APTIRA PRESENTS – OPENSTACK KEYSTONE IDENTITY SERVICE Kavit Munshi, CTO, Aptira - @KavitAptira, [email protected]

WHAT IS KEYSTONE?

Keystone is an OpenStack project that provides Identity, Token, Catalog and Policy services for use specifically by projects in the OpenStack family. It implements OpenStack’s Identity API.

The Identity service has two primary functions:

- User management: keep track of users and what they are permitted to do

- Service catalog: Provide a catalog of what services are available and where their API endpoints are located

KEYSTONE ARCHITECTURE

Keystone is organized as a group of internal services exposed on one or many endpoints.

1) Identity: The Identity service provides auth credential validation and data about Users, Tenants and Roles, as well as any associated metadata.

2) Token: The Token service validates and manages Tokens used for authenticating requests once a user/tenant’s credentials have already been verified.

3) Catalog: The Catalog service provides an endpoint registry used for endpoint discovery.

4) Policy: The Policy service provides a rule-based authorization engine.

KEYSTONE ARCHITECTURE

Each of the services can be configured to use a backend to allow Keystone to fit a variety of environments and needs. The backend for each service is defined in the keystone.conf file.

1) KVS Backend: A simple backend interface meant to be further backended on anything that can support primary key lookups

2) SQL Backend: A SQL based backend using SQLAlchemy to store data persistently.

3) PAM Backend: Extra simple backend that uses the current system’s PAM service to authenticate, providing a one-to-one relationship between Users and Tenants.

4) LDAP Backend: The LDAP backend stores Users and Tenants in separate subtrees.

5) Templated Backend: A simple Template used to configure Keystone

KEYSTONE ARCHITECTURE

Keystone Architecture Logical Diagram

KEYSTONE ARCHITECTURE

KEYSTONE FLOWCHART

KEYSTONE USER MANAGEMENT

The three main concepts of Identity user management are:

1) Users: A user represents a human user, and has associated information such as username, password and email.

2) Tenants: A tenant can be thought of as a project, group, or organization. Whenever you make requests to OpenStack services, you must specify a tenant.

3) Roles: A role captures what operations a user is permitted to perform in a given tenant.

KEYSTONE SERVICE MANAGEMENT

Keystone also acts as a service catalog to let other OpenStack systems know where relevant API endpoints exist for OpenStack services. The two main concepts of Identity service management are:

- Services
- Endpoints

The Identity service also maintains a user that corresponds to each service (e.g., a user named nova, for the Compute service) and a special service tenant, which is called service.

INSTALLING AND SETTING UP KEYSTONE

Keystone can either be installed from source or from platform-specific packages available with various distributions. For the purposes of this presentation we will use Ubuntu 12.04 with the packages available in the repositories.

- sudo apt-get install keystone
- sudo apt-get install python-mysqldb mysql-server (install MySQL and its Python driver to replace the default SQLite DB)
- mysql> CREATE DATABASE keystone; (create the MySQL database for Keystone to use)
- mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '[YOUR_KEYSTONE_PASSWORD]'; (create the MySQL user that accesses the keystone DB; '%' accepts this user from any host, so on a real deployment replace it with the address of the Keystone server)
- Change the connection line in the [sql] section of /etc/keystone/keystone.conf:

connection = mysql://keystone:[YOUR_KEYSTONE_PASSWORD]@[YOUR_KEYSTONE_SERVER]/keystone

- admin_token = 012345SECRET99TOKEN012345 (set the service token in keystone.conf; this value is only a placeholder. The admin token grants admin access to Keystone without any credentials, so use a long random value and keep keystone.conf readable only by root and the keystone user)
- service keystone restart (restart the keystone service to apply the changes)
- keystone-manage db_sync (initialise the new keystone database)
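The two keystone.conf edits from the steps above, done the way a practitioner would actually want them: a random admin_token instead of the documentation placeholder, and a configuration file that is not world-readable once it holds the database password. This is an added example, not code from the slides or from the Keystone project; the sample configuration in demo() is constructed, and the hostnames and passwords are assumptions.

```shell
#!/bin/sh
# Added example, not code from the slides or from the Keystone project: the two
# keystone.conf edits from the install steps, with a random admin_token and a
# locked-down file. The sample config in demo() is constructed; hostnames and
# passwords are assumptions.
set -eu

# gen_admin_token: print 16 random bytes from /dev/urandom as 32 hex characters.
gen_admin_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# set_opt FILE KEY VALUE: write "KEY = VALUE" into FILE, replacing an existing
# or commented-out "KEY = ..." line, else appending one.
set_opt() {
    file=$1 key=$2 value=$3
    # escape sed replacement metacharacters so a password containing & | \ survives
    esc=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
    if grep -q "^[# ]*$key *=" "$file"; then
        sed "s|^[# ]*$key *=.*|$key = $esc|" "$file" > "$file.tmp"
    else
        cp "$file" "$file.tmp"
        printf '%s = %s\n' "$key" "$value" >> "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# configure_keystone CONF DBUSER DBPASS DBHOST: apply the connection and
# admin_token settings from the slide, then lock the file down, because it now
# carries two secrets (in production: chown root:keystone and mode 640).
configure_keystone() {
    set_opt "$1" connection "mysql://$2:$3@$4/keystone"
    set_opt "$1" admin_token "$(gen_admin_token)"
    chmod 600 "$1"
}

# check_keystone_conf CONF: return 1 for settings that must never reach
# production: a placeholder admin_token (the value on the slide, or the
# package default ADMIN) or a connection string that is not MySQL.
check_keystone_conf() {
    token=$(sed -n 's/^admin_token *= *//p' "$1")
    conn=$(sed -n 's/^connection *= *//p' "$1")
    case $token in
        "") echo "check: admin_token not set" >&2; return 1 ;;
        ADMIN|012345SECRET99TOKEN012345)
            echo "check: admin_token is a documentation placeholder" >&2; return 1 ;;
    esac
    case $conn in
        mysql://*) ;;
        *) echo "check: connection is not MySQL (${conn:-unset})" >&2; return 1 ;;
    esac
    return 0
}

# demo: run the above on a constructed, stock-looking keystone.conf.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '[DEFAULT]' 'admin_token = ADMIN' 'admin_port = 35357' \
        '[sql]' 'connection = sqlite:////var/lib/keystone/keystone.db' > "$tmp"
    check_keystone_conf "$tmp" || echo "stock config rejected, as expected"
    configure_keystone "$tmp" keystone 'S3cr3tPass' db.example.com
    check_keystone_conf "$tmp" && cat "$tmp"
    rm -f "$tmp"
}
demo
```

On a real host, call configure_keystone on /etc/keystone/keystone.conf before `service keystone restart`; the password in the connection URL must be percent-encoded if it contains characters that are special in URLs, which is a separate concern from the sed escaping above.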

KEYSTONE USER MANAGEMENT

1) Create a user called kavit
keystone user-create --name=kavit --pass=test123 [email protected]

2) Create a tenant called test
keystone tenant-create --name=test

3) Create a role to use on our system
keystone role-create --name=admin

4) Associate the role and the user with the tenant (USERID, ROLEID and TENANTID are the ids printed by the three commands above, or by keystone user-list, role-list and tenant-list)
keystone user-role-add --user=USERID --role=ROLEID --tenant_id=TENANTID

Note that a password passed with --pass ends up in the shell history and is visible to other local users in the process list while the command runs; test123 is for the demonstration only.

KEYSTONE SERVICE MANAGEMENT

1) Create the service tenant. This tenant contains all the services that we make known to the service catalog.
keystone tenant-create --name=service

2) Create a user for each OpenStack service in the service catalog, each with its own password
keystone user-create --name=nova --pass=test123 [email protected]

3) Give the admin role to the users nova, glance, etc. in the tenant service, using keystone user-role-add as in the previous section with the service tenant's id.

4) Now that we have tenants, users and roles for each of the users, we need to create the services we wish to authenticate users for.
keystone service-create --name nova --type compute --description 'OpenStack Compute Service'

KEYSTONE SERVICE MANAGEMENT

5) Once the services are created, we will need to associate the endpoints or network addresses where clients might connect to the services offered.

keystone endpoint-create --region myregion --service_id 1e93ee6c70f8468c88a5cb1b106753f3 --publicurl ’http://192.168.125.111:8774/v2/$(tenant_id)s’ --adminurl ’http://192.168.125.111:8774/v2/$(tenant_id)s’ --internalurl ’http://192.168.125.111:8774/v2/$(tenant_id)s’
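The user-role-add step in the previous section and the endpoint-create step above both need ids that the slides leave as placeholders (USERID, ROLEID, TENANTID, --service_id). The added example below, which is not code from the slides or from the Keystone project, resolves them out of `keystone user-list`, `role-list`, `tenant-list` and `service-list` table output so both steps can be scripted, and fails on a missing or ambiguous name rather than silently passing an empty id. It also puts the admin and internal URLs on a separate management address, where the slide uses the public address for all three. The tables are constructed sample output; every id except the service id from the slide, the e-mail addresses and the management address 10.0.0.11 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the slides or the Keystone project: resolve the
# USERID / ROLEID / TENANTID and --service_id placeholders from `keystone *-list`
# table output. The tables are constructed sample output; ids other than the
# slide's service id, e-mail addresses and the management address are assumed.
set -eu

# id_by_name NAME: read a keystone CLI table from stdin and print the id of the
# row whose "name" column is exactly NAME. Returns 1 when the name is absent or
# matches several rows, so a typo ("admn") aborts the script instead of
# handing an empty id to user-role-add.
id_by_name() {
    name=$1
    ids=$(awk -F'|' -v want="$name" '
        /^[+]/ { next }                             # +----+ border rows
        {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if (!idcol) {                           # first non-border row: header
                for (i = 1; i <= NF; i++) {
                    if ($i == "id") idcol = i
                    if ($i == "name") namecol = i
                }
                next
            }
            if ($namecol == want) print $idcol
        }')
    set -- $ids
    case $# in
        1) printf '%s\n' "$1" ;;
        0) echo "id_by_name: no entry named '$name'" >&2; return 1 ;;
        *) echo "id_by_name: '$name' matches $# rows" >&2; return 1 ;;
    esac
}

# user_role_add_cmd USER ROLE TENANT USERTABLE ROLETABLE TENANTTABLE: print the
# user-role-add command from the slide with every placeholder resolved.
user_role_add_cmd() {
    user_id=$(printf '%s\n' "$4" | id_by_name "$1")
    role_id=$(printf '%s\n' "$5" | id_by_name "$2")
    tenant_id=$(printf '%s\n' "$6" | id_by_name "$3")
    printf 'keystone user-role-add --user=%s --role=%s --tenant_id=%s\n' \
        "$user_id" "$role_id" "$tenant_id"
}

# endpoint_create_cmd SERVICE PORT REGION PUBLIC_HOST ADMIN_HOST SERVICETABLE:
# print the endpoint-create command. The admin and internal URLs go to a
# management address so the service's admin API is not reachable on the
# public endpoint's network.
endpoint_create_cmd() {
    service_id=$(printf '%s\n' "$6" | id_by_name "$1")
    path='v2/$(tenant_id)s'      # literal template Keystone fills in per tenant
    printf "keystone endpoint-create --region %s --service_id %s --publicurl 'http://%s:%s/%s' --adminurl 'http://%s:%s/%s' --internalurl 'http://%s:%s/%s'\n" \
        "$3" "$service_id" "$4" "$2" "$path" "$5" "$2" "$path" "$5" "$2" "$path"
}

# Constructed sample output of keystone user-list / role-list / tenant-list / service-list.
USERS='+----------------------------------+-------+---------+-------------------+
|                id                |  name | enabled |       email       |
+----------------------------------+-------+---------+-------------------+
| 3e1b1f5e2c0a4a7b9b1d6c3f2e5a8c41 | kavit |   True  | kavit@example.com |
| 9a7c0d2e4f6b8a1c3e5d7f9b1a3c5e72 |  nova |   True  |  nova@example.com |
+----------------------------------+-------+---------+-------------------+'
ROLES='+----------------------------------+-------+
|                id                |  name |
+----------------------------------+-------+
| 0f1e2d3c4b5a69788796a5b4c3d2e1f0 | admin |
+----------------------------------+-------+'
TENANTS='+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| c0ffee0011223344556677889900aabb |   test  |   True  |
| deadbeef00112233445566778899aabb | service |   True  |
+----------------------------------+---------+---------+'
SERVICES='+----------------------------------+------+---------+---------------------------+
|                id                | name |   type  |        description        |
+----------------------------------+------+---------+---------------------------+
| 1e93ee6c70f8468c88a5cb1b106753f3 | nova | compute | OpenStack Compute Service |
+----------------------------------+------+---------+---------------------------+'

user_role_add_cmd kavit admin test "$USERS" "$ROLES" "$TENANTS"
user_role_add_cmd nova admin service "$USERS" "$ROLES" "$TENANTS"
endpoint_create_cmd nova 8774 myregion 192.168.125.111 10.0.0.11 "$SERVICES"
```

On a live system, replace the constructed tables with `$(keystone user-list)` and friends and pipe each printed command to sh once it has been reviewed; because every id lookup runs under set -e, a misspelt user, role, tenant or service name stops the script before anything is bound.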

KEYSTONE WORKFLOW

IMPORTANT RESOURCES AND LINKS

OpenStack keystone developer documentation
http://docs.openstack.org/developer/keystone/

OpenStack Identity Administration documentation
http://docs.openstack.org/trunk/openstack-compute/install/content/ch_installing-openstack-identity-service.html

Keystone github
http://github.com/openstack/keystone

Keystone Launchpad site
https://launchpad.net/keystone

Aptira
http://aptira.com

THE END