oct 2012 state of project keystone
Tuesday, October 16, 12

Upload: joseph-heck

Post on 29-Jun-2015

DESCRIPTION

OpenStack Design Summit - Grizzly: State of the Project - Keystone

TRANSCRIPT

Page 1: Oct 2012 state of project keystone

Page 2: Oct 2012 state of project keystone

Project Technical Lead: Joe Heck

State of the Project: Keystone OpenStack Identity

Page 3: Oct 2012 state of project keystone

me...

@heckj

grew up here

choose to live here

Joe Heck

Page 4: Oct 2012 state of project keystone

Outline

‣ Why keystone
‣ What is keystone
‣ Basic concepts
‣ High level architecture
‣ Keystone history review
‣ Grizzly plans

Page 5: Oct 2012 state of project keystone

Why Keystone

‣ the first “openstack common”
‣ common internal API expressing relevant identity information to OpenStack projects
‣ need for knowledge of OpenStack service endpoints

Page 6: Oct 2012 state of project keystone

What is Keystone

‣ single source of authentication, authorization
  ‣ same account and credentials for starting a VM instance and accessing a container in object storage
‣ enforcement of authorization policies at the service level, not centralized
‣ means of expressing API endpoints
  ‣ basic service catalog

Page 7: Oct 2012 state of project keystone

What is Keystone - core internal services

‣ identity
‣ policy
‣ token
‣ catalog

Page 8: Oct 2012 state of project keystone

Basic Concepts - Identity

‣ Tenant == Project
  ‣ basic unit of ownership
  ‣ collection of resources (vm, volume, container, etc)
‣ User
  ‣ individual or service
  ‣ identified by basic credentials
‣ Role
  ‣ named relationship between a user and tenant

Page 9: Oct 2012 state of project keystone

Basic Concepts - Policy

‣ Policy file - private/internal in Essex
  ‣ Nova, Glance, and Keystone
  ‣ extending to Cinder, Quantum
‣ Simple rule based mechanism for expressing authorization
‣ Enforcement at the services

Page 10: Oct 2012 state of project keystone

Basic Concepts - Token

‣ Token
  ‣ arbitrary string to be used in HTTP headers
  ‣ identity associated with token retrievable by other OpenStack services
    ‣ token
    ‣ user, tenant, roles
    ‣ catalog

Page 11: Oct 2012 state of project keystone

Basic Concepts - Catalog

‣ service --> endpoint
‣ OpenStack Services
  ‣ identity
  ‣ compute
  ‣ volume
  ‣ image
  ‣ ec2
  ‣ object-store

Page 12: Oct 2012 state of project keystone

{u'access': {u'serviceCatalog': [
    {u'endpoints': [{u'adminURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                     u'internalURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                     u'publicURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                     u'region': u'RegionOne'}],
     u'endpoints_links': [], u'name': u'Volume Service', u'type': u'volume'},
    {u'endpoints': [{u'adminURL': u'http://image:9292/v1',
                     u'internalURL': u'http://image:9292/v1',
                     u'publicURL': u'http://image:9292/v1',
                     u'region': u'RegionOne'}],
     u'endpoints_links': [], u'name': u'Image Service', u'type': u'image'},
    ... ... ...
    {u'endpoints': [{u'adminURL': u'http://ident:35357/v2.0',
                     u'internalURL': u'http://ident:5000/v2.0',
                     u'publicURL': u'http://ident:5000/v2.0',
                     u'region': u'RegionOne'}],
     u'endpoints_links': [], u'name': u'Identity Service', u'type': u'identity'}],
 u'token': {u'expires': u'2012-04-19T00:06:53Z',
            u'id': u'87d45c4c6e9b445997da68f399b49704',
            u'tenant': {u'description': None, u'enabled': True,
                        u'id': u'c566cb3adfab4f4a859250f4f7d4f56c', u'name': u'demo'}},
 u'user': {u'id': u'30e5d97149cf4621b9dbeb7681917aed', u'name': u'frank',
           u'roles': [{u'id': u'089c23c4f82f4c9d8882f6919dd51103', u'name': u'Admin'},
                      {u'id': u'da104b278a2b463e89dd5e072740702e', u'name': u'Member'}],
           u'roles_links': [], u'username': u'frank'}}}

TOKEN: 87d45c4c6e9b445997da68f399b49704
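The document above is what a consuming service sees once it validates a token. As an added example (not from the deck, not Keystone's own code), the Python below builds a constructed response of the same shape and shows what the Token, Catalog and Policy slides describe: refuse an expired token, pull out user/tenant/roles, resolve an endpoint from the catalog by service type and interface, and apply a toy "role:X or tenant_id:Y" rule at the service. Ids, URLs, the rule syntax and all function names are assumptions for illustration.

```python
from datetime import datetime

# Constructed sample shaped like the slide's ``access`` document; ids and URLs are placeholders.
ACCESS = {"access": {
    "serviceCatalog": [
        {"type": "volume", "name": "Volume Service", "endpoints": [
            {"region": "RegionOne", "publicURL": "http://vol:8776/v1/TENANT_ID",
             "internalURL": "http://vol:8776/v1/TENANT_ID", "adminURL": "http://vol:8776/v1/TENANT_ID"}]},
        {"type": "identity", "name": "Identity Service", "endpoints": [
            {"region": "RegionOne", "publicURL": "http://ident:5000/v2.0",
             "internalURL": "http://ident:5000/v2.0", "adminURL": "http://ident:35357/v2.0"}]},
    ],
    "token": {"id": "TOKEN_ID", "expires": "2012-04-19T00:06:53Z",
              "tenant": {"id": "TENANT_ID", "name": "demo", "enabled": True}},
    "user": {"id": "USER_ID", "name": "frank",
             "roles": [{"id": "ROLE_A", "name": "Admin"}, {"id": "ROLE_M", "name": "Member"}]},
}}

FMT = "%Y-%m-%dT%H:%M:%SZ"  # v2 timestamps are UTC with a literal trailing Z

def token_is_valid(access, now_iso):
    """A service must refuse an expired token before trusting anything else in it."""
    return datetime.strptime(now_iso, FMT) < datetime.strptime(access["access"]["token"]["expires"], FMT)

def identity(access):
    """The (user, tenant, roles) triple the slide says other services retrieve from a token."""
    a = access["access"]
    return a["user"]["name"], a["token"]["tenant"]["id"], sorted(r["name"] for r in a["user"]["roles"])

def endpoint(access, service_type, interface="public", region=None):
    """Resolve a URL from the catalog by type and interface (public/internal/admin); None if absent."""
    for svc in access["access"]["serviceCatalog"]:
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if region is None or ep.get("region") == region:
                return ep.get(interface + "URL")
    return None

def authorized(access, rule):
    """Toy evaluator for a 'role:X or tenant_id:Y' rule, enforced at the service, not centrally."""
    _, tenant, roles = identity(access)
    for term in rule.split(" or "):
        kind, _, value = term.partition(":")
        if (kind == "role" and value in roles) or (kind == "tenant_id" and value == tenant):
            return True
    return False
```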

Page 13: Oct 2012 state of project keystone

High Level Architecture

‣ Typical OpenStack Pattern
  ‣ WSGI Application, configured with Paste
  ‣ URI routes mapped to configurable backends
‣ Configurable backends per internal service:
  ‣ SQL
  ‣ LDAP
  ‣ key-value store
  ‣ ...yours...

Page 14: Oct 2012 state of project keystone

High Level Architecture

‣ operational facade to existing systems
  ‣ identity
  ‣ token
  ‣ policy
  ‣ catalog

Page 15: Oct 2012 state of project keystone

Supported Backends

‣ Identity
  ‣ SQL, LDAP, Active Directory, PAM, KeyValue
‣ Catalog
  ‣ SQL, Template, KeyValue
‣ Token
  ‣ SQL, Memcache, KeyValue
‣ Policy
  ‣ Rules

Page 16: Oct 2012 state of project keystone

Keystone history : Cactus release and earlier

‣ protocols and mechanisms originally disparate in compute and object storage
  ‣ called “auth v1”
  ‣ separate accounts in nova and swift
  ‣ glance using both, highlighted the issue

Page 17: Oct 2012 state of project keystone

Keystone history : Diablo

‣ Aggressively prototyped
  ‣ OpenStack internal token-based HTTP API
  ‣ administrative API, separate ports
  ‣ lots of changes, right up through the release

Page 18: Oct 2012 state of project keystone

Keystone history : Essex

‣ Consolidation
  ‣ re-implemented to simplify and refactor architecture
  ‣ architecture shift to focus on independent drivers
  ‣ migrated to administrative CRUD operations
  ‣ maintained 100% API compatibility

Page 19: Oct 2012 state of project keystone

Keystone history : Folsom

‣ PKI and prep for Grizzly+
  ‣ Enabled PKI based tokens
  ‣ kept everything rock solid
  ‣ maintained 100% API compatibility
  ‣ Resolved bugs, dealt with security issues as they were uncovered
  ‣ lessons learned led to a V3 identity API
  ‣ started implementation on V3 API

Page 20: Oct 2012 state of project keystone

Keystone future : Grizzly

‣ Implement V3 API
  ‣ auth changes affect and impact every project
  ‣ consolidate code into Oslo (openstack-common)
  ‣ help drive consolidated policy and roles changes through all projects
‣ Consolidate policy files
  ‣ focus on documentation, example configurations

Page 21: Oct 2012 state of project keystone

Keystone future : Grizzly

‣ Extend the authorization mechanisms
  ‣ support delegation/impersonation
  ‣ ActiveDirectory support
  ‣ externalizing authentication
‣ Moving default token to PKI
‣ CLI and common authentication

Page 22: Oct 2012 state of project keystone

Keystone future : Grizzly (learning)

‣ Federation
  ‣ Discussion of use cases and setup
  ‣ Learn what’s needed to fully support trust delegation

Page 23: Oct 2012 state of project keystone

fini

Joe Heck