURL': u'http://image:9292/v1',
                     u'internalURL': u'http://image:9292/v1',
                     u'publicURL': u'http://image:9292/v1',
                     u'region': u'RegionOne'}],
     u'endpoints_links': [], u'name': u'Image Service', u'type': u'image'},
    ... ... ...
    {u'endpoints': [{u'adminURL': u'http://ident:35357/v2.0',
                     u'internalURL': u'http://ident:5000/v2.0',
                     u'publicURL': u'http://ident:5000/v2.0',
                     u'region': u'RegionOne'}],
     u'endpoints_links': [], u'name': u'Identity Service', u'type': u'identity'}],
  u'token': {u'expires': u'2012-04-19T00:06:53Z',
             u'id': u'87d45c4c6e9b445997da68f399b49704',
             u'tenant': {u'description': None, u'enabled': True,
                         u'id': u'c566cb3adfab4f4a859250f4f7d4f56c', u'name': u'demo'}},
  u'user': {u'id': u'30e5d97149cf4621b9dbeb7681917aed', u'name': u'frank',
            u'roles': [{u'id': u'089c23c4f82f4c9d8882f6919dd51103', u'name': u'Admin'},
                       {u'id': u'da104b278a2b463e89dd5e072740702e', u'name': u'Member'}],
            u'roles_links': [], u'username': u'frank'}}}
TOKEN: 87d45c4c6e9b445997da68f399b49704
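As an added example (not code from the slides or from Keystone), a small Python helper that consumes a v2.0 token response like the one above the way a receiving service would: it pulls out the token id, expiry, tenant and roles, checks expiry against a given instant, and resolves a catalog endpoint by service type, region and URL kind. The sample response is constructed from the values in the dump, trimmed to two catalog entries.

```python
from datetime import datetime, timezone
# Constructed sample, reduced from the slide's token response (two catalog entries).
SAMPLE_RESPONSE = {"access": {
    "serviceCatalog": [
        {"type": "volume", "name": "Volume Service", "endpoints_links": [], "endpoints": [
            {"region": "RegionOne",
             "adminURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
             "internalURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
             "publicURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c"}]},
        {"type": "identity", "name": "Identity Service", "endpoints_links": [], "endpoints": [
            {"region": "RegionOne",
             "adminURL": "http://ident:35357/v2.0",
             "internalURL": "http://ident:5000/v2.0",
             "publicURL": "http://ident:5000/v2.0"}]},
    ],
    "token": {"expires": "2012-04-19T00:06:53Z", "id": "87d45c4c6e9b445997da68f399b49704",
              "tenant": {"id": "c566cb3adfab4f4a859250f4f7d4f56c", "name": "demo", "enabled": True}},
    "user": {"id": "30e5d97149cf4621b9dbeb7681917aed", "name": "frank",
             "roles": [{"name": "Admin"}, {"name": "Member"}]},
}}

def parse_utc(stamp):
    """v2.0 timestamps are 'YYYY-MM-DDTHH:MM:SSZ', i.e. UTC with no offset."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_token(response):
    """Reduce the response to what a service needs to authorize a request."""
    access = response["access"]
    return {
        "token_id": access["token"]["id"],
        "expires": parse_utc(access["token"]["expires"]),
        "tenant_id": access["token"]["tenant"]["id"],
        "user_id": access["user"]["id"],
        "roles": {r["name"].lower() for r in access["user"]["roles"]},
    }

def is_expired(token, now):
    """A token is unusable from its expiry instant onwards (now is tz-aware UTC)."""
    return now >= token["expires"]

def find_endpoint(response, service_type, region="RegionOne", interface="publicURL"):
    """Resolve service type + region to a URL from the catalog; None if not listed."""
    for service in response["access"]["serviceCatalog"]:
        if service["type"] != service_type:
            continue
        for endpoint in service["endpoints"]:
            if endpoint["region"] == region:
                return endpoint.get(interface)
    return None
```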
High Level Architecture
‣ Typical OpenStack Pattern
  ‣ WSGI Application, configured with Paste
  ‣ URI routes mapped to configurable backends
‣ Configurable backends per internal service:
  ‣ SQL
  ‣ LDAP
  ‣ key-value store
  ‣ ...yours...
High Level Architecture
‣ operational facade to existing systems
  ‣ identity
  ‣ token
  ‣ policy
  ‣ catalog
Supported Backends
‣ Identity
  ‣ SQL, LDAP, Active Directory, PAM, KeyValue
‣ Catalog
  ‣ SQL, Template, KeyValue
‣ Token
  ‣ SQL, Memcache, KeyValue
‣ Policy
  ‣ Rules
Keystone history : Cactus release and earlier
‣ protocols and mechanisms originally disparate in compute and object storage
  ‣ called “auth v1”
  ‣ separate accounts in nova and swift
  ‣ glance using both highlighted the issue
Keystone history : Diablo
‣ Aggressively prototyped
  ‣ OpenStack internal token-based HTTP API
  ‣ administrative API, separate ports
  ‣ lots of changes, right up through the release
Keystone history : Essex
‣ Consolidation
  ‣ re-implemented to simplify and refactor architecture
  ‣ architecture shift to focus on independent drivers
  ‣ migrated to administrative CRUD operations
  ‣ maintained 100% API compatibility
Keystone history : Folsom
‣ PKI and prep for Grizzly+
  ‣ Enabled PKI based tokens
  ‣ kept everything rock solid
  ‣ maintained 100% API compatibility
  ‣ Resolved bugs, dealt with security issues as they were uncovered
  ‣ lessons learned led to a V3 identity API
  ‣ started implementation on V3 API
Keystone future : Grizzly
‣ Implement V3 API
  ‣ auth changes affect and impact every project
  ‣ consolidate code into Oslo (openstack-common)
  ‣ help drive consolidated policy and roles changes through all projects
‣ Consolidate policy files
  ‣ focus on documentation, example configurations
Keystone future : Grizzly
‣ Extend the authorization mechanisms
  ‣ support delegation/impersonation
  ‣ ActiveDirectory support
  ‣ externalizing authentication
‣ Moving default token to PKI
  ‣ CLI and common authentication
Keystone future : Grizzly (learning)
‣ Federation
  ‣ Discussion of use cases and setup
  ‣ Learn what’s needed to fully support trust delegation