Friday, April 20, 12
Project Technical Lead: Joe Heck
State of the Project: Keystone OpenStack Identity
Who Am I
‣ Joe Heck, @heckj
‣ grew up here
‣ choose to live here
Outline
‣ Why keystone
‣ What is keystone
‣ Basic concepts
‣ High level architecture
‣ Essex release
‣ Folsom plans
Why Keystone
‣ the first “openstack common”
‣ common internal API expressing relevant identity information to OpenStack projects
‣ need for knowledge of OpenStack service endpoints
Keystone history
‣ protocols and mechanisms originally disparate in compute and object storage
‣ aggressively prototyped in Diablo release
  ‣ OpenStack internal token-based HTTP API
  ‣ administrative API
‣ consolidated in Essex release
  ‣ architecture shift to focus on independent drivers
  ‣ migrated to administrative CRUD operations
What is Keystone
‣ single source of authentication, authorization
  ‣ same account and credentials for starting a VM instance and accessing a container in object storage
‣ means of expressing API endpoints
  ‣ basic service catalog
What is Keystone - core internal services
‣ identity
‣ policy
‣ token
‣ catalog
Basic Concepts - Identity
‣ Tenant == Project
  ‣ basic unit of ownership
  ‣ collection of resources (vm, volume, container, etc)
‣ User
  ‣ individual or service
  ‣ identified by basic credentials
‣ Role
  ‣ named relationship between a user and tenant
Basic Concepts - Policy
‣ Policy file - private/internal in Essex
  ‣ Nova, Glance, and Keystone
‣ Simple rule-based mechanism for expressing authorization
‣ Enforcement at the services
Basic Concepts - Token
‣ Token
  ‣ arbitrary string to be used in HTTP headers
  ‣ identity associated with token retrievable by other OpenStack services
    ‣ token
    ‣ user, tenant, roles
    ‣ catalog
Basic Concepts - Catalog
‣ service --> endpoint
‣ OpenStack Services
  ‣ identity
  ‣ compute
  ‣ volume
  ‣ image
  ‣ ec2
  ‣ object-store
{u'access': {
    u'serviceCatalog': [
        {u'endpoints': [{u'adminURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                         u'internalURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                         u'publicURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                         u'region': u'RegionOne'}],
         u'endpoints_links': [], u'name': u'Volume Service', u'type': u'volume'},
        {u'endpoints': [{u'adminURL': u'http://image:9292/v1',
                         u'internalURL': u'http://image:9292/v1',
                         u'publicURL': u'http://image:9292/v1',
                         u'region': u'RegionOne'}],
         u'endpoints_links': [], u'name': u'Image Service', u'type': u'image'},
        ... ... ...
        {u'endpoints': [{u'adminURL': u'http://ident:35357/v2.0',
                         u'internalURL': u'http://ident:5000/v2.0',
                         u'publicURL': u'http://ident:5000/v2.0',
                         u'region': u'RegionOne'}],
         u'endpoints_links': [], u'name': u'Identity Service', u'type': u'identity'}],
    u'token': {u'expires': u'2012-04-19T00:06:53Z',
               u'id': u'87d45c4c6e9b445997da68f399b49704',
               u'tenant': {u'description': None, u'enabled': True,
                           u'id': u'c566cb3adfab4f4a859250f4f7d4f56c', u'name': u'demo'}},
    u'user': {u'id': u'30e5d97149cf4621b9dbeb7681917aed', u'name': u'frank',
              u'roles': [{u'id': u'089c23c4f82f4c9d8882f6919dd51103', u'name': u'Admin'},
                         {u'id': u'da104b278a2b463e89dd5e072740702e', u'name': u'Member'}],
              u'roles_links': [], u'username': u'frank'}}}
HTTP_X_AUTH_TOKEN: 87d45c4c6e9b445997da68f399b49704
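What a service, or the auth_token middleware in front of it, does with a token response of the shape above, as an added example (not code from the deck or from Keystone): it checks expiry, turns user/tenant/roles into request headers (the header names are an assumption), resolves an endpoint from the catalog, and enforces a role rule in the spirit of the Essex policy file. The sample document is constructed from the page's values.

```python
"""Model of what an OpenStack service (or auth_token middleware in front of
it) does with a Keystone v2.0 token response: check expiry, extract
user/tenant/roles, resolve a catalog endpoint, enforce a role rule.
Added example, not Keystone's own code."""
from datetime import datetime

# Constructed sample in the shape of the page's token response (two catalog entries).
VOL = "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c"
ACCESS = {
    "serviceCatalog": [
        {"type": "volume", "endpoints": [{"region": "RegionOne",
            "adminURL": VOL, "internalURL": VOL, "publicURL": VOL}]},
        {"type": "identity", "endpoints": [{"region": "RegionOne",
            "adminURL": "http://ident:35357/v2.0",
            "internalURL": "http://ident:5000/v2.0",
            "publicURL": "http://ident:5000/v2.0"}]}],
    "token": {"expires": "2012-04-19T00:06:53Z",
              "id": "87d45c4c6e9b445997da68f399b49704",
              "tenant": {"id": "c566cb3adfab4f4a859250f4f7d4f56c",
                         "name": "demo", "enabled": True}},
    "user": {"id": "30e5d97149cf4621b9dbeb7681917aed", "name": "frank",
             "roles": [{"name": "Admin"}, {"name": "Member"}]}}
ISO = "%Y-%m-%dT%H:%M:%SZ"

def token_valid(access, now_iso):
    """Reject expired tokens and disabled tenants ('now' is passed in so the
    check is reproducible: the page's token expired in 2012)."""
    tok = access["token"]
    fresh = datetime.strptime(now_iso, ISO) < datetime.strptime(tok["expires"], ISO)
    return fresh and tok["tenant"].get("enabled", False)

def identity_headers(access):
    """The validated identity as headers for the downstream service
    (header names are an assumption, not taken from the page)."""
    return {"X-User-Id": access["user"]["id"],
            "X-Tenant-Id": access["token"]["tenant"]["id"],
            "X-Roles": ",".join(r["name"] for r in access["user"]["roles"])}

def endpoint_for(access, service_type, region="RegionOne", interface="publicURL"):
    """Catalog lookup: service type plus region selects an endpoint record."""
    for svc in access["serviceCatalog"]:
        for ep in svc["endpoints"]:
            if svc["type"] == service_type and ep["region"] == region:
                return ep[interface]
    raise LookupError("no %s endpoint in %s" % (service_type, region))

def enforce(rule_roles, headers):
    """Rule check in the spirit of the Essex policy file: pass if the caller
    holds any role the rule names; enforcement happens at the service."""
    return bool(set(headers["X-Roles"].split(",")) & set(rule_roles))
```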
High Level Architecture
‣ Typical OpenStack Pattern
  ‣ WSGI Application, configured with Paste
  ‣ URI routes mapped to configurable backends
‣ Configurable backends per internal service:
  ‣ SQL
  ‣ LDAP
  ‣ key-value store
  ‣ ...yours...
High Level Architecture
‣ operational facade to existing systems
  ‣ identity
  ‣ token
  ‣ policy
  ‣ catalog
Essex Backends
‣ Identity
  ‣ SQL, LDAP, PAM, KeyValue
‣ Catalog
  ‣ SQL, Template, KeyValue
‣ Token
  ‣ SQL, Memcache, KeyValue
‣ Policy
  ‣ Rules
Essex Release
‣ API Stability
  ‣ architecture reset - maintained Diablo API compatibility
  ‣ functional test driven
  ‣ “auth_token” middleware - rewritten
‣ Operational Focus
  ‣ Additional logging
  ‣ Basic RBAC “policy” (nova, glance, keystone)
Folsom Plans
‣ theme: steady, stable, tested
  ‣ careful, thoughtful improvement
  ‣ keep core simple, stable
  ‣ continued focus on integration tests and stability
Folsom Plans
‣ iterate forward on API
  ‣ Identity
    ‣ domain (collections of tenants)
    ‣ additional backends (ldap to Active Directory)
  ‣ authentication enhancements
    ‣ PKI support
    ‣ multi-factor support
fini