OpenStack
Identity Service
Codename: Keystone
Deepti Ramakrishna
Software Engineer, Intel
What is Keystone?
● Keystone is the identity service used by OpenStack for
● Authentication (authN)
● Authorization (authZ)
● What is the difference between the two?
● Identity service has two primary functions:
● User management
● Service catalog
● In general deployment cases, Keystone will be the first service
to be installed
Keystone terminologies
● User
● Users are digital representations of a person, system, or service
● Project/Tenant
● A project is a group used to isolate resources and/or users
● Credentials
● Credentials are data known only by a specific user which prove his or her identity
● E.g: username and password, an authentication token
● Token
● A token is an arbitrary bit of text used to access resources
● Each token has a scope describing accessible resources
● A token may be revoked at any time and is valid for a finite duration
Keystone terminologies - continued
● Role
● Set of assigned user rights and privileges for performing a specific set of
operations
● A user token issued by Keystone includes a list of that user’s roles. Services then
determine how to interpret those roles.
● Endpoint
● An endpoint is a network-accessible address, usually described by URL, from
which services are accessed.
● Service
● An OpenStack service, such as Compute (Nova), Object Storage (Swift), or Image
Service (Glance) which provides one or more endpoints through which users can
access resources and perform operations.
● Service catalog = Services list + Endpoints
Uses of Identity API
● As a User:
● Get a token
● Get the service catalog
● As an admin:
● Define
● Users
● Projects
● Roles
● Roles for users on a project (RBAC - Role Based Access Control)
● Services, endpoints for services
● As a service:
● Validate a token
● Tracks what services are installed and where to locate them on the network
● Get a trust to impersonate user
http://www.slideshare.net/SteveMartinelli1/openstack-toronto-meetup-keystone-101
Keystone sequence diagram
http://www.slideshare.net/openstackindia/openstack-keystone-identity-service
Keystone backends
https://www.safaribooksonline.com/library/view/identity-authentication-and/9781491941249/ch01.html
Identity backend
● Pluggable architecture
● SQL
● Users are managed by Keystone
● Settings for connecting to a database are handled in keystone.conf file
● Essentially, Keystone is acting as an identity provider
● LDAP (Lightweight Directory Access Protocol)
● Storage and retrieval of Users/Groups info via LDAP
● Keystone will access the LDAP just like any other application that uses the
LDAP (System Login, Email, Web Application, etc.)
● Keystone does not act as an identity provider
● Memcached
● Free and open source, high-performance, distributed memory object
caching system
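To make the SQL-versus-LDAP distinction on this slide concrete, here is an added example (written for this page, not code from Keystone itself) of the pluggable identity backend: a driver is chosen from the [identity] driver setting in keystone.conf; with the SQL driver Keystone is the identity provider and stores only salted password hashes, while with the LDAP driver Keystone holds no credentials and delegates authentication to a directory bind. The FakeDirectory class, the in-memory user table and the PBKDF2 parameters are constructed stand-ins; the user_tree_dn option and the driver names sql/ldap are real keystone.conf settings, everything else is assumed.

```python
"""Added example: Keystone-style pluggable identity backends (SQL vs. LDAP)."""
import configparser
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # constructed value; pick per deployment policy


class SqlIdentity:
    """Keystone as identity provider: users and password hashes live in Keystone's DB."""

    def __init__(self):
        self._users = {}   # stands in for the SQL 'user' table (constructed)

    def create_user(self, name, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[name] = (salt, digest)   # only a salted hash is stored, never the password

    def authenticate(self, name, password):
        record = self._users.get(name)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)


class FakeDirectory:
    """Constructed stand-in for an LDAP server that answers simple bind requests."""

    def __init__(self, entries):
        self._entries = entries   # dn -> password (a real directory hashes these itself)

    def simple_bind(self, dn, password):
        return dn in self._entries and hmac.compare_digest(self._entries[dn], password)


class LdapIdentity:
    """Keystone as a consumer of an external directory: no credentials stored locally."""

    def __init__(self, directory, user_tree_dn):
        self._dir = directory
        self._user_tree_dn = user_tree_dn

    def create_user(self, name, password):
        # Treated as read-only here (assumption): identity is managed in the directory.
        raise NotImplementedError("users are managed in the directory, not by Keystone")

    def authenticate(self, name, password):
        dn = f"uid={name},{self._user_tree_dn}"     # LDAP bind = the authentication decision
        return self._dir.simple_bind(dn, password)


def load_identity_driver(conf_text, directory=None):
    """Pick the backend from the [identity] driver setting of a keystone.conf text."""
    conf = configparser.ConfigParser()
    conf.read_string(conf_text)
    driver = conf.get("identity", "driver", fallback="sql")
    if driver == "sql":
        return SqlIdentity()
    if driver == "ldap":
        tree = conf.get("ldap", "user_tree_dn", fallback="ou=users,dc=example,dc=com")
        return LdapIdentity(directory, tree)
    raise ValueError(f"unsupported identity driver: {driver}")
```

The security-relevant difference is visible in what each driver stores: the SQL driver never keeps a reversible secret, and the LDAP driver keeps nothing, so a Keystone database compromise exposes no directory passwords.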
Tokens
● All tokens have a payload wrapped in some transport format
● Payload
● Attributes such as uniqueness, identity and authorization
● Transport format
● Necessary package for transmission and validation. Must be URL-friendly
● Token expiration time/life span is configurable in
keystone.conf
Token formats - UUID
● UUID - Universally Unique Identifier
● Randomly generated UUID4 values that provide nothing more than
uniqueness. A UUID token looks like a 32-character hexadecimal string.
● Payload
● UUID4
● Format
● Hexadecimal
● Pros
● Better user experience
● Cons
● Goes back to keystone server for validation
● E.g:
● 53f7f6ef0cc344b5be706bcc8b1479e1
Token formats - PKI/PKIZ
● PKI - Public Key Infrastructure
● PKI and PKIZ tokens are nearly identical (and in fact share the same
payload), but PKIZ tokens add compression to the mix
● Payload
● JSON response that would normally be produced as a result of online
token validation
● Format
● CMS (Cryptographic Message Syntax) + [zlib] + base64
● Pros
● Does not go back to keystone for validation
● Cons
● Complex to set up
● E.g
● MIIKtgYJKoZIhvcNAQcCoIIKpzCCCqMCAQExCTAHBgUrDgMCGjCCCY8GCSqGSIb3DQEHAaCCCYAEggl8eyJhY2Nlc3MiOiB7InRva2VuIj
oMFQxNTo1MjowNi43MzMxOTgiLCAiZXhwaXJlcyI6ICIyMDEzLTA1LTMxVDE1OjUyOjA2WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW
5bCwgImVuYWJsZWQiOiB0cnVlLCAiaWQiOiAiYzJjNTliNGQzZDI4NGQ4ZmEwOWYxNjljYjE4MDBlMDYiLCAibmFtZSI6ICJkZW1vIn19L
Cb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTkyLjE2OC4yNy4xMDA6OD
http://docs.openstack.org/admin-guide/keystone_certificates_for_pki.html
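The two token slides above describe a trade-off: a UUID token carries nothing but uniqueness, so every service must go back to Keystone to learn what it means, whereas a PKI/PKIZ token carries the validation JSON itself (signed, and for PKIZ zlib-compressed and base64-encoded) and can be validated offline. The following is an added example written for this page, not Keystone code: it issues and validates both kinds of token, enforces the finite lifetime and revocation the terminology slide mentions, and shows why the --debug output in the lab prints X-Auth-Token as a SHA1 digest. The CMS signature is replaced by an HMAC-SHA256 stand-in so the code runs without a CA (an assumption; real Keystone signs with X.509/CMS via OpenSSL), the token table, revocation set, signing key and lifetime are constructed, and the "{SHA1}" log format is assumed from the client's debug output.

```python
"""Added example: UUID (online-validated) vs. PKIZ-style (self-describing) tokens."""
import base64
import hashlib
import hmac
import json
import time
import uuid
import zlib

SIGNING_KEY = b"constructed-demo-signing-key"  # stand-in for Keystone's signing key (assumption)
TOKEN_LIFETIME = 3600   # seconds; corresponds to the [token] expiration setting in keystone.conf
PKIZ_PREFIX = "PKIZ_"   # prefix Keystone puts on compressed PKI tokens

# State that exists only on the Keystone server: the UUID token table and the
# revocation list (for PKI tokens Keystone publishes this list to services).
_token_table = {}
_revoked_ids = set()


def make_payload(user, project, roles, issued_at=None):
    """The validation JSON: identity, scope, roles and lifetime of a token."""
    issued_at = time.time() if issued_at is None else issued_at
    return {"user": user, "project": project, "roles": roles,
            "issued_at": issued_at, "expires_at": issued_at + TOKEN_LIFETIME}


def _within_lifetime(payload, now):
    return payload["issued_at"] <= now < payload["expires_at"]


# ---- UUID tokens: opaque, so validation is a round-trip to Keystone ----------
def issue_uuid_token(payload):
    token = uuid.uuid4().hex          # 32 hex characters, nothing but uniqueness
    _token_table[token] = payload     # the meaning lives only in Keystone's store
    return token


def validate_uuid_token(token, now=None):
    """What Keystone does when a service asks it to validate a UUID token."""
    now = time.time() if now is None else now
    if token in _revoked_ids:
        return None
    payload = _token_table.get(token)   # this lookup is the online validation
    if payload is None or not _within_lifetime(payload, now):
        return None
    return payload


# ---- PKIZ-style tokens: the payload travels inside the token ----------------
def issue_pkiz_token(payload):
    body = json.dumps(payload, sort_keys=True).encode()
    # HMAC-SHA256 stands in for the CMS signature over the payload (assumption).
    signed = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest() + body
    # PKIZ transport format: [signature + JSON] -> zlib -> URL-safe base64, prefixed
    return PKIZ_PREFIX + base64.urlsafe_b64encode(zlib.compress(signed)).decode()


def token_id(token):
    """Short id a service matches against the revocation list (a hash, not the token)."""
    return hashlib.sha256(token.encode()).hexdigest()


def validate_pkiz_token(token, now=None, revoked_ids=None):
    """Offline validation: needs only the signing key and the revocation list."""
    now = time.time() if now is None else now
    revoked_ids = _revoked_ids if revoked_ids is None else revoked_ids
    if not token.startswith(PKIZ_PREFIX):
        return None
    try:
        signed = zlib.decompress(base64.urlsafe_b64decode(token[len(PKIZ_PREFIX):]))
    except (ValueError, zlib.error):    # not base64 / not zlib: reject
        return None
    sig, body = signed[:32], signed[32:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # tampered or forged payload
        return None
    payload = json.loads(body)
    if token_id(token) in revoked_ids or not _within_lifetime(payload, now):
        return None
    return payload


def revoke(token):
    """Revocation: UUID tokens by id in the table, PKIZ tokens by hash on the published list."""
    _revoked_ids.add(token if token in _token_table else token_id(token))


def debug_header_value(token):
    """How the client's --debug log prints X-Auth-Token: a SHA1 digest, not the token."""
    return "{SHA1}" + hashlib.sha1(token.encode()).hexdigest()
```

Note that the two "cons" on the slides fall out of the code: the UUID path cannot work without the table held by Keystone, and the PKIZ path is only as safe as the key management around SIGNING_KEY, which is where the setup complexity comes from.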
Identity v3 API
● python-keystoneclient doesn't expose v3 functionalities but
python-openstackclient does.
● Term “tenant” is officially replaced with “project”
● New features/concepts:
● Domains
● A high-level container for projects
● Groups
● A container representing a collection of users
● Federated authentication
Useful links
● Current (v3) API
● http://developer.openstack.org/api-ref/identity/v3/
● Source code
● https://github.com/openstack/keystone
● Blueprints
● https://blueprints.launchpad.net/keystone
● Bugs
● https://bugs.launchpad.net/keystone/+bugs
● Code Review
● https://review.openstack.org/#/q/project:+openstack/keystone
Lab session
CLI commands
● Let’s use OpenStack-client for this lab!
● python-keystoneclient only supports v2 API and not v3
● Verify Keystone service is running
● $ sudo pgrep -l apache2
● Admin endpoint
● $ sudo lsof -i | grep 35357
● Non-admin endpoint
● $ sudo lsof -i | grep 5000
● Source as admin (user) of admin (project)
● Check the auth_url
● $ printenv | grep OS_
● Get a token
● $ openstack token issue
● Show usage of debug command and explain about
● $ openstack --debug cinder list
● Review “X-Auth-Token” and why it is shown SHA1-hashed
● Openstack help command
● $ openstack help
CLI commands - continued
● Source as admin (user) of admin (project)
● Endpoint
● $ openstack endpoint list and $ openstack endpoint show <ENDPOINT-ID or NAME>
● Service
● $ openstack service list and $ openstack service show <SERVICE-ID or NAME>
● Project
● $ openstack project list and $ openstack project show <PROJECT-ID or NAME>
● User
● $ openstack user list and $ openstack user show <USER-ID or NAME>
● $ openstack user role list
● $ openstack user create <NEW-USER-NAME>
● $ openstack user delete <NAME>
● Role
● $ openstack role list and $ openstack role show <ROLE-ID or NAME>
● Source as a demo (user) of demo (project)
● Try some of the above commands and see that they don’t work!
● List services in the service catalog
● $ openstack catalog list and $ openstack catalog show <CATALOG-ID or NAME>
● Try creating a new user and see how it fails. In fact, listing users itself fails.
● $ openstack user create <NEW-USER-NAME>
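The lab's last step shows the demo user being refused where admin succeeds. The terminology slide explains why: Keystone puts the user's roles on the project into the token, and each service then decides for itself what those roles allow. The following is an added example for this page, not code from Keystone or oslo.policy: a tiny policy engine with a constructed rule syntax (a subset of the real policy.json/policy.yaml syntax) applied to two constructed tokens, separating the authentication failure (no valid token, 401) from the authorization failure (valid token, rule denied, 403), which is the "difference between the two" the first slide asks about. Action names, role names and user ids are assumed.

```python
"""Added example: how a service interprets the roles carried in a Keystone token."""
import time

# Constructed policy for an identity-like service. "" means any valid token may call it.
POLICY = {
    "identity:list_users":   "role:admin",
    "identity:create_user":  "role:admin",
    "identity:get_user":     "role:admin or user_id:%(target.user_id)s",
    "identity:list_catalog": "",
}


def _term_holds(term, token, target):
    """Evaluate one 'kind:value' term against the token (and optional target)."""
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in token["roles"]           # roles come straight from the token
    if kind == "user_id":
        return token["user_id"] == (value % target)   # e.g. %(target.user_id)s
    raise ValueError(f"unknown policy term: {term}")


def enforce(action, token, target=None):
    """Rule = alternatives joined by ' or ', each a conjunction joined by ' and '."""
    rule = POLICY[action]
    if rule == "":
        return True
    target = target or {}
    return any(all(_term_holds(t.strip(), token, target) for t in alt.split(" and "))
               for alt in rule.split(" or "))


def authorize(action, token, now=None, target=None):
    """Service-side decision: authN first (is the token valid?), then authZ (policy)."""
    now = time.time() if now is None else now
    if token is None or now >= token["expires_at"]:
        return 401   # authentication failed: missing or expired token
    if not enforce(action, token, target):
        return 403   # authenticated, but the roles do not satisfy the rule
    return 200


# Constructed tokens as a service would see them after validation.
ADMIN_TOKEN = {"user_id": "admin-id", "project": "admin", "roles": ["admin"],
               "expires_at": 1_700_003_600}
DEMO_TOKEN = {"user_id": "demo-id", "project": "demo", "roles": ["Member"],
              "expires_at": 1_700_003_600}


def run_lab(now=1_700_000_000):
    """Replay the lab's observations: admin can list/create users, demo cannot."""
    return {
        "admin list_users": authorize("identity:list_users", ADMIN_TOKEN, now),
        "demo list_users": authorize("identity:list_users", DEMO_TOKEN, now),
        "demo create_user": authorize("identity:create_user", DEMO_TOKEN, now),
        "demo list_catalog": authorize("identity:list_catalog", DEMO_TOKEN, now),
    }
```

A practical check this makes visible: a 403 on `openstack user list` with the demo credentials is the service working as intended, while a 401 means the token itself (not the role assignment) should be investigated.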
Advanced
● OpenStack Keystone installation and manually configuring
other services
● https://www.youtube.com/watch?v=0jNdlSBm1JA
OR
● https://www.youtube.com/watch?v=BGsCErR9A2s
Thank You!
