Uploading the presentation given at the OpenStack Summit, Austin, in April 2016. The video link is here:
https://www.openstack.org/videos/video/multi-tenancy-for-docker-containers-with-keystone-and-adding-quota-limits
2. Current authorization mechanism
• Username / password based authentication
• Allows the user to run any Docker command
• Or view all provisioned containers
• No limit on the number of containers / resources used
3. Why multitenancy?
We can use standalone Keystone to provide multitenancy to Docker.
• Multitenancy allows users to view/manage only the containers they provisioned
• Enables Role Based Access Control (RBAC)
• Enables the administrator to specify quotas – pay-as-you-go model
• Can utilize Keystone’s ability to support multiple backend domains
• Single sign-on and hierarchical multitenancy
• Not only user-to-container authorization, but also service-to-service authorization for services running across different containers
4. Keystone services
• Identity – Credential validation
• Resources – Data about Projects and Domains
• Assignment - Roles and Roles-to-Resource assignments
• Token – Manages tokens
• Catalog – Registry of services and end points
• Policy – Rule based authorization
5. Authentication mechanisms
UUID Tokens
• UUID
• Persistent
PKI & PKIZ Tokens (From Grizzly)
• Public Key Infrastructure – Certificate based
• More informative payload but size is huge
• Persistent
Fernet Tokens (From Juno)
• Non-persistent & Symmetric key encryption
• 85% faster than UUID and 89% faster than PKI
6. UUID tokens
[Flowchart with swimlanes Client / API / Keystone Backend. Token generation: the client sends user/password, Keystone verifies the credentials, generates and stores a UUID token, and the client caches the UUID locally. API call validation: the client sends the API request plus the UUID; the API extracts the UUID from the request and Keystone checks the UUID and its expiry date. If valid, the request is processed and a 2xx HTTP status updates the request status; if not, the request is rejected with a 4xx HTTP status and the request error is displayed.]
8. What is Docker
• Enables you to package an application with all its dependencies into a standardized unit
• Docker separates applications from infrastructure using container technology, similar to how VMs separate the operating system from bare metal
• Runs the same regardless of the environment
Build Ship Run
9. Docker – Key Components
• Docker Daemon
• Docker API
• CLI – used to interact with the Daemon
• Docker Engine (constitutes all of the above)
• Docker Machine – bring up Docker Swarm
• Docker Swarm – native clustering for Docker
11. Multi-tenancy with keystone
[Sequence diagram with lanes User / Keystone / Docker Host / Swarm. The user authenticates to Keystone with (user, tenant, password); Keystone validates the credentials and generates a token; the user updates config.json with the token and tenant ID and runs: docker -H <swarm url> <docker cmd>. Swarm lists the tenants the token has access to and checks Keystone's tenant list for the user's tenant, ensuring that tenants are isolated from each other and each tenant can only manage and link to its own containers. The Docker host then runs: docker <docker cmd>.]
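As an added example (not from the talk or its implementation), the check Swarm performs in slide 11 combined with the UUID-and-expiry lookup of slide 6, written as a small Python gate: a constructed in-memory token table stands in for Keystone's token backend, a constructed container list carries the tenant that provisioned each container, and the tokens, names and header are all assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 4, 25, 12, 0, tzinfo=timezone.utc)  # fixed clock for a deterministic expiry check

# Constructed stand-in for Keystone's persistent UUID token store (slide 6):
# token -> user, tenant, expiry. In practice the token is issued and stored by Keystone.
ALICE_TOKEN = "6f1c2b3a-0000-4000-8000-000000000001"  # constructed
BOB_TOKEN = "6f1c2b3a-0000-4000-8000-000000000002"    # constructed, already expired
TOKENS = {
    ALICE_TOKEN: {"user": "alice", "tenant_id": "tenant-a", "expires": NOW + timedelta(hours=1)},
    BOB_TOKEN: {"user": "bob", "tenant_id": "tenant-b", "expires": NOW - timedelta(minutes=5)},
}

# Constructed container inventory; each container is labelled with the tenant that provisioned it.
CONTAINERS = {
    "web-a": {"tenant_id": "tenant-a"},
    "db-a": {"tenant_id": "tenant-a"},
    "db-b": {"tenant_id": "tenant-b"},
}

def validate_token(token):
    """Keystone-side step from slide 6: look up the UUID and check its expiry.
    Returns the token record, or None when the token is unknown or expired."""
    record = TOKENS.get(token)
    if record is None or record["expires"] <= NOW:
        return None
    return record

def list_containers(token):
    """Slide 3: a tenant sees only the containers it provisioned (None if the token is bad)."""
    record = validate_token(token)
    if record is None:
        return None
    return sorted(name for name, c in CONTAINERS.items() if c["tenant_id"] == record["tenant_id"])

def authorize(request):
    """Gate in front of the Swarm API (slide 11): request carries the X-Auth-Token header,
    the Docker action and the target container. Returns (http_status, message)."""
    token = request.get("headers", {}).get("X-Auth-Token")
    if not token:
        return 401, "missing X-Auth-Token"
    record = validate_token(token)
    if record is None:
        return 401, "invalid or expired token"
    container = CONTAINERS.get(request["container"])
    if container is None or container["tenant_id"] != record["tenant_id"]:
        # One answer for "not yours" and "does not exist": a tenant cannot probe for other tenants' names.
        return 404, "no such container"
    return 200, f"{request['action']} {request['container']} as {record['user']}"
```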
12. Timelines and future work
• Implementation of Keystone support – in progress
• Explore Fernet tokens and add support for them
• Provide isolated tenant networking capabilities
• Provide a framework for dockerized applications to use the multitenancy seamlessly