2. Agenda
• Context
• What is keystone?
• History
• Demo
# keystone-manage
# keystone-all
– Installation (operator perspective)
– Installation (developer perspective)
3. Cloud computing is a specialized form of distributed computing that introduces utilization models for remotely provisioning scalable and measured IT resources.
6. OpenStack is a cloud operating system that controls large pools of compute, storage, and networking resources throughout a data center, all managed through a dashboard …
9. Definition
Keystone is the identity service used by OpenStack for authentication (authN) and high-level authorization (authZ). It currently supports token-based authN and user-service authorization.
If you're interested in identity for OpenStack, we hold public meetings weekly on IRC in #openstack-meeting, on Tuesdays at 18:00 UTC.
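The token-based authN that the definition above refers to is easiest to see in the wire shapes. The Python below is an added example (it is not code from the slides or from the Keystone project): it builds the password-authentication request bodies for the v2.0 and v3 APIs, normalises both token responses into one structure, picks a catalog endpoint by service type, region and interface, checks expiry client-side, and shows why v3 stopped putting the token in the URL (v2.0 validated a token with GET /v2.0/tokens/{id}, so the secret landed in every access log on the path; v3 carries it in the X-Subject-Token header). The two responses are constructed samples; every hostname, ID and token value in them is made up.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a v2.0 "POST /v2.0/tokens" response; the token ID sits in the body.
# Names, IDs and URLs are made up for this example.
V2_RESPONSE = json.dumps({"access": {
    "token": {"id": "EXAMPLE-V2-TOKEN", "expires": "2014-10-01T13:00:00Z",
              "tenant": {"id": "t-001", "name": "demo"}},
    "user": {"id": "u-001", "name": "alice", "roles": [{"name": "Member"}]},
    "serviceCatalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"region": "RegionOne", "publicURL": "http://keystone.example:5000/v2.0",
             "adminURL": "http://keystone.example:35357/v2.0"}]},
        {"type": "compute", "name": "nova", "endpoints": [
            {"region": "RegionOne", "publicURL": "http://nova.example:8774/v2/t-001"}]},
    ]}})

# Constructed sample of a v3 "POST /v3/auth/tokens" response; the token ID is returned
# only in the X-Subject-Token header, never in the body or the URL.
V3_HEADERS = {"X-Subject-Token": "EXAMPLE-V3-TOKEN"}
V3_RESPONSE = json.dumps({"token": {
    "expires_at": "2014-10-01T13:00:00.000000Z",
    "user": {"id": "u-001", "name": "alice", "domain": {"id": "default"}},
    "project": {"id": "t-001", "name": "demo"},
    "roles": [{"name": "Member"}],
    "catalog": [
        {"type": "compute", "name": "nova", "endpoints": [
            {"region": "RegionOne", "interface": "public", "url": "http://nova.example:8774/v2/t-001"},
            {"region": "RegionOne", "interface": "admin", "url": "http://nova.example:8774/v2/t-001"}]},
    ]}})


def v2_auth_body(username, password, tenant_name):
    """Request body for v2.0 password authentication, scoped to a tenant."""
    return {"auth": {"passwordCredentials": {"username": username, "password": password},
                     "tenantName": tenant_name}}


def v3_auth_body(username, password, user_domain, project, project_domain):
    """Request body for the v3 'password' auth method, scoped to a project."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username, "password": password,
                                           "domain": {"name": user_domain}}}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}}}}


def utc(*parts):
    """Build an aware UTC timestamp, e.g. utc(2014, 10, 1, 12, 30)."""
    return datetime(*parts, tzinfo=timezone.utc)


def _expiry(stamp):
    # Both "...T13:00:00Z" (v2.0) and "...T13:00:00.000000Z" (v3) are accepted.
    return datetime.strptime(stamp.split(".")[0].rstrip("Z"),
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_v2_token(body_text):
    """Normalise a v2.0 token response into the same shape used for v3."""
    access = json.loads(body_text)["access"]
    endpoints = [{"type": svc["type"], "region": ep.get("region"),
                  "interface": key[:-3], "url": ep[key]}          # "publicURL" -> "public"
                 for svc in access["serviceCatalog"] for ep in svc["endpoints"]
                 for key in ("publicURL", "internalURL", "adminURL") if key in ep]
    return {"id": access["token"]["id"], "expires": _expiry(access["token"]["expires"]),
            "project_id": access["token"]["tenant"]["id"],
            "roles": sorted(r["name"] for r in access["user"]["roles"]),
            "endpoints": endpoints}


def parse_v3_token(headers, body_text):
    """Same shape for v3; the token ID comes from the response header."""
    tok = json.loads(body_text)["token"]
    endpoints = [{"type": svc["type"], "region": ep["region"],
                  "interface": ep["interface"], "url": ep["url"]}
                 for svc in tok["catalog"] for ep in svc["endpoints"]]
    return {"id": headers["X-Subject-Token"], "expires": _expiry(tok["expires_at"]),
            "project_id": tok["project"]["id"],
            "roles": sorted(r["name"] for r in tok["roles"]),
            "endpoints": endpoints}


def token_is_valid(token, now):
    """A client should discard a token past its expiry before using it."""
    return now < token["expires"]


def select_endpoint(token, service_type, region, interface="public"):
    """Pick a catalog URL; the public interface is the default so admin URLs are never chosen by accident."""
    for ep in token["endpoints"]:
        if (ep["type"], ep["region"], ep["interface"]) == (service_type, region, interface):
            return ep["url"]
    return None


def validation_request(version, token_id, admin_token):
    """How a service validates a user token: v2.0 placed it in the URL path, v3 in a header."""
    if version == "v2.0":
        return ("GET", "/v2.0/tokens/" + token_id, {"X-Auth-Token": admin_token})
    return ("GET", "/v3/auth/tokens",
            {"X-Auth-Token": admin_token, "X-Subject-Token": token_id})
```

select_endpoint returns None rather than falling back to another interface, so a caller that asked for "internal" cannot silently be handed an admin or public URL; treat a None as a configuration error in the catalog.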
10. Releases
• Essex:
– Supports S3 token validation and additional Swift storage features
• Folsom:
– PKI Support for authentication.
• Grizzly:
– New API (V3)
• Havana:
– General performance improvements
• Icehouse:
– The assignments backend has now been completely separated from the identity
backend.
• Juno:
– Multiple Identity backends
– LDAPs now available
– Keystone-to-Keystone Federation (experimental).
11. API
• catalog
• ec2-credentials
– create
– delete
– get
– list
• endpoint
– create
– delete
– get
– list
• password
– update
• role
– create
– delete
– get
– list
• service
– create
– delete
– get
– list
• tenant
– create
– delete
– get
– list
• token
– get
• user
– create
– delete
– get
– list
– update
– password-update
• user-role
– add
– list
– remove
• discover
• bootstrap
• bash
– completion
12. keystone-all
It starts both the service and administrative APIs in a single process to provide catalog, authorization, and authentication services for OpenStack.
--config-dir DIR
Path to a config directory to pull *.conf files from
--config-file PATH
Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence.
13. keystone-manage
It is the command-line tool that interacts with the Keystone service to initialize and update data within Keystone. Generally, keystone-manage is only used for operations that cannot be accomplished with the HTTP API, such as data import/export and database migrations.
Available commands:
• db_sync: Sync the database.
• db_version: Print the current migration version of the database.
• mapping_purge: Purge the identity mapping table.
• pki_setup: Initialize the certificates used to sign tokens.
• saml_idp_metadata: Generate identity provider metadata.
• ssl_setup: Generate certificates for SSL.
• token_flush: Purge expired tokens.
Terms:
IT Resource - A physical or virtual IT-related artifact (physical server, software program, virtual server, service, storage device, network device).
Virtualization - The conversion of a physical IT resource into multiple virtual images of itself.
Scaling in / Scaling out - Scaling is the ability of an IT resource to gracefully handle increased or decreased usage demands.
Cloud - A remote IT environment designed for the purpose of remotely provisioning IT resources.
On-Premise - An IT resource that is not remotely accessible via a cloud.
Service - A software program that can be remotely invoked via a published technical interface.
Cloud Service - Any remotely accessible IT resource is classified as a cloud service.
Service Agent - An event-driven program capable of transparently intercepting and processing messages sent to or from services.
Characteristics:
On-Demand Usage (the freedom to self-provision IT resources)
Ubiquitous Access (widely accessible: support for a range of devices, transport protocols, interfaces, and security technologies)
Multi-tenancy and Resource Pooling (IT resources shared by multiple users/tenants)
Elasticity (the ability of a cloud to gracefully and transparently scale IT resources)
Measured Usage (keeping track of the usage of IT resources by cloud consumers; a pay-per-use monitoring mechanism)
Resiliency (failover system)
Cloud computing provides users with access to a shared collection of computing resources: networks for transfer, servers for storage, and applications or services for completing tasks.
The compelling features of a cloud are:
On-demand self-service: Users can automatically provision needed computing capabilities, such as server time and network storage, without requiring human interaction with each service provider.
Network access: Any computing capabilities are available over the network. Many different devices are allowed access through standardized mechanisms.
Resource pooling: Multiple users can access clouds that serve other consumers according to demand.
Elasticity: Provisioning is rapid and scales out or in based on need.
Metered or measured service: Cloud systems can optimize and control resource use at the level that is appropriate for the service. Services include storage, processing, bandwidth, and active user accounts. Monitoring and reporting of resource usage provides transparency for both the provider and consumer of the utilized service.
Essex:
Supports S3 token validation and additional Swift storage features
Folsom:
PKI Support for authentication.
Integration into openstack-common libraries
Swift AUTH middleware allowing overrides of authentication.
Consolidation of CLI option names to the global OpenStack standard (use hyphens)
Grizzly:
PKI Tokens: PKI-based signed tokens (capable of being validated offline) are the default token format instead of traditional UUID-based tokens
New API: Support for Identity API v3 which is deployed identically on both port 5000 and 35357 by default.
User groups: manage role assignments for groups of users (managed on Identity API v3, affects both APIs).
Domains: a high-level container for projects, users and groups providing namespace isolation and an additional level of role management (managed on Identity API v3, affects both APIs).
Trusts: Project-specific role delegation between users, with optional impersonation (Identity API v3 only).
Credentials: generic credential storage per user (e.g. EC2, PKI, SSH, etc.) (Identity API v3 only)
Policies: a centralized repository for arbitrary policy engine rule sets (Identity API v3 only).
Token values no longer appear in URLs (Identity API v3 only).
RBAC: policy.json controls are enforced for all Identity API v3 calls.
Pluggable authentication: The default 'password' and 'token' authentication modules are now pluggable (Identity API v3 only) and can be easily replaced with custom code, for example to authenticate with an existing system. Plugins can also make calls to the existing identity driver. Authentication at the HTTP API layer is also pluggable in Identity API v3; however, see Known Issues below.
External authentication: Keystone trusts externally provided CGI-style REMOTE_USER claims to identify end users.
Havana:
Improved deployment flexibility
Authorization data (tenants/projects, roles, role assignments; e.g. SQL) can now be stored in a separate backend, as determined by the "assignments" driver, from authentication data (users, groups; e.g. LDAP), as determined by the "identity" driver
Credentials (e.g. ec2 tokens) can now be stored in a separate backend, as determined by the "credentials" driver, from authentication data
Ability to specify more granular RBAC policy rules (for example, based on attributes in the API request / response body)
Pluggable handling of external authentication using REMOTE_USER
Token generation, which is currently either UUID or PKI based, is now pluggable and separated from token persistence. Deployers can write a custom implementation of the keystone.token.provider.Provider interface and configure keystone to use it with [token] provider. As a result, [signing] token_format is now deprecated in favor of this new configuration option.
First-class support for deployment behind Apache httpd
New deployment features
Ability to cache the results of driver calls in a key-value store (for example, memcached or redis)
keystone-manage token_flush command to help purge expired tokens
New API features
Delegated role-based authorization to arbitrary consumers using OAuth 1.0a
API clients can now opt out of the service catalog being included in a token response
Domain role assignments can now be inherited by that domain's projects
Aggregated role assignments API
External authentication providers can now embed a binding reference into tokens such that remote services may optionally validate the identity of the user presenting the token against a presented external authentication mechanism. Currently, only kerberos is supported.
Endpoints may now be explicitly mapped to projects, effectively preventing certain endpoints from appearing in the service catalog for certain projects based on the project scope of a token. This does not prevent end users from accessing or using endpoints they are aware of through some other means.
Event notifications emitted for user and project/tenant create, update, and delete operations
General performance improvements
The v2 and v3 API now use the same logic for computing the list of roles assigned to a user-project pair during authentication, based on user+project, group+project, user+domain-inherited, and group+domain-inherited role assignments (where domain-inherited role assignments allow a domain-level role assignment to apply to all projects owned by that domain). The v3 API now uses a similar approach for computing user+domain role assignments for domain-scoped tokens.
Logs are handled using a common logging implementation from Oslo-incubator, consistent with other OpenStack projects
SQL migrations for extensions can now be managed independently from the primary migration repository using keystone-manage db_sync --extension=«extension-name».
Icehouse:
New v3 API features
/v3/OS-FEDERATION/ allows Keystone to consume federated authentication via Shibboleth for multiple Identity Providers, and mapping federated attributes into OpenStack group-based role assignments (see documentation).
POST /v3/users/{user_id}/password allows API users to update their own passwords (see documentation).
GET v3/auth/token?nocatalog allows API users to opt-out of receiving the service catalog when performing online token validation (see documentation).
/v3/regions provides a public interface for describing multi-region deployments (see documentation).
/v3/OS-SIMPLECERT/ now publishes the certificates used for PKI token validation (see documentation).
/v3/OS-TRUST/trusts is now capable of providing limited-use delegation via the remaining_uses attribute of trusts.
The assignments backend (the source of authorization data) has now been completely separated from the identity backend (the source of authentication data). This means that you can now back your deployment's identity data to LDAP, and your authorization data to SQL, for example.
The token KVS driver is now capable of writing to persistent Key-Value stores such as Redis, Cassandra, or MongoDB.
Keystone's driver interfaces are now implemented as Abstract Base Classes (ABCs) to make it easier to track compatibility of custom driver implementations across releases.
Keystone's default etc/policy.json has been rewritten in an easier to read format.
Notifications are now emitted in response to create, update and delete events on roles, groups, and trusts.
Custom extensions and driver implementations may now subscribe to internal-only event notifications, including disable events (which are only exposed externally as part of update events).
Keystone now emits Cloud Audit Data Federation (CADF) event notifications in response to authentication events.
Additional plugins are provided to handle external authentication via REMOTE_USER with respect to single-domain versus multi-domain deployments.
policy.json can now perform enforcement on the target domain in a domain-aware operation using, for example, %(target.{entity}.domain_id)s.
The LDAP driver for the assignment backend now supports group-based role assignment operations.
Keystone now publishes token revocation events in addition to providing continued support for token revocation lists. Token revocation events are designed to consume much less overhead (when compared to token revocation lists) and will enable Keystone to eliminate token persistence during the Juno release.
Deployers can now define arbitrary limits on the size of collections in API responses (for example, GET /v3/users might be configured to return only 100 users, rather than 10,000). Clients will be informed when truncation has occurred.
Lazy translation has been enabled to translate responses according to the requested Accept-Language header.
Keystone now emits i18n-ready log messages.
Collection filtering is now performed in the driver layer, where possible, for improved performance.
catalog                 List service catalog, possibly filtered by service.
ec2-credentials-create  Create EC2-compatible credentials for user per tenant.
ec2-credentials-delete  Delete EC2-compatible credentials.
ec2-credentials-get     Display EC2-compatible credentials.
ec2-credentials-list    List EC2-compatible credentials for a user.
endpoint-create         Create a new endpoint associated with a service.
endpoint-delete         Delete a service endpoint.
endpoint-get            Find endpoint filtered by a specific attribute or service type.
endpoint-list           List configured service endpoints.
password-update         Update own password.
role-create             Create new role.
role-delete             Delete role.
role-get                Display role details.
role-list               List all roles.
service-create          Add service to Service Catalog.
service-delete          Delete service from Service Catalog.
service-get             Display service from Service Catalog.
service-list            List all services in Service Catalog.
tenant-create           Create new tenant.
tenant-delete           Delete tenant.
tenant-get              Display tenant details.
tenant-list             List all tenants.
tenant-update           Update tenant name, description, enabled status.
token-get               Display the current user token.
user-create             Create new user.
user-delete             Delete user.
user-get                Display user details.
user-list               List users.
user-password-update    Update user password.
user-role-add           Add role to user.
user-role-list          List roles granted to a user.
user-role-remove        Remove role from user.
user-update             Update user's name, email, and enabled status.
discover                Discover Keystone servers, supported API versions and extensions.
bootstrap               Grants a new role to a new user on a new tenant, after creating each.
bash-completion         Prints all of the commands and options to stdout.
help                    Display help about this program or one of its subcommands.