Presenter: Adam Young1

Openstack Keystone:

Deep Dive &

Coming Attractions

Adam YoungSenior Software Engineer, CloudRed HatJuly 24th, 2012

Presenter: Adam Young2

Agenda

● Overview

● Code Layout

● Tokens

● Folsom Blueprints

Presenter: Adam Young3

Openstack Overview

Presenter: Adam Young4

Keystone: Identity Management Server

Presenter: Adam Young5

Keystone Domain Model

Presenter: Adam Young6

Code Layout

Presenter: Adam Young7

WSGI Mapping

Presenter: Adam Young8

Contrib

● Authorization Mechanism● EC2 -> Token● S3 -> Token● Swift

● CRUD● Admin

● Services● Endpoints● Roles

● User:● Change Password

Presenter: Adam Young9

Persistence Backends

● KVS: Key Value Store● In Memory

● Memcached

● SQL● SQLite and MySQL● PostGRES WIP

● LDAP● Identity only● Start for Active Directory

Presenter: Adam Young10

Tokens

● UUID

● Stored in DB

● Verified Online

● Shared Secret

Presenter: Adam Young11

Token: Request

Presenter: Adam Young12

Token: Authenticated

Presenter: Adam Young13

Token:Request for Service

Presenter: Adam Young14

Token: Verification

Presenter: Adam Young15

Token:Verified

Presenter: Adam Young16

Token: Response from Service

Presenter: Adam Young17

Auth Token Middleware

Presenter: Adam Young18

EC2 Token Middleware

Presenter: Adam Young19

Tokens: Pros and Cons

● Pros● Instantly Revocable● Small (ish)

● Cons● Needs network to verify● Keystone becomes chokepoint● Is UUID Random

Chattiest Part of Openstack

Presenter: Adam Young20

Folsom Blueprints

Presenter: Adam Young21

Keystone API V3

● Emphasize URLS: fully Qualified Resource Location

● Rename Tenants back to Projects

● Clear associations between projects, users and credentials

● Policy implementation specific API

● Many Aspects Deferred

● Priority for Grizzly

Presenter: Adam Young22

PKIS Signed Tokens: Implementation

● Cryptographically Signed Text● Crypto Message Syntax (SMIME)● Contents of “Verify”● Signed with Keystone Private Key● Verified using

● OpenSSL● Public Certificate

● Can also be verified using HTTP

Presenter: Adam Young23

PKI Signed Tokens: Crypto Commands

● Sign

openssl cms -sign -in auth_token.json -nosmimecap -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts -noattr -out auth_token.signed

● Verify

openssl cms -verify -in auth_token.signed -certfile cert.pem -out signedtext.txt -CAfile cacert.pem -inform DER

Presenter: Adam Young24

Token: Online Verification

Presenter: Adam Young25

Token: Offline Verification

Presenter: Adam Young26

Domains:

● ayoung@stoughton Vs ayoung@canton

● Currently One implicit domain

● Grant access from one domain to a ten^H^H^H project in another domain

● Finer grained administration

● True Multiple Tenancy

Presenter: Adam Young27

Policy/Role Based Access Control

● Replace “isAdmin”

● Currently in Nova● Belongs in Keystone

● Register for service:● Roles● Capabilities

● Multiple Tenants and Roles

● Policy is in Keystone● Enforcement is on the

shoulders of Glance, Nova etc

Presenter: Adam Young28

Links

http://keystone.openstack.org/

https://blueprints.launchpad.net/keystone/

https://docs.google.com/document/d/1VP-bTBbwsn6q-rDzuS9CEKb2ubE1VjbWRFd4BkkjoOY/edit

Presenter: Adam Young29

Image Attrbibutions

● http://www.flickr.com/photos/jronaldlee/5216040554/lightbox/

● http://th07.deviantart.net/fs70/PRE/i/2010/098/7/2/Robot_Blueprints_01_by_jordanoth.jpg

● http://followinglesley.files.wordpress.com/2011/03/fake-ttc-tokens.jpg

● http://commons.wikimedia.org/wiki/File:Scroll_Bridge_Keystone_-_geograph.org.uk_-_1299995.jpg

● http://commons.wikimedia.org/wiki/File:Keystone_Grange_of_Barry_bridge_-_geograph.org.uk_-_395082.jpg

● http://xkcd.com/378/

● http://fc00.deviantart.net/fs51/f/2009/322/1/7/signed__sealed____by_kat013.jpg

● http://th01.deviantart.net/fs71/PRE/f/2012/090/2/a/alnwick_castle_by_newcastlemale-d4uie0a.jpg

● http://3.bp.blogspot.com/_V4w18ZWaPas/TN3LvAzfGEI/AAAAAAAAG_Y/YgnCvp9Na08/s1600/Fake-TTC-Tokens.jpg

● http://en.wikipedia.org/wiki/File:Doorman.JPG