Presenter: Adam Young
Openstack Keystone:
Deep Dive &
Coming Attractions
Adam Young
Senior Software Engineer, Cloud
Red Hat
July 24th, 2012
Agenda
● Overview
● Code Layout
● Tokens
● Folsom Blueprints
Openstack Overview
Keystone: Identity Management Server
Keystone Domain Model
Code Layout
WSGI Mapping
Contrib
● Authorization Mechanism
  ● EC2 -> Token
  ● S3 -> Token
  ● Swift
● CRUD
  ● Admin
  ● Services
  ● Endpoints
  ● Roles
● User:
  ● Change Password
Persistence Backends
● KVS: Key Value Store
  ● In Memory
  ● Memcached
● SQL
  ● SQLite and MySQL
  ● PostgreSQL WIP
● LDAP
  ● Identity only
  ● Start for Active Directory
Tokens
● UUID
● Stored in DB
● Verified Online
● Shared Secret
Token: Request
Token: Authenticated
Token: Request for Service
Token: Verification
Token: Verified
Token: Response from Service
Auth Token Middleware
EC2 Token Middleware
Tokens: Pros and Cons
● Pros
  ● Instantly Revocable
  ● Small (ish)
● Cons
  ● Needs network to verify
  ● Keystone becomes chokepoint
  ● Is UUID Random
Chattiest Part of Openstack
Folsom Blueprints
Keystone API V3
● Emphasize URLs: fully qualified resource location
● Rename Tenants back to Projects
● Clear associations between projects, users and credentials
● Policy implementation specific API
● Many Aspects Deferred
● Priority for Grizzly
PKI Signed Tokens: Implementation
● Cryptographically Signed Text
  ● Cryptographic Message Syntax (S/MIME)
  ● Contents of "Verify"
  ● Signed with Keystone Private Key
  ● Verified using
    ● OpenSSL
    ● Public Certificate
● Can also be verified using HTTP
PKI Signed Tokens: Crypto Commands
● Sign
openssl cms -sign -in auth_token.json -nosmimecap -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts -noattr -out auth_token.signed
● Verify
openssl cms -verify -in auth_token.signed -certfile cert.pem -out signedtext.txt -CAfile cacert.pem -inform DER
Token: Online Verification
Token: Offline Verification
Domains:
● ayoung@stoughton vs ayoung@canton
● Currently One implicit domain
● Grant access from one domain to a ten^H^H^H project in another domain
● Finer grained administration
● True Multiple Tenancy
Policy/Role Based Access Control
● Replace "isAdmin"
● Currently in Nova
  ● Belongs in Keystone
● Register for service:
  ● Roles
  ● Capabilities
● Multiple Tenants and Roles
● Policy is in Keystone
  ● Enforcement is on the shoulders of Glance, Nova etc
Links
http://keystone.openstack.org/
https://blueprints.launchpad.net/keystone/
https://docs.google.com/document/d/1VP-bTBbwsn6q-rDzuS9CEKb2ubE1VjbWRFd4BkkjoOY/edit
Image Attributions
● http://www.flickr.com/photos/jronaldlee/5216040554/lightbox/
● http://th07.deviantart.net/fs70/PRE/i/2010/098/7/2/Robot_Blueprints_01_by_jordanoth.jpg
● http://followinglesley.files.wordpress.com/2011/03/fake-ttc-tokens.jpg
● http://commons.wikimedia.org/wiki/File:Scroll_Bridge_Keystone_-_geograph.org.uk_-_1299995.jpg
● http://commons.wikimedia.org/wiki/File:Keystone_Grange_of_Barry_bridge_-_geograph.org.uk_-_395082.jpg
● http://xkcd.com/378/
● http://fc00.deviantart.net/fs51/f/2009/322/1/7/signed__sealed____by_kat013.jpg
● http://th01.deviantart.net/fs71/PRE/f/2012/090/2/a/alnwick_castle_by_newcastlemale-d4uie0a.jpg
● http://3.bp.blogspot.com/_V4w18ZWaPas/TN3LvAzfGEI/AAAAAAAAG_Y/YgnCvp9Na08/s1600/Fake-TTC-Tokens.jpg
● http://en.wikipedia.org/wiki/File:Doorman.JPG