Friday, April 20, 12

Spring 2012 state of project keystone

Page 1: Spring 2012 state of project keystone

Page 2

State of the Project: Keystone (OpenStack Identity)

Project Technical Lead: Joe Heck

Page 3

Who Am I

Joe Heck (@heckj)

(map slide with two callouts: "grew up here" / "chose to live here")

Page 4

Outline

‣ Why Keystone
‣ What is Keystone
‣ Basic concepts
‣ High level architecture
‣ Essex release
‣ Folsom plans

Page 5

Why Keystone

‣ the first “openstack common”
‣ a common internal API expressing the identity information relevant to OpenStack projects
‣ a need for knowledge of OpenStack service endpoints

Page 6

Keystone history

‣ protocols and mechanisms originally disparate in compute and object storage
‣ aggressively prototyped in the Diablo release
  ‣ OpenStack internal token-based HTTP API
  ‣ administrative API
‣ consolidated in the Essex release
  ‣ architecture shift to focus on independent drivers
  ‣ migrated to administrative CRUD operations

Page 7

What is Keystone

‣ single source of authentication and authorization
  ‣ the same account and credentials for starting a VM instance and for accessing a container in object storage
‣ means of expressing API endpoints
  ‣ basic service catalog

Page 8

What is Keystone - core internal services

‣ identity
‣ policy
‣ token
‣ catalog

Page 9

Basic Concepts - Identity

‣ Tenant == Project
  ‣ basic unit of ownership
  ‣ collection of resources (VM, volume, container, etc.)
‣ User
  ‣ an individual or a service
  ‣ identified by basic credentials
‣ Role
  ‣ a named relationship between a user and a tenant

Page 10

Basic Concepts - Policy

‣ Policy file - private/internal to each project in Essex
  ‣ Nova, Glance, and Keystone each carry their own
‣ simple rule-based mechanism for expressing authorization
‣ enforcement happens at the services, not in Keystone
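As an added example (not code from the deck, and not openstack.common.policy itself), here is a small rule engine in the style of the Essex-era policy.json files: an action maps to a list of alternatives (OR), each alternative is a list of checks that must all hold (AND), and an empty list means "no restriction". The check kinds (role:, rule:, is_admin:, and attribute:%(attribute)s matched against the target object), the case-insensitive role comparison, and the policy file contents are my reconstruction of those files and should be treated as assumptions. The credentials are built from the same fields a service gets back for a token: user id, tenant id and role names.

```python
"""Rule-based authorization check in the style of Essex policy.json files.

Added example, not openstack.common.policy. File format and check kinds follow
the Essex-era policy files as I recall them; treat the exact semantics as an
assumption, not a specification.
"""
import json

# Constructed policy file modelled on a Nova Essex policy.json (assumption).
POLICY_JSON = """{
    "admin_required": [["role:admin"], ["is_admin:True"]],
    "admin_or_owner": [["rule:admin_required"], ["tenant_id:%(tenant_id)s"]],
    "default":        [["rule:admin_or_owner"]],
    "compute:create": [],
    "compute:delete": [["rule:admin_or_owner"]],
    "compute:get_all_tenants": [["rule:admin_required"]]
}"""


class PolicyNotAuthorized(Exception):
    """Raised by Enforcer.enforce() when the action is denied."""


class Enforcer:
    MAX_RULE_DEPTH = 16  # guard against rule:a -> rule:b -> rule:a loops

    def __init__(self, policy_text):
        self.rules = json.loads(policy_text)

    def check(self, action, creds, target, _depth=0):
        """True if creds may perform action on target; unknown actions use "default"."""
        if _depth > self.MAX_RULE_DEPTH:
            raise ValueError("policy rule recursion too deep at %r" % action)
        if action not in self.rules:
            # No explicit rule and no "default" rule either: deny, never allow.
            return action != "default" and self.check("default", creds, target, _depth + 1)
        alternatives = self.rules[action]
        if not alternatives:            # [] means "no restriction"
            return True
        return any(all(self._match(check, creds, target, _depth) for check in alternative)
                   for alternative in alternatives)

    def _match(self, check, creds, target, depth):
        kind, _, value = check.partition(":")
        try:
            value = value % target      # expand %(key)s from the target object
        except KeyError:
            return False                # target lacks the attribute: cannot match
        if kind == "rule":
            return self.check(value, creds, target, depth + 1)
        if kind == "role":              # role names compared case-insensitively (assumption)
            return value.lower() in (r.lower() for r in creds.get("roles", []))
        if kind == "is_admin":
            return str(creds.get("is_admin", False)) == value
        return str(creds.get(kind)) == value   # generic credential attribute

    def enforce(self, action, creds, target):
        """Service-side enforcement point: raise instead of returning False."""
        if not self.check(action, creds, target):
            raise PolicyNotAuthorized("%s denied for user %s" % (action, creds.get("user_id")))


def creds_from_token(access):
    """Credential dict from the 'access' block of a v2.0 token response."""
    return {"user_id": access["user"]["id"],
            "tenant_id": access["token"]["tenant"]["id"],
            "roles": [r["name"] for r in access["user"]["roles"]]}
```

The two choices worth copying are the deny-by-default fallback (no rule and no "default" rule means denied) and treating a missing target attribute as a non-match: a rule like tenant_id:%(tenant_id)s must fail closed when the service forgot to pass the owning tenant, rather than raise or, worse, compare against None.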

Page 11

Basic Concepts - Token

‣ Token
  ‣ an arbitrary string to be used in HTTP headers
  ‣ the identity associated with the token is retrievable by other OpenStack services:
    ‣ token
    ‣ user, tenant, roles
    ‣ catalog

Page 12

Basic Concepts - Catalog

‣ service --> endpoint
‣ OpenStack services
  ‣ identity
  ‣ compute
  ‣ volume
  ‣ image
  ‣ ec2
  ‣ object-store

Page 13

Example v2.0 token response as returned to a client (the "... ... ..." marks part of the service catalog the slide elides):

{u'access': {u'serviceCatalog': [
    {u'endpoints': [{u'adminURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                     u'internalURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                     u'publicURL': u'http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c',
                     u'region': u'RegionOne'}],
     u'endpoints_links': [], u'name': u'Volume Service', u'type': u'volume'},
    {u'endpoints': [{u'adminURL': u'http://image:9292/v1',
                     u'internalURL': u'http://image:9292/v1',
                     u'publicURL': u'http://image:9292/v1',
                     u'region': u'RegionOne'}],
     u'endpoints_links': [], u'name': u'Image Service', u'type': u'image'},
    ... ... ...
    {u'endpoints': [{u'adminURL': u'http://ident:35357/v2.0',
                     u'internalURL': u'http://ident:5000/v2.0',
                     u'publicURL': u'http://ident:5000/v2.0',
                     u'region': u'RegionOne'}],
     u'endpoints_links': [], u'name': u'Identity Service', u'type': u'identity'}],
  u'token': {u'expires': u'2012-04-19T00:06:53Z',
             u'id': u'87d45c4c6e9b445997da68f399b49704',
             u'tenant': {u'description': None, u'enabled': True,
                         u'id': u'c566cb3adfab4f4a859250f4f7d4f56c', u'name': u'demo'}},
  u'user': {u'id': u'30e5d97149cf4621b9dbeb7681917aed', u'name': u'frank',
            u'roles': [{u'id': u'089c23c4f82f4c9d8882f6919dd51103', u'name': u'Admin'},
                       {u'id': u'da104b278a2b463e89dd5e072740702e', u'name': u'Member'}],
            u'roles_links': [], u'username': u'frank'}}}

The token id is then sent on every subsequent request as the X-Auth-Token header, which the receiving WSGI application sees as:

HTTP_X_AUTH_TOKEN: 87d45c4c6e9b445997da68f399b49704
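As an added example (not code from the deck, and not python-keystoneclient), here is the client side of the token and catalog slides: parse the 'access' structure above, pick an endpoint by catalog service type and region, refuse to reuse a token past its 'expires' time, and emit the X-Auth-Token header. The sample response is constructed from the slide's own ids and URLs with the catalog cut down to the three services shown; the class and method names are mine. Note that the identity service lists a separate adminURL on port 35357 (the administrative API from the history slide), so endpoint selection must never fall back across interfaces.

```python
"""Client-side handling of a Keystone v2.0 token response (added example).

Not code from the deck or from keystone/python-keystoneclient.
"""
import datetime
import json

# Constructed sample modelled on the slide's response: same ids and URLs,
# catalog cut down to the three services the slide shows.
SAMPLE_ACCESS_JSON = json.dumps({"access": {
    "serviceCatalog": [
        {"endpoints": [{"adminURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                        "internalURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                        "publicURL": "http://vol:8776/v1/c566cb3adfab4f4a859250f4f7d4f56c",
                        "region": "RegionOne"}],
         "endpoints_links": [], "name": "Volume Service", "type": "volume"},
        {"endpoints": [{"adminURL": "http://image:9292/v1", "internalURL": "http://image:9292/v1",
                        "publicURL": "http://image:9292/v1", "region": "RegionOne"}],
         "endpoints_links": [], "name": "Image Service", "type": "image"},
        {"endpoints": [{"adminURL": "http://ident:35357/v2.0", "internalURL": "http://ident:5000/v2.0",
                        "publicURL": "http://ident:5000/v2.0", "region": "RegionOne"}],
         "endpoints_links": [], "name": "Identity Service", "type": "identity"}],
    "token": {"expires": "2012-04-19T00:06:53Z", "id": "87d45c4c6e9b445997da68f399b49704",
              "tenant": {"description": None, "enabled": True,
                         "id": "c566cb3adfab4f4a859250f4f7d4f56c", "name": "demo"}},
    "user": {"id": "30e5d97149cf4621b9dbeb7681917aed", "name": "frank",
             "roles": [{"id": "089c23c4f82f4c9d8882f6919dd51103", "name": "Admin"},
                       {"id": "da104b278a2b463e89dd5e072740702e", "name": "Member"}],
             "roles_links": [], "username": "frank"}}})


def parse_utc(stamp):
    """v2.0 timestamps are UTC with a trailing Z; keep them naive-UTC throughout."""
    return datetime.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


class AccessInfo:
    """Typed view over the 'access' block of a v2.0 token response."""

    def __init__(self, body):
        access = json.loads(body)["access"]
        self.token_id = access["token"]["id"]
        self.expires = parse_utc(access["token"]["expires"])
        self.tenant_id = access["token"]["tenant"]["id"]
        self.user_id = access["user"]["id"]
        self.roles = frozenset(r["name"] for r in access["user"]["roles"])
        self.catalog = access["serviceCatalog"]

    def is_expired(self, now=None):
        now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
        return now >= self.expires

    def endpoint_for(self, service_type, region=None, interface="publicURL"):
        """URL of a service by catalog type, optionally pinned to a region.

        Raises KeyError instead of quietly falling back to another service,
        region or interface: an admin URL must never be picked by accident.
        """
        for service in self.catalog:
            if service["type"] != service_type:
                continue
            for endpoint in service["endpoints"]:
                if region is None or endpoint["region"] == region:
                    return endpoint[interface]
        raise KeyError("no %s for service %r in region %r" % (interface, service_type, region))

    def auth_headers(self, now=None):
        """Headers for a subsequent API call; refuse to send a token that has expired."""
        if self.is_expired(now):
            raise ValueError("token %s expired at %sZ" % (self.token_id, self.expires.isoformat()))
        return {"X-Auth-Token": self.token_id}
```

The expiry check matters for the slide's own data: the token shown expires on 2012-04-19, a day before the talk, so a client that cached it would be sending a dead token and should re-authenticate rather than retry.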

Page 14

High Level Architecture

‣ typical OpenStack pattern
  ‣ WSGI application, configured with Paste
  ‣ URI routes mapped to configurable backends
‣ configurable backends per internal service:
  ‣ SQL
  ‣ LDAP
  ‣ key-value store
  ‣ ...yours...

Page 15

High Level Architecture

‣ operational facade over existing systems, for each of:
  ‣ identity
  ‣ token
  ‣ policy
  ‣ catalog

Page 16

Essex Backends

‣ Identity
  ‣ SQL, LDAP, PAM, KeyValue
‣ Catalog
  ‣ SQL, Template, KeyValue
‣ Token
  ‣ SQL, Memcache, KeyValue
‣ Policy
  ‣ Rules

Page 17

Essex Release

‣ API stability
  ‣ architecture reset, while maintaining Diablo API compatibility
  ‣ functional test driven
  ‣ “auth_token” middleware rewritten
‣ operational focus
  ‣ additional logging
  ‣ basic RBAC “policy” (Nova, Glance, Keystone)
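The “auth_token” middleware named above is what turns the token slide's promise (identity retrievable by other services) into request headers a service can trust. As an added example, not keystone's own middleware, here is a minimal WSGI filter of the same shape. Assumptions: lookup_token() is a constructed in-memory stand-in for the call the real middleware makes to Keystone's admin API to validate a token; the X-Identity-Status, X-Tenant-Id, X-Tenant-Name, X-User-Id, X-User-Name and X-Roles header names and the delay_auth_decision option are the ones I recall the Essex middleware using; the clock is injected so expiry can be tested. Everything else is mine.

```python
"""A minimal auth_token-style WSGI middleware (added example, not keystone's).

Assumptions: lookup_token() stands in for validating a token against Keystone's
admin API, and the X-Identity-Status / X-Tenant-* / X-User-* / X-Roles header
names are as I recall them from the Essex middleware.
"""
import datetime

# Headers this filter owns. Anything a client sends under these names is
# stripped before the request reaches the service, so identity cannot be forged.
IDENTITY_KEYS = ("HTTP_X_IDENTITY_STATUS", "HTTP_X_TENANT_ID", "HTTP_X_TENANT_NAME",
                 "HTTP_X_USER_ID", "HTTP_X_USER_NAME", "HTTP_X_ROLES")

# Constructed token store using the ids from the slide; stands in for Keystone.
TOKEN_STORE = {
    "87d45c4c6e9b445997da68f399b49704": {
        "expires": "2012-04-19T00:06:53Z",
        "tenant": {"id": "c566cb3adfab4f4a859250f4f7d4f56c", "name": "demo"},
        "user": {"id": "30e5d97149cf4621b9dbeb7681917aed", "name": "frank"},
        "roles": ["Admin", "Member"],
    },
}


def parse_utc(stamp):
    return datetime.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def lookup_token(token_id, now):
    """Stand-in for validating a token with Keystone: None if unknown or expired."""
    info = TOKEN_STORE.get(token_id)
    if info is None or now >= parse_utc(info["expires"]):
        return None
    return info


class AuthTokenMiddleware:
    def __init__(self, app, lookup, auth_uri, clock, delay_auth_decision=False):
        self.app = app
        self.lookup = lookup
        self.auth_uri = auth_uri          # where unauthenticated clients are sent
        self.clock = clock                # injectable so expiry is testable
        # With delay_auth_decision the request is passed on marked Invalid and
        # the service decides (for APIs with anonymous operations).
        self.delay_auth_decision = delay_auth_decision

    def __call__(self, environ, start_response):
        for key in IDENTITY_KEYS:          # drop anything the client tried to assert
            environ.pop(key, None)
        token = environ.get("HTTP_X_AUTH_TOKEN")
        info = self.lookup(token, self.clock()) if token else None
        if info is None:
            if not self.delay_auth_decision:
                start_response("401 Unauthorized", [
                    ("WWW-Authenticate", "Keystone uri='%s'" % self.auth_uri),
                    ("Content-Type", "text/plain")])
                return [b"Authentication required\n"]
            environ["HTTP_X_IDENTITY_STATUS"] = "Invalid"
            return self.app(environ, start_response)
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        environ["HTTP_X_TENANT_ID"] = info["tenant"]["id"]
        environ["HTTP_X_TENANT_NAME"] = info["tenant"]["name"]
        environ["HTTP_X_USER_ID"] = info["user"]["id"]
        environ["HTTP_X_USER_NAME"] = info["user"]["name"]
        environ["HTTP_X_ROLES"] = ",".join(info["roles"])
        return self.app(environ, start_response)


def make_stack(clock, delay_auth_decision=False):
    """Middleware in front of a constructed downstream app that records what it saw."""
    seen = {}

    def downstream(environ, start_response):
        seen.clear()
        seen.update((k, v) for k, v in environ.items() if k.startswith("HTTP_X_"))
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]

    app = AuthTokenMiddleware(downstream, lookup_token, "http://ident:5000/v2.0",
                              clock, delay_auth_decision)
    return app, seen


def run_request(app, headers):
    """Drive a WSGI app with constructed request headers; return (status, response headers)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    environ.update(headers)
    result = {}

    def start_response(status, response_headers):
        result["status"] = status
        result["headers"] = dict(response_headers)

    b"".join(app(environ, start_response))
    return result["status"], result["headers"]
```

The line that matters most is the one that pops IDENTITY_KEYS before validation: the downstream service trusts X-User-Id and X-Roles precisely because only this filter can set them, so a deployment that exposes the service without the filter in its Paste pipeline, or that lets a proxy pass those headers through, has no authentication at all.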

Page 18

Folsom Plans

‣ theme: steady, stable, tested
  ‣ careful, thoughtful improvement
  ‣ keep the core simple and stable
  ‣ continued focus on integration tests and stability

Page 19

Folsom Plans

‣ iterate forward on the API
  ‣ Identity
    ‣ domains (collections of tenants)
    ‣ additional backends (LDAP to Active Directory)
  ‣ authentication enhancements
    ‣ PKI support
    ‣ multi-factor support

Page 20

fini