Hacking Keystone 
Victor Morales 
@electrocucarach
Agenda
• Context
• What is keystone?
• History
• Demo
  – keystone-manage
  – keystone-all
  – Installation (operator perspective)
  – Installation (developer perspective)
Cloud computing is a specialized form of distributed computing that introduces utilization models for remotely provisioning scalable and measured IT resources.
Service Models
Deployment models
OpenStack is a cloud operating system that controls large pools of compute, storage, and networking resources throughout a data center, all managed through a dashboard …
Definition
Keystone is the identity service used by OpenStack for authentication (authN) and high-level authorization (authZ). It currently supports token-based authN and user-service authorization.
If you're interested in identity for OpenStack, we hold public meetings weekly on IRC in #openstack-meeting, on Tuesdays at 18:00 UTC.
Releases
• Essex:
  – Supports S3 token validation and additional Swift storage features
• Folsom:
  – PKI support for authentication
• Grizzly:
  – New API (v3)
• Havana:
  – General performance improvements
• Icehouse:
  – The assignments backend has now been completely separated from the identity backend
• Juno:
  – Multiple identity backends
  – LDAPs now available
  – Keystone-to-Keystone federation (experimental)
API
• catalog
• ec2-credentials
  – create
  – delete
  – get
  – list
• endpoint
  – create
  – delete
  – get
  – list
• password
  – update
• role
  – create
  – delete
  – get
  – list
• service
  – create
  – delete
  – get
  – list
• tenant
  – create
  – delete
  – get
  – list
• token
  – get
• user
  – create
  – delete
  – get
  – list
  – update
  – password-update
• user-role
  – add
  – list
  – remove
• discover
• bootstrap
• bash
  – completion
keystone-all
It starts both the service and administrative APIs in a single process to provide catalog, authorization, and authentication services for OpenStack.
--config-dir DIR
    Path to a config directory to pull *.conf files from
--config-file PATH
    Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence.
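The token-based authN the deck describes, seen from a client of the service API: build the v2.0 token request, validate the response before trusting the token (scope, tenant, expiry), pick the admin or public endpoint out of the returned catalog, and keep the token id out of logs. This is an added example, not code from the slides or from the Keystone project; the host, ids and URLs are constructed, and the JSON shapes follow the Identity v2.0 API.

```python
"""Keystone v2.0 token-based authN from the client side (added example;
the Keystone host, ids and URLs below are constructed, not real)."""
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional
from urllib import request

AUTH_URL = "http://controller:5000"   # service API; placeholder host
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"       # format of token["expires"] in v2.0 responses


def build_token_request(username: str, password: str, tenant_name: str) -> Dict[str, Any]:
    """Body for POST /v2.0/tokens. Scoping to a tenant is what makes the token
    carry roles, i.e. usable for user-service authorization."""
    return {"auth": {"tenantName": tenant_name,
                     "passwordCredentials": {"username": username, "password": password}}}


def parse_token_response(body: str, expected_tenant: str,
                         now_utc: Optional[str] = None) -> Dict[str, Any]:
    """Validate a v2.0 token response before trusting it: reject tokens that are
    unscoped, scoped to the wrong tenant, or expired. now_utc (TIME_FMT string)
    exists for deterministic tests; by default the wall clock is used."""
    access = json.loads(body)["access"]
    token = access["token"]
    tenant = token.get("tenant")
    if tenant is None:
        raise ValueError("unscoped token: no tenant, so no roles to authorize with")
    if tenant["name"] != expected_tenant:
        raise ValueError("token scoped to %r, expected %r" % (tenant["name"], expected_tenant))
    expires = datetime.strptime(token["expires"], TIME_FMT).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_utc, TIME_FMT).replace(tzinfo=timezone.utc)
           if now_utc else datetime.now(timezone.utc))
    if expires <= now:
        raise ValueError("token expired at %s" % token["expires"])
    return {
        "token_id": token["id"],
        "expires": token["expires"],
        "tenant": tenant["name"],
        "user": access["user"]["name"],
        "roles": sorted(r["name"] for r in access["user"].get("roles", [])),
        "catalog": access.get("serviceCatalog", []),
    }


def find_endpoint(catalog: List[Dict[str, Any]], service_type: str,
                  interface: str = "publicURL", region: Optional[str] = None) -> Optional[str]:
    """Pick a service URL out of the catalog returned with the token."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for endpoint in service.get("endpoints", []):
            if region is None or endpoint.get("region") == region:
                return endpoint.get(interface)
    return None


def redact(token_id: str) -> str:
    """Log-safe form: a token id is a bearer credential, never log it whole."""
    return token_id[:4] + "..." + token_id[-4:] if len(token_id) > 12 else "***"


def authenticate(username: str, password: str, tenant_name: str,
                 auth_url: str = AUTH_URL, timeout: int = 10) -> Dict[str, Any]:
    """Live round trip to the service API (needs a running Keystone; not run offline)."""
    data = json.dumps(build_token_request(username, password, tenant_name)).encode()
    req = request.Request(auth_url.rstrip("/") + "/v2.0/tokens", data=data,
                          headers={"Content-Type": "application/json",
                                   "Accept": "application/json"})
    with request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode("utf-8"), tenant_name)


# Constructed sample of a v2.0 token response (ids and URLs are made up).
SAMPLE_RESPONSE = json.dumps({"access": {
    "token": {"id": "0123456789abcdef0123456789abcdef",
              "expires": "2014-10-20T18:00:00Z",
              "tenant": {"id": "t-demo", "name": "demo", "enabled": True}},
    "user": {"id": "u-demo", "name": "demo",
             "roles": [{"name": "Member"}, {"name": "_member_"}]},
    "serviceCatalog": [{"type": "identity", "name": "keystone",
                        "endpoints": [{"region": "RegionOne",
                                       "publicURL": "http://controller:5000/v2.0",
                                       "internalURL": "http://controller:5000/v2.0",
                                       "adminURL": "http://controller:35357/v2.0"}]}],
}})

if __name__ == "__main__":
    info = parse_token_response(SAMPLE_RESPONSE, "demo", now_utc="2014-10-20T17:30:00Z")
    print("user=%s tenant=%s roles=%s token=%s" % (
        info["user"], info["tenant"], info["roles"], redact(info["token_id"])))
    print("admin API:", find_endpoint(info["catalog"], "identity", "adminURL"))
```

The returned token id goes into the X-Auth-Token header of every later request, so the same expiry and scope checks belong wherever a service caches it.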
keystone-manage
It’s the command line tool which interacts with the Keystone service to initialize and update data within Keystone. Generally, keystone-manage is only used for operations that cannot be accomplished with the HTTP API, such as data import/export and database migrations.
Available commands:
• db_sync: Sync the database.
• db_version: Print the current migration version of the database.
• mapping_purge: Purge the identity mapping table.
• pki_setup: Initialize the certificates used to sign tokens.
• saml_idp_metadata: Generate identity provider metadata.
• ssl_setup: Generate certificates for SSL.
• token_flush: Purge expired tokens.
Installation 1/2
• Operator perspective (Ubuntu):
# echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/icehouse main" >> /etc/apt/sources.list.d/icehouse.list
# apt-get update
# apt-get -y install ubuntu-cloud-keyring
# apt-get update
# apt-get -y install keystone
Configure /etc/keystone/keystone.conf
# keystone-manage db_sync
# service keystone restart
Installation 2/2
• Developer perspective:
$ sudo apt-get install -y git screen python-pip python-virtualenv python-dev libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev libffi-dev
$ git clone https://github.com/openstack/keystone.git
$ cd keystone
$ python tools/install_venv.py
$ mv etc/keystone.conf.sample etc/keystone.conf
Configure etc/keystone.conf
$ tools/with_venv.sh bin/keystone-manage db_sync
$ screen -dmS "keystone_service" tools/with_venv.sh bin/keystone-all

OpenStack GDL: Hacking Keystone | 20 October 2014


Speaker notes

1. Terms:
   – IT Resource: physical or virtual IT-related artifact (physical server, software program, virtual server, service, storage device, network device).
   – Virtualization: physical IT resources provide multiple virtual images of themselves.
   – Scaling in / Scaling out: scaling represents the ability of the IT resource to gracefully handle increased or decreased usage demands.
   – Cloud: remote IT environment designed for the purpose of remotely provisioning IT resources.
   – On-Premise: IT resource that is not remotely accessible via a cloud.
   – Service: a software program that can be remotely invoked via a published technical interface.
   – Cloud Service: any remotely accessible IT resource is classified as a service.
   – Service Agent: an event-driven program capable of transparently intercepting and processing messages sent to or from services.
   Characteristics:
   – On-Demand Usage: the freedom to self-provision IT resources.
   – Ubiquitous Access: widely accessible; support for a range of devices, transport protocols, interfaces, and security technologies.
   – Multi-tenancy and Resource Pooling: IT resources shared by multiple users/tenants.
   – Elasticity: ability of a cloud to gracefully and transparently scale IT resources.
   – Measured Usage: keep track of the usage of its IT resources by cloud consumers (pay-per-use monitoring mechanism).
   – Resiliency: failover system.
2. Cloud computing provides users with access to a shared collection of computing resources: networks for transfer, servers for storage, and applications or services for completing tasks. The compelling features of a cloud are:
   – On-demand self-service: users can automatically provision needed computing capabilities, such as server time and network storage, without requiring human interaction with each service provider.
   – Network access: any computing capabilities are available over the network. Many different devices are allowed access through standardized mechanisms.
   – Resource pooling: multiple users can access clouds that serve other consumers according to demand.
   – Elasticity: provisioning is rapid and scales out or is based on need.
   – Metered or measured service: cloud systems can optimize and control resource use at the level that is appropriate for the service. Services include storage, processing, bandwidth, and active user accounts. Monitoring and reporting of resource usage provides transparency for both the provider and consumer of the utilized service.
3. References:
   – https://wiki.openstack.org/wiki/Keystone
   – http://keystone.openstack.org/ (http://docs.openstack.org/developer/keystone/)
   – https://github.com/openstack/keystone
4.
• Essex:
  – Supports S3 token validation and additional Swift storage features
• Folsom:
  – PKI support for authentication
  – Integration into openstack-common libraries
  – Swift AUTH middleware allowing overrides of authentication
  – Consolidation of CLI option names to the global OpenStack standard (use hyphens)
• Grizzly:
  – PKI tokens: PKI-based signed tokens (capable of being validated offline) are the default token format instead of traditional UUID-based tokens
  – New API: support for Identity API v3, which is deployed identically on both port 5000 and 35357 by default
  – User groups: manage role assignments for groups of users (managed on Identity API v3, affects both APIs)
  – Domains: a high-level container for projects, users and groups providing namespace isolation and an additional level of role management (managed on Identity API v3, affects both APIs)
  – Trusts: project-specific role delegation between users, with optional impersonation (Identity API v3 only)
  – Credentials: generic credential storage per user (e.g. EC2, PKI, SSH, etc.) (Identity API v3 only)
  – Policies: a centralized repository for arbitrary policy engine rule sets (Identity API v3 only)
  – Token values no longer appear in URLs (Identity API v3 only)
  – RBAC: policy.json controls are enforced for all Identity API v3 calls
  – Pluggable authentication: the default 'password' and 'token' authentication modules are now pluggable (Identity API v3 only) and can be easily replaced with custom code, for example to authenticate with an existing system. Plugins can also make calls to the existing identity driver. Authentication at the HTTP API layer is also pluggable in Identity API v3; however, see Known Issues.
  – External authentication: Keystone trusts externally provided CGI-style REMOTE_USER claims to identify end users
• Havana:
  – Improved deployment flexibility
    – Authorization data (tenants/projects, roles, role assignments; e.g. SQL) can now be stored in a separate backend, as determined by the "assignments" driver, from authentication data (users, groups; e.g. LDAP), as determined by the "identity" driver
    – Credentials (e.g. ec2 tokens) can now be stored in a separate backend, as determined by the "credentials" driver, from authentication data
    – Ability to specify more granular RBAC policy rules (for example, based on attributes in the API request / response body)
    – Pluggable handling of external authentication using REMOTE_USER
    – Token generation, which is currently either UUID or PKI based, is now pluggable and separated from token persistence. Deployers can write a custom implementation of the keystone.token.provider.Provider interface and configure keystone to use it with [token] provider. As a result, [signing] token_format is now deprecated in favor of this new configuration option.
    – First-class support for deployment behind Apache httpd
  – New deployment features
    – Ability to cache the results of driver calls in a key-value store (for example, memcached or redis)
    – keystone-manage token_flush command to help purge expired tokens
  – New API features
    – Delegated role-based authorization to arbitrary consumers using OAuth 1.0a
    – API clients can now opt out of the service catalog being included in a token response
    – Domain role assignments can now be inherited by that domain's projects
    – Aggregated role assignments API
    – External authentication providers can now embed a binding reference into tokens, such that remote services may optionally validate the identity of the user presenting the token against a presented external authentication mechanism. Currently, only Kerberos is supported.
    – Endpoints may now be explicitly mapped to projects, effectively preventing certain endpoints from appearing in the service catalog for certain projects, based on the project scope of a token. This does not prevent end users from accessing or using endpoints they are aware of through some other means.
    – Event notifications emitted for user and project/tenant create, update, and delete operations
  – General performance improvements
    – The v2 and v3 API now use the same logic for computing the list of roles assigned to a user-project pair during authentication, based on user+project, group+project, user+domain-inherited, and group+domain-inherited role assignments (where domain-inherited role assignments allow a domain-level role assignment to apply to all projects owned by that domain). The v3 API now uses a similar approach for computing user+domain role assignments for domain-scoped tokens.
    – Logs are handled using a common logging implementation from Oslo-incubator, consistent with other OpenStack projects
    – SQL migrations for extensions can now be managed independently from the primary migration repository using keystone-manage db_sync --extension=«extension-name»
• Icehouse:
  – New v3 API features
    – /v3/OS-FEDERATION/ allows Keystone to consume federated authentication via Shibboleth for multiple Identity Providers, and to map federated attributes into OpenStack group-based role assignments (see documentation)
    – POST /v3/users/{user_id}/password allows API users to update their own passwords (see documentation)
    – GET /v3/auth/tokens?nocatalog allows API users to opt out of receiving the service catalog when performing online token validation (see documentation)
    – /v3/regions provides a public interface for describing multi-region deployments (see documentation)
    – /v3/OS-SIMPLECERT/ now publishes the certificates used for PKI token validation (see documentation)
    – /v3/OS-TRUST/trusts is now capable of providing limited-use delegation via the remaining_uses attribute of trusts
  – The assignments backend (the source of authorization data) has now been completely separated from the identity backend (the source of authentication data). This means that you can now back your deployment's identity data with LDAP and your authorization data with SQL, for example.
  – The token KVS driver is now capable of writing to persistent key-value stores such as Redis, Cassandra, or MongoDB
  – Keystone's driver interfaces are now implemented as Abstract Base Classes (ABCs) to make it easier to track compatibility of custom driver implementations across releases
  – Keystone's default etc/policy.json has been rewritten in an easier to read format
  – Notifications are now emitted in response to create, update and delete events on roles, groups, and trusts
  – Custom extensions and driver implementations may now subscribe to internal-only event notifications, including disable events (which are only exposed externally as part of update events)
  – Keystone now emits Cloud Audit Data Federation (CADF) event notifications in response to authentication events
  – Additional plugins are provided to handle external authentication via REMOTE_USER with respect to single-domain versus multi-domain deployments
  – policy.json can now perform enforcement on the target domain in a domain-aware operation using, for example, %(target.{entity}.domain_id)s
  – The LDAP driver for the assignment backend now supports group-based role assignment operations
  – Keystone now publishes token revocation events in addition to providing continued support for token revocation lists. Token revocation events are designed to consume much less overhead (when compared to token revocation lists) and will enable Keystone to eliminate token persistence during the Juno release.
  – Deployers can now define arbitrary limits on the size of collections in API responses (for example, GET /v3/users might be configured to return only 100 users, rather than 10,000). Clients will be informed when truncation has occurred.
  – Lazy translation is now enabled, translating responses according to the requested Accept-Language header
  – Keystone now emits i18n-ready log messages
  – Collection filtering is now performed in the driver layer, where possible, for improved performance
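The Grizzly trusts and the Icehouse remaining_uses attribute above describe delegation without showing what the service has to enforce. The following is an added example written for this page, not Keystone's own implementation: a small Python model of an OS-TRUST style trust that checks the three properties the notes imply (the delegated roles are a subset of what the trustor holds, the trust expires, and each redemption consumes one of a finite number of uses), with impersonation deciding which identity the resulting token carries. User, project and trust ids, the role names and the clock values are constructed for the example.

```python
"""Trust-based delegation modelled on Keystone's OS-TRUST extension (Grizzly
trusts, Icehouse remaining_uses). Added example, not Keystone code; user,
project and trust ids and the clock values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional


class TrustError(Exception):
    """Creation or redemption of a trust was refused."""


@dataclass
class Trust:
    trust_id: str
    trustor_user_id: str                  # the delegating user
    trustee_user_id: str                  # the user allowed to act under the trust
    project_id: str
    roles: FrozenSet[str]                 # delegated roles, a subset of the trustor's
    impersonation: bool = False           # token names the trustor if True
    expires_at: Optional[datetime] = None
    remaining_uses: Optional[int] = None  # None means unlimited redemptions


def create_trust(trust_id, trustor_user_id, trustee_user_id, project_id,
                 trustor_roles, delegated_roles, impersonation=False,
                 expires_at=None, remaining_uses=None):
    """Validate a delegation request the way the trust API does at creation time."""
    delegated = frozenset(delegated_roles)
    if not delegated:
        raise TrustError("at least one role must be delegated")
    missing = delegated - frozenset(trustor_roles)
    if missing:
        # Nobody can hand out a role they do not hold on the project themselves.
        raise TrustError("trustor does not hold roles %s" % sorted(missing))
    if remaining_uses is not None and remaining_uses < 1:
        raise TrustError("remaining_uses must be a positive integer or None")
    return Trust(trust_id, trustor_user_id, trustee_user_id, project_id,
                 delegated, impersonation, expires_at, remaining_uses)


def redeem_trust(trust, requesting_user_id, now):
    """Issue a trust-scoped token (as a dict) for the trustee, consuming one use."""
    if requesting_user_id != trust.trustee_user_id:
        raise TrustError("only the trustee may redeem trust %s" % trust.trust_id)
    if trust.expires_at is not None and now >= trust.expires_at:
        raise TrustError("trust %s has expired" % trust.trust_id)
    if trust.remaining_uses is not None:
        if trust.remaining_uses < 1:
            raise TrustError("trust %s has no remaining uses" % trust.trust_id)
        trust.remaining_uses -= 1         # consumed before the token leaves the service
    return {
        # With impersonation the token carries the trustor's identity, else the trustee's.
        "user_id": trust.trustor_user_id if trust.impersonation else trust.trustee_user_id,
        "project_id": trust.project_id,
        "roles": sorted(trust.roles),     # never more than what was delegated
        "trust": {"id": trust.trust_id, "trustor_user_id": trust.trustor_user_id,
                  "trustee_user_id": trust.trustee_user_id,
                  "impersonation": trust.impersonation},
    }


def demo():
    """Alice delegates 'member' (not her 'admin') to Bob for two uses within an hour."""
    now = datetime(2014, 10, 1, 12, 0, tzinfo=timezone.utc)
    trust = create_trust("trust-1", "alice", "bob", "proj-1",
                         trustor_roles={"admin", "member"}, delegated_roles={"member"},
                         expires_at=now + timedelta(hours=1), remaining_uses=2)
    outcomes = []
    for minutes in (0, 5, 10):            # the third redemption must be refused
        try:
            token = redeem_trust(trust, "bob", now + timedelta(minutes=minutes))
            outcomes.append((token["user_id"], token["roles"]))
        except TrustError as exc:
            outcomes.append(str(exc))
    return outcomes, trust.remaining_uses


def demo_refusals():
    """Delegation and redemption attempts the service must refuse, plus impersonation."""
    now = datetime(2014, 10, 1, 12, 0, tzinfo=timezone.utc)
    refused = []
    try:                                  # alice holds only 'member' but asks to delegate 'admin'
        create_trust("trust-2", "alice", "bob", "proj-1", {"member"}, {"admin"})
    except TrustError as exc:
        refused.append(str(exc))
    trust = create_trust("trust-3", "alice", "bob", "proj-1", {"member"}, {"member"},
                         impersonation=True, expires_at=now + timedelta(minutes=1))
    for user, at in (("carol", now), ("bob", now + timedelta(minutes=1))):
        try:                              # wrong user, then expired
            redeem_trust(trust, user, at)
        except TrustError as exc:
            refused.append(str(exc))
    return refused, redeem_trust(trust, "bob", now)["user_id"]
```

The use counter is decremented before the token is returned, so a trust with remaining_uses=2 yields exactly two tokens and the third request is refused; the real service additionally has to make that decrement atomic across API workers, which this in-memory model does not show.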
5.
• catalog: List service catalog, possibly filtered by service.
• ec2-credentials-create: Create EC2-compatible credentials for user per tenant.
• ec2-credentials-delete: Delete EC2-compatible credentials.
• ec2-credentials-get: Display EC2-compatible credentials.
• ec2-credentials-list: List EC2-compatible credentials for a user.
• endpoint-create: Create a new endpoint associated with a service.
• endpoint-delete: Delete a service endpoint.
• endpoint-get: Find endpoint filtered by a specific attribute or service type.
• endpoint-list: List configured service endpoints.
• password-update: Update own password.
• role-create: Create new role.
• role-delete: Delete role.
• role-get: Display role details.
• role-list: List all roles.
• service-create: Add service to Service Catalog.
• service-delete: Delete service from Service Catalog.
• service-get: Display service from Service Catalog.
• service-list: List all services in Service Catalog.
• tenant-create: Create new tenant.
• tenant-delete: Delete tenant.
• tenant-get: Display tenant details.
• tenant-list: List all tenants.
• tenant-update: Update tenant name, description, enabled status.
• token-get: Display the current user token.
• user-create: Create new user.
• user-delete: Delete user.
• user-get: Display user details.
• user-list: List users.
• user-password-update: Update user password.
• user-role-add: Add role to user.
• user-role-list: List roles granted to a user.
• user-role-remove: Remove role from user.
• user-update: Update user's name, email, and enabled status.
• discover: Discover Keystone servers, supported API versions and extensions.
• bootstrap: Grants a new role to a new user on a new tenant, after creating each.
• bash-completion: Prints all of the commands and options to stdout.
• help: Display help about this program or one of its subcommands.
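Both slides touch policy.json: Grizzly made its rules mandatory for every v3 call, Icehouse let a rule refer to the target of the call with %(target.user.domain_id)s, and the role-create / user-role-add commands above grant the roles those rules test. The evaluator below is an added example written for this page, not Keystone's or oslo.policy's code: it parses rule strings with the same rule:/role:/attribute:value checks and and/or/not grammar, and shows why a domain-scoped admin can update a user in its own domain but not in another, and why a project-scoped admin token gets nothing at all. The policy, role names, domain and user ids are constructed, modelled on the shape of Keystone's domain-aware sample policy rather than copied from it; the target is passed already flattened to dotted keys, which is how Keystone hands it to the enforcer.

```python
"""Keystone-style policy.json rule evaluator with domain-aware target checks.
Added example, not Keystone or oslo.policy code: the rule set, role names and
ids are constructed, modelled on Keystone's domain-aware sample policy."""

# Constructed policy: a user may be updated by a cloud admin (admin role scoped
# to the assumed "admin-domain") or by an admin scoped to the target user's domain.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin-domain",
    "admin_and_matching_target_user_domain_id":
        "rule:admin_required and domain_id:%(target.user.domain_id)s",
    "identity:update_user":
        "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
}

def tokenize(rule):
    """Yield (kind, value) tokens; parentheses glued to a check are peeled off,
    while the parentheses inside a %(...)s template remain part of the check."""
    for tok in rule.split():
        body = tok.lstrip("(")
        for _ in range(len(tok) - len(body)):
            yield ("(", "(")
        trail = len(body) - len(body.rstrip(")"))
        body = body.rstrip(")")
        if body.lower() in ("and", "or", "not"):
            yield (body.lower(), body)
        elif body:
            yield ("check", body)
        for _ in range(trail):
            yield (")", ")")

def check(atom, policy, creds, target, depth):
    """One check: '@'/'!' constants, rule:, role:, or a credential attribute match."""
    if atom in ("", "@"):
        return True
    if atom == "!":
        return False
    kind, sep, match = atom.partition(":")
    if not sep:
        return False                          # malformed check: deny
    if kind == "rule":
        return enforce(policy, match, creds, target, depth + 1)
    if kind == "role":
        return match in creds.get("roles", ())
    try:
        expected = match % target             # resolve %(target.x.y)s references
    except (KeyError, ValueError, TypeError):
        return False                          # referenced target attribute absent: deny
    return kind in creds and str(creds[kind]) == expected

def enforce(policy, action, creds, target, depth=0):
    """True if creds may perform action; target is flat, e.g. {"target.user.domain_id": "a"}."""
    if depth > 16:
        raise ValueError("rule recursion too deep at %r" % action)
    rule = policy.get(action)
    if rule is None:
        return False                          # unregistered action: deny
    toks = list(tokenize(rule)) or [("check", "@")]   # empty rule: always allowed
    pos = [0]                                 # cursor shared by the nested parsers

    def take(expect=None):                    # consume next token unless expect differs
        tok = toks[pos[0]] if pos[0] < len(toks) else (None, None)
        if expect is None or tok[0] == expect:
            pos[0] += 1
        return tok
    def p_or():                               # 'or' binds loosest
        ok = p_and()
        while take("or")[0] == "or":
            ok = p_and() or ok                # both sides evaluated; checks are pure
        return ok
    def p_and():
        ok = p_not()
        while take("and")[0] == "and":
            ok = p_not() and ok
        return ok
    def p_not():                              # 'not', parentheses, or a single check
        kind, val = take()
        if kind == "not":
            return not p_not()
        if kind == "(":
            ok = p_or()
            if take(")")[0] != ")":
                raise ValueError("missing ')' in rule %r" % rule)
            return ok
        if kind == "check":
            return check(val, policy, creds, target, depth)
        raise ValueError("unexpected token %r in rule %r" % (val, rule))

    ok = p_or()
    if pos[0] != len(toks):
        raise ValueError("trailing tokens in rule %r" % rule)
    return ok

TARGET_USER = {"target.user.id": "user-42", "target.user.domain_id": "domain-a"}

def demo(action="identity:update_user", target=TARGET_USER):
    """{caller: allowed} for constructed credential sets (roles plus token scope)."""
    callers = {
        "cloud_admin": {"roles": ["admin"], "domain_id": "admin-domain"},
        "domain_a_admin": {"roles": ["admin"], "domain_id": "domain-a"},
        "domain_b_admin": {"roles": ["admin"], "domain_id": "domain-b"},
        "project_admin": {"roles": ["admin"], "project_id": "proj-1"},  # no domain scope
        "member": {"roles": ["member"], "domain_id": "domain-a"},
    }
    return {name: enforce(POLICY, action, creds, target) for name, creds in callers.items()}
```

Two behaviours matter for review: a %(target...)s reference that the request did not supply makes the check fail rather than pass, and an action with no rule registered is denied, so a typo in a rule name or a forgotten target attribute can only ever remove access, never grant it.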
  6. http://docs.openstack.org/developer/keystone/installing.html
  7. http://docs.openstack.org/developer/keystone/installing.html