Oct 2012 State of Project Keystone
Description: OpenStack Design Summit - Grizzly: State of the Project - Keystone
Transcript
Tuesday, October 16, 12
Project Technical Lead: Joe Heck
State of the Project: Keystone OpenStack Identity
me...
@heckj
grew up here
choose to live here
Joe Heck
Outline
‣ Why keystone
‣ What is keystone
‣ Basic concepts
‣ High level architecture
‣ Keystone history review
‣ Grizzly plans
Why Keystone
‣ the first “openstack common”
‣ common internal API expressing relevant identity information to OpenStack projects
‣ need for knowledge of OpenStack service endpoints
What is Keystone
‣ single source of authentication, authorization
  ‣ same account and credentials for starting a VM instance and accessing a container in object storage
‣ enforcement of authorization policies at the service level, not centralized
‣ means of expressing API endpoints
  ‣ basic service catalog
What is Keystone - core internal services
‣ identity
‣ policy
‣ token
‣ catalog
Basic Concepts - Identity
‣ Tenant == Project
  ‣ basic unit of ownership
  ‣ collection of resources (vm, volume, container, etc)
‣ User
  ‣ individual or service
  ‣ identified by basic credentials
‣ Role
  ‣ named relationship between a user and tenant
Basic Concepts - Policy
‣ Policy file - private/internal in Essex
  ‣ Nova, Glance, and Keystone
  ‣ extending to Cinder, Quantum
‣ Simple rule based mechanism for expressing authorization
‣ Enforcement at the services
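To make "simple rule based mechanism" and "enforcement at the services" concrete, here is an added example (not code from the deck, and not the openstack-common policy engine it refers to): a small Python re-implementation of the Essex-era policy.json rule shape, in which a rule is a list of alternatives (OR) and each alternative is a list of "kind:match" checks (AND). The point the slide makes is that the service itself evaluates the rule, against the user, tenant and roles Keystone returned for the token; Keystone never sees the decision. The policy text, the action names, the credentials and the `PolicyEnforcer` / `start_instance` names are constructed for illustration.

```python
# Added example for this transcript, not the openstack-common policy engine
# the deck refers to: a small re-implementation of the Essex-era policy.json
# shape, where a rule is a list of alternatives (OR) and each alternative is
# a list of "kind:match" checks (AND).  The service evaluates the rule itself,
# against the user/tenant/roles Keystone returned for the token.  The policy
# text, action names and credentials below are constructed.
import json

POLICY_JSON = """
{
    "admin_required": [["role:admin"]],
    "owner":          [["tenant_id:%(tenant_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "compute:start":  [["rule:admin_or_owner"]],
    "compute:delete": [["rule:admin_or_owner"]],
    "admin_api":      [["rule:admin_required"]],
    "default":        [["rule:admin_or_owner"]]
}
"""


class PolicyEnforcer:
    def __init__(self, policy_text, default_rule='default'):
        self.rules = json.loads(policy_text)
        self.default_rule = default_rule

    def enforce(self, action, target, creds):
        """True if creds may perform action on target (fail closed if no rule)."""
        rule = self.rules.get(action, self.rules.get(self.default_rule))
        if rule is None:
            return False
        return self._check_rule(rule, target, creds, depth=0)

    def _check_rule(self, rule, target, creds, depth):
        if depth > 10:                      # guard against rule:a -> rule:b -> rule:a loops
            raise ValueError('policy rule nesting too deep')
        # outer list: any alternative suffices; inner list: every check must hold.
        return any(all(self._check(check, target, creds, depth) for check in alt)
                   for alt in rule)

    def _check(self, check, target, creds, depth):
        if check == '@':                    # always allow
            return True
        if check == '!':                    # never allow
            return False
        kind, _, match = check.partition(':')
        if kind == 'rule':                  # reference to another named rule
            sub = self.rules.get(match)
            return sub is not None and self._check_rule(sub, target, creds, depth + 1)
        if kind == 'role':                  # role names compare case-insensitively
            return match.lower() in [r.lower() for r in creds.get('roles', [])]
        # generic check: "<creds key>:<value>", with %(key)s taken from the target
        try:
            expected = match % target
        except KeyError:                    # target lacks the key: deny, don't guess
            return False
        return kind in creds and str(creds[kind]) == expected


def start_instance(enforcer, creds, instance):
    """How a service gates one API call: authorize locally, then act."""
    if not enforcer.enforce('compute:start', {'tenant_id': instance['tenant_id']}, creds):
        raise PermissionError('compute:start denied for user %s' % creds.get('user_id'))
    return 'started %s' % instance['id']


if __name__ == '__main__':
    enforcer = PolicyEnforcer(POLICY_JSON)
    frank = {'user_id': 'frank', 'tenant_id': 'demo', 'roles': ['Admin', 'Member']}
    print(start_instance(enforcer, frank, {'id': 'vm-1', 'tenant_id': 'other'}))
```

Two details worth noticing when writing such a file: an unknown action falls through to the `default` rule rather than to "allow", and a target that lacks the key a rule substitutes (`%(tenant_id)s`) fails the check rather than matching an empty string.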
Basic Concepts - Token
‣ Token
  ‣ arbitrary string to be used in HTTP headers
  ‣ identity associated with token retrievable by other OpenStack services
    ‣ token
    ‣ user, tenant, roles
    ‣ catalog
Basic Concepts - Catalog
‣ service --> endpoint
‣ OpenStack Services
  ‣ identity
  ‣ compute
  ‣ volume
  ‣ image
  ‣ ec2
  ‣ object-store
```python
{u'access': {
    u'serviceCatalog': [
        {u'endpoints': [{u'adminURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                         u'internalURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                         u'publicURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                         u'region': u'RegionOne'}],
         u'endpoints_links': [],
         u'name': u'Volume Service',
         u'type': u'volume'},
        {u'endpoints': [{u'adminURL': u'http://image:9292/v1',
                         u'internalURL': u'http://image:9292/v1',
                         u'publicURL': u'http://image:9292/v1',
                         u'region': u'RegionOne'}],
         u'endpoints_links': [],
         u'name': u'Image Service',
         u'type': u'image'},
        # ... ... ...
        {u'endpoints': [{u'adminURL': u'http://ident:35357/v2.0',
                         u'internalURL': u'http://ident:5000/v2.0',
                         u'publicURL': u'http://ident:5000/v2.0',
                         u'region': u'RegionOne'}],
         u'endpoints_links': [],
         u'name': u'Identity Service',
         u'type': u'identity'}],
    u'token': {u'expires': u'2012-04-19T00:06:53Z',
               u'id': u'87d45c4c6e9b445997da68f399b49704',
               u'tenant': {u'description': None,
                           u'enabled': True,
                           u'id': u'c566cb3adfab4f4a859250f4f7d4f56c',
                           u'name': u'demo'}},
    u'user': {u'id': u'30e5d97149cf4621b9dbeb7681917aed',
              u'name': u'frank',
              u'roles': [{u'id': u'089c23c4f82f4c9d8882f6919dd51103', u'name': u'Admin'},
                         {u'id': u'da104b278a2b463e89dd5e072740702e', u'name': u'Member'}],
              u'roles_links': [],
              u'username': u'frank'}}}
```
TOKEN: 87d45c4c6e9b445997da68f399b49704
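The response above is what a client, or another service validating a token, gets back: the opaque token string, the user/tenant/roles it stands for, and the catalog. As an added example, not Keystone's own code, here is how a consumer would pull the security-relevant fields out of it and choose a catalog endpoint in Python. `SAMPLE_RESPONSE` is a constructed copy of the slide's response with the elided services left out; `parse_utc`, `token_context`, `find_endpoint` and `auth_headers` are illustrative names. Note that the slide's token expired on 2012-04-19, so a caller using the real clock must reject it; the example takes an explicit `now` so that behaviour can be seen on both sides of the expiry.

```python
# Added example for this transcript (not Keystone's own code): pull the
# security-relevant fields out of a v2.0 token response and pick a catalog
# endpoint from it.  SAMPLE_RESPONSE is a constructed copy of the slide's
# response with the elided entries left out; function names are our own.
from datetime import datetime, timezone

SAMPLE_RESPONSE = {
    'access': {
        'serviceCatalog': [
            {'name': 'Volume Service', 'type': 'volume', 'endpoints_links': [],
             'endpoints': [{'region': 'RegionOne',
                            'adminURL': 'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                            'internalURL': 'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                            'publicURL': 'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c'}]},
            {'name': 'Image Service', 'type': 'image', 'endpoints_links': [],
             'endpoints': [{'region': 'RegionOne',
                            'adminURL': 'http://image:9292/v1',
                            'internalURL': 'http://image:9292/v1',
                            'publicURL': 'http://image:9292/v1'}]},
            {'name': 'Identity Service', 'type': 'identity', 'endpoints_links': [],
             'endpoints': [{'region': 'RegionOne',
                            'adminURL': 'http://ident:35357/v2.0',
                            'internalURL': 'http://ident:5000/v2.0',
                            'publicURL': 'http://ident:5000/v2.0'}]},
        ],
        'token': {'expires': '2012-04-19T00:06:53Z',
                  'id': '87d45c4c6e9b445997da68f399b49704',
                  'tenant': {'description': None, 'enabled': True,
                             'id': 'c566cb3adfab4f4a859250f4f7d4f56c', 'name': 'demo'}},
        'user': {'id': '30e5d97149cf4621b9dbeb7681917aed', 'name': 'frank',
                 'username': 'frank', 'roles_links': [],
                 'roles': [{'id': '089c23c4f82f4c9d8882f6919dd51103', 'name': 'Admin'},
                           {'id': 'da104b278a2b463e89dd5e072740702e', 'name': 'Member'}]},
    }
}


def parse_utc(stamp):
    """Keystone v2.0 writes expiry as 'YYYY-MM-DDTHH:MM:SSZ' (UTC)."""
    return datetime.strptime(stamp, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)


def token_context(response, now=None):
    """Return the identity a service would cache for this token.

    Raises ValueError if the token has expired or its tenant is disabled.
    `now` may be a datetime or a timestamp string; it defaults to the clock.
    """
    access = response['access']
    token = access['token']
    now = parse_utc(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    expires = parse_utc(token['expires'])
    if expires <= now:
        raise ValueError('token %s expired at %s' % (token['id'], token['expires']))
    tenant = token.get('tenant')            # unscoped tokens carry no tenant
    if tenant is not None and not tenant.get('enabled', True):
        raise ValueError('tenant %s is disabled' % tenant['id'])
    return {
        'token': token['id'],
        'user_id': access['user']['id'],
        'tenant_id': tenant['id'] if tenant else None,
        'roles': [r['name'] for r in access['user']['roles']],
        'expires': expires,
    }


def find_endpoint(response, service_type, region='RegionOne', interface='publicURL'):
    """Look a service up by type (not display name) and return one of its URLs.

    interface is 'publicURL', 'internalURL' or 'adminURL'.  The sample shows why
    it matters: identity's admin API is on port 35357, the public one on 5000.
    """
    for service in response['access']['serviceCatalog']:
        if service['type'] != service_type:
            continue
        for endpoint in service['endpoints']:
            if endpoint.get('region') == region and interface in endpoint:
                return endpoint[interface]
    raise LookupError('no %s for %s in %s' % (interface, service_type, region))


def auth_headers(context):
    """The token travels as an opaque string in an HTTP header."""
    return {'X-Auth-Token': context['token']}


if __name__ == '__main__':
    ctx = token_context(SAMPLE_RESPONSE, now='2012-04-18T23:00:00Z')
    print(ctx['roles'], find_endpoint(SAMPLE_RESPONSE, 'identity', interface='adminURL'))
```

Selecting by `type` rather than `name` is deliberate: deployments rename services freely, and the catalog is only useful to code that keys on the stable type strings listed on the Catalog slide.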
High Level Architecture
‣ Typical OpenStack Pattern
  ‣ WSGI Application, configured with Paste
  ‣ URI routes mapped to configurable backends
‣ Configurable backends per internal service:
  ‣ SQL
  ‣ LDAP
  ‣ key-value store
  ‣ ...yours...
High Level Architecture
‣ operational facade to existing systems
  ‣ identity
  ‣ token
  ‣ policy
  ‣ catalog
Supported Backends
‣ Identity
  ‣ SQL, LDAP, Active Directory, PAM, KeyValue
‣ Catalog
  ‣ SQL, Template, KeyValue
‣ Token
  ‣ SQL, Memcache, KeyValue
‣ Policy
  ‣ Rules
Keystone history : Cactus release and earlier
‣ protocols and mechanisms originally disparate in compute and object storage
  ‣ called “auth v1”
  ‣ separate accounts in nova and swift
  ‣ glance using both, highlighted the issue
Keystone history : Diablo
‣ Aggressively prototyped
  ‣ OpenStack internal token-based HTTP API
  ‣ administrative API, separate ports
  ‣ lots of changes, right up through the release
Keystone history : Essex
‣ Consolidation
  ‣ re-implemented to simplify and refactor architecture
  ‣ architecture shift to focus on independent drivers
  ‣ migrated to administrative CRUD operations
  ‣ maintained 100% API compatibility
Keystone history : Folsom
‣ PKI and prep for Grizzly+
  ‣ Enabled PKI based tokens
  ‣ kept everything rock solid
  ‣ maintained 100% API compatibility
  ‣ Resolved bugs, dealt with security issues as they were uncovered
  ‣ lessons learned led to a V3 identity API
  ‣ started implementation on V3 API
Keystone future : Grizzly
‣ Implement V3 API
  ‣ auth changes affect every project
  ‣ consolidate code into Oslo (openstack-common)
  ‣ help drive consolidated policy and roles changes through all projects
‣ Consolidate policy files
  ‣ focus on documentation, example configurations
Keystone future : Grizzly
‣ Extend the authorization mechanisms
  ‣ support delegation/impersonation
  ‣ ActiveDirectory support
  ‣ externalizing authentication
‣ Moving default token to PKI
‣ CLI and common authentication
Keystone future : Grizzly (learning)
‣ Federation
  ‣ Discussion of use cases and setup
  ‣ Learn what’s needed to fully support trust delegation