2. OpenStack Identity
State of the Project: Keystone
Joe Heck
Project Technical Lead
Friday, April 20, 12
3. Who Am I
Joe Heck
@heckj
[map slide: “grew up here” / “choose to live here”]
4. Outline
‣ Why keystone
‣ What is keystone
‣ Basic concepts
‣ High level architecture
‣ Essex release
‣ Folsom plans
5. Why Keystone
‣ the first “openstack common”
‣ common internal API expressing relevant identity information to OpenStack projects
‣ need for knowledge of OpenStack service endpoints
6. Keystone history
‣ protocols and mechanisms originally disparate in compute and object storage
‣ aggressively prototyped in Diablo release
  ‣ OpenStack internal token-based HTTP API
  ‣ administrative API
‣ consolidated in Essex release
  ‣ architecture shift to focus on independent drivers
  ‣ migrated to administrative CRUD operations
7. What is Keystone
‣ single source of authentication, authorization
  ‣ same account and credentials for starting a VM instance and accessing a container in object storage
‣ means of expressing API endpoints
  ‣ basic service catalog
8. What is Keystone - core internal services
‣ identity
‣ policy
‣ token
‣ catalog
9. Basic Concepts - Identity
‣ Tenant == Project
  ‣ basic unit of ownership
  ‣ collection of resources (VM, volume, container, etc.)
‣ User
  ‣ individual or service
  ‣ identified by basic credentials
‣ Role
  ‣ named relationship between a user and a tenant
10. Basic Concepts - Policy
‣ Policy file - private/internal in Essex
  ‣ Nova, Glance, and Keystone
‣ Simple rule-based mechanism for expressing authorization
‣ Enforcement at the services
11. Basic Concepts - Token
‣ Token
  ‣ arbitrary string to be used in HTTP headers
  ‣ identity associated with token retrievable by other OpenStack services
    ‣ token
    ‣ user, tenant, roles
    ‣ catalog
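An added illustration of slides 10 and 11, not Keystone's or any OpenStack project's code: a service resolves an opaque token to user, tenant and roles, then enforces an authorization rule written in the Essex-era list-of-lists policy style (outer list is OR, inner list is AND, empty list means any authenticated caller). The token store, policy rules, `role:`/`tenant_id:%(tenant_id)s` check syntax and request values are constructed for this example.

```python
# Constructed token store: what the identity service hands back when a
# service asks which user, tenant and roles an opaque token stands for.
TOKEN_STORE = {
    "tok-alice-0001": {"user": "alice", "tenant_id": "proj-a", "roles": ["member"]},
    "tok-admin-0002": {"user": "root", "tenant_id": "proj-ops", "roles": ["admin"]},
}

# Constructed policy in list-of-lists form: the outer list is OR, each inner
# list is AND, and an empty list means "anyone with a valid token".
POLICY = {
    "volume:list": [],
    "volume:delete": [["role:admin"], ["tenant_id:%(tenant_id)s"]],
    "admin_api": [["role:admin"]],
}


def validate_token(token):
    """Resolve an opaque token to user, tenant and roles; None if unknown."""
    return TOKEN_STORE.get(token)


def _check(check, creds, target):
    """Evaluate one 'kind:value' check against caller creds and the target."""
    kind, _, value = check.partition(":")
    if kind == "role":
        return value in creds["roles"]
    try:
        expected = value % target  # fill %(name)s from the target resource
    except KeyError:
        return False  # rule names an attribute the target does not carry
    return str(creds.get(kind)) == expected


def enforce(rule, creds, target=None):
    """True if the rule is empty or any AND-group is fully satisfied."""
    groups = POLICY[rule]
    target = target or {}
    return not groups or any(
        all(_check(c, creds, target) for c in group) for group in groups
    )


def handle_request(token, action, target=None):
    """Middleware-style outcome: 401 without a valid token, 403 if denied."""
    creds = validate_token(token)
    if creds is None:
        return 401
    return 200 if enforce(action, creds, target) else 403
```

Enforcement happens in the service (as slide 10 says), while the identity service only answers the token lookup; a tenant-scoped rule denies a member acting on another tenant's volume but lets an admin through via the OR branch.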
17. Essex Release
‣ API Stability
  ‣ architecture reset - maintained Diablo API compatibility
  ‣ functional test driven
  ‣ “auth_token” middleware - rewritten
‣ Operational Focus
  ‣ Additional logging
  ‣ Basic RBAC “policy” (nova, glance, keystone)
18. Folsom Plans
‣ theme: steady, stable, tested
‣ careful, thoughtful improvement
‣ keep core simple, stable
‣ continued focus on integration tests and stability
19. Folsom Plans
‣ iterate forward on API
  ‣ Identity
    ‣ domain (collections of tenants)
    ‣ additional backends (LDAP to Active Directory)
  ‣ authentication enhancements
    ‣ PKI support
    ‣ multi-factor support