SlideShare uma empresa Scribd logo

OpenStack Toronto Meetup - Keystone 101

Transferir como PPTX, PDF
Steve Martinelli
Steve Martinelli

Providing an overview of several different Openstack Keystone concepts, presented at a local Toronto meetup, circa January 2015)

Tecnologia
1 de 26
OpenStack Toronto Meetup - February Keystone 101 Steve Martinelli Software Developer, IBM Keystone Core Twitter: @stevebot
Agenda ● Who is this guy and what does he do? ● Keystone 101 o Main uses of Keystone o Identity API v2 vs Identity API v3 o Token formats o Token APIs o Identity Backends o Keystone Middleware o Keystone Clients ● IBM’s involvement in OpenStack ● Q & (possibly) A
● Joined what is now the IBM Open Technologies team in December 2012. Primarily focused on contributing code to upstream projects and being good members of the OpenStack community. ● I’m primarily focused in Keystone (Identity program) and OpenStackClient (Command Line). Core reviewer in four projects: keystone, python-openstackclient, oslo.policy, pycadf. ● I’ve also contributed to a few other projects: devstack, infra, ceilometer, oslo.*, and most of the *-specs repositories. If you see something in need of fixing, push up a patch. My typical day… ● TODO: open source, code review/gerrit, tests required, mailing list / IRC, blueprint/spec process, gate status, bug fixes/dev Who is this guy and what does he do?
● Get a token o Token required to access other resources/services o Contains the user's roles on the project ● Get the service catalog o URL to the other service ● Returned by POST /v3/auth/tokens Uses of Identity API – As a user Uses of Identity API – As an admin ● Define ○ Users, Groups ○ Projects ○ Roles ○ Roles for users on projects ○ Services, endpoints for services
● Validate a token ○ auth_token middleware ✓ Works with V2 and V3 tokens ✓ Works with PKI and UUID tokens ✓ Revocation list ✓ Extracts roles, other info from token ○ Supplied by keystonemiddleware package ● Discover other service endpoints ● Get a trust to impersonate user Uses of Identity API – As a service Keystone APIs are hosted here: http://specs.openstack.org/openstack/keystone-specs/
{ "serviceCatalog": [ { "endpoints": [ { "adminURL": "http: //swift.admin-nets.local: 8080/", "region": "RegionOne", "internalURL": "http: //127.0.0.1: 8080/v1/AUTH_1", "publicURL": "http: //swift.publicinternets.com/v1/AUTH_1" } ], "type": "object-store", "name": "swift" }, { "endpoints": [ { "adminURL": "http: //cdn.admin-nets.local:35357/v2.0", "region": "RegionOne", "internalURL": " http: //cdn.admin-nets.local:5000/v2.0 ", "publicURL": " http: //cdn.admin-nets.local:5000/v2.0 " } ], "type": “identity", "name": “keystone" } ] } Sample Service Catalog
Identity API ● Identity API is a standard, it now has v2 and v3 ● Anyone could implement the Identity API, Keystone is one example ● There is no Keystone V2 or Keystone V3 or a way to upgrade from one to the other! Identity API v2 ● Public API ○ Port 5000 (http://localhost:5000/v2.0) ○ Get tokens, List tenants, very limited ● Admin API, most other Keystone operations, they are admin only ○ (http://localhost:35357/v2.0) Identity API v3 ● Full support for Identity API v2 ● Renamed “tenants” to “projects” ● Token IDs are not in the URL for security, they are in X-Subject-Token header Keystone ● Both “admin” 35357 and “public” 5000 ports ● Protected by RBAC (policy.json) ● Grizzly supports Identity API V3.0, Havana has V3.1, IceHouse is V3.2 Identity API v2 vs Identity API v3 vs Keystone
● Users exist in a backend (SQL/LDAP/Other). ● AuthN: The user authenticates by providing user id and password. ● AuthZ: The user should have a role on a project. ● Keystone returns a token with that is scoped to the role and project. ● The user will pass this token around to the other OpenStack services. Keystone Classic AuthN/AuthZ flow Nova Swift Keystone Auth Plugins: https://github.com/openstack/keystone/tree/master/keystone/auth/plugins Auth Controller: https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py
● UUID ○ Looks like a 32 character string: 468da447bd1c4821bbc5def0498fd441 ○ Pros: ✓ Better user experience ✓ No problem with token length ○ Cons: ✓ Goes back to Keystone server for validation ○ How the Provider creates an ID: Token Formats Common Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py UUID Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/uuid.py Token Model: https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py
● PKI ○ Looks like: MIIDsAYJKoZIhvcNAQcCoIIDoTCCA50CAQExCTAHBgUrDgMCGjCCAokGCSqGSIb3DQEHAaCCAnoEggJ2ew0KICAgICJhY2Q ogICAgICAgI...EBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChM 7r0iosFscpnfCuc8jGMobyfApz/dZqJnsk4lt1ahlNTpXQeVFxNK/ydKL+tzEjg ○ Pros: ✓ Does not go back to Keystone for validation ○ Cons: ✓ Complex to setup ✓ Several problems with length - had caused issues with swift and horizon ○ How the Provider creates an ID: Token Formats Common Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py PKI Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/pki.py Token Model: https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py
● PKIz ○ Compressed version of PKI ○ Looks similar to PKI, but slightly shorter ○ How the Provider creates an ID: Token Formats Common Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py PKIz Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/pkiz.py Token Model: https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py
● KLWT (Keystone Lightweight Token) ○ New in Kilo!! The code isn’t even merged yet, but it should be by feature freeze. ○ Doesn’t actually store tokens in any database! ○ The token consists of a bunch of data that is signed and hashed: Data is: (user_id, scope_id, issued_at, *expires_at*, audit_ids) ○ Token Format prefix: KLWT00 for regular token, KLWT01 for trusts, etc. ○ Keystone middleware must be updated to provide the ability to decrypt the token To be implemented Token Formats Common Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py Token Model: https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py
● /v3/auth/tokens ○ POST – authenticate to get a token ○ GET – validate a token ○ HEAD – validate a token (no data) ○ DELETE – invalidate a token Request endpoint and HTTP method: POST http://localhost:5000/v3/auth/tokens Request body: { "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "admin", "domain": { "id": "default" }, "password": "adminpassword" } } }, "scope": { "project": { "name": "demo", "domain": { "id": "default" } } } } } Token APIs and Request << Methods describes the authentication plugin that is being used. Aside from password, other valid options are `token`, `external`, and a few other experimental ones. << Scope describes the what the user wants the returned token to be valid on. Scopes can be a project or domain. Scope can be one of the following: 1) Project ID 2) Domain ID 3) Project Name + Domain ID 4) Project Name + Domain Name
{ "token": { "methods": [ "password" ], "roles": [{ "id": "c703057be878458588961ce9a0ce686b", "name": "admin"} ], "expires_at": "2014-06-10T2:55:16.806001Z", "project": { "domain": { "id": "default", "name": "Default" }, "id": "8538a3f13f9541b28c2620eb19065e45", "name": "admin" }, "catalog": [ { "endpoints": [{ "url": "http://localhost:5000/v2.0", "region": "RegionOne", "interface": "public", "id": "ef303187fc8d41668f25199c298396a5"} ], "type": "identity", "id": "bd73972c0e14fb69bae8ff76e112a90", "name": "keystone" } ], "user": { "domain": { "id": "default", "name": "Default" }, "id": "3ec3164f750146be97f21559ee4d9c51", "name": "admin" }, "issued_at": "201406-10T20:55:16.806027Z" } } Analyzing the token response Keystone returns the ID of the Token in the X-Subject-Token header, and the token content in the body. << Roles represents the roles that the user has on the resource. << Project represents the resource the user has a role on. From the scope in the request. << Catalog describes the different services a user may access, and their various endpoints. Services may be: compute, identity, image, orchestration, etc. << User represents the user that was issued the token.
● Users are managed by Keystone ● Settings for connecting to a database are handled in Keystone’s config file ● Essentially, Keystone is acting as an Identity Provider ● Pros: o Easy to setup o Easier management of users and groups ● Cons: o Keystone shouldn’t be an Identity Provider o Weak password support ✓ No password rotation ✓ No password recovery o Most enterprises have an LDAP they want to use o Yet another username and password users must remember Identity Backends - SQL SQL Backend: https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py
● Keystone accessing LDAP should be act just like any other application ● Keystone operations performed on LDAP ○ User/Group lookup (search) ○ Authentication of users (bind) ● What rights does Keystone need in LDAP? ○ Read access to user/group attributes defined in keystone.conf ○ Unprivileged account or anonymous is preferable ○ Access to password hashes is not needed Identity Backends - LDAP - Basics * awesome diagrams provided by nkinder LDAP Backend: https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py
Configured Keystone to use our Internal LDAP, and I was able to authenticating with username stevemar@ca.ibm.com and my own intranet password. Listing users in a group: steve:keystone$ openstack user list --group openstackers +-----------+--------------------------------+ | ID | Name | +-----------+--------------------------------+ | 111111111 | user1111@us.ibm.com | | 222222222 | user2222@us.ibm.com | | 333333333 | user3333@us.ibm.com | | 123456789 | stevemar@ca.ibm.com | Listing groups a user belongs to: steve:keystone$ openstack group list --user 123456789 +-----------+--------------------------------+ | ID | Name | +-----------+--------------------------------+ | 444444444 | vpn-users | | 555555555 | openstackers | | 666666666 | softwaregroup_canada | *Slight changes made to names/emails/ids Identity Backends - LDAP - Example
● A common authentication protocol in use between the OpenStack projects. o Added to the paste pipeline of other projects Keystone Auth Token Middleware Middleware example config: http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#configuration Middleware __call__: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L783 Middleware validate: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L929
● KeystoneClient (python-keystoneclient) ○ Essentially two parts: a library, and a command line ○ The library supports V2 & V3 API Modules can be imported and used like any other python library. ○ KeystoneClient’s CLI supports only Identity V2 ● OpenStackClient (python-openstackclient) ○ Strictly a command line, supports Identity V2 and V3 ○ Leverages the libraries that KeystoneClient supports ○ Also supports Nova/Glance/Cinder/Swift/etc… ○ Community direction is to create a common CLI. Keystone Clients OpenStackClient: http://docs.openstack.org/developer/python-openstackclient/ KeystonClient vs OpenStackClient: https://github.com/openstack/keystone/blob/master/doc/source/cli_examples.rst
Questions? … and hopefully some answers
Backup slides
● Users ○ id, name, description, enabled, mail ○ Enabled attribute can be emulated via group membership ● Groups ○ id, name, description, member ○ id and name are both considered to be unique ● inetOrgPerson (User) example ○ dn: uid=someuser,cn=users,dc=example,dc=com ○ objectclass: inetorgperson ○ uid: someuser (<---- id, name) ○ cn: Some User ○ mail: someuser@example.com (<---- mail) ● Group example ○ dn: cn=Some Group,cn=users,dc=example,dc=com ○ objectclass: group ○ cn: Some User (<---- id, name) ○ description: Some Group (<---- description) ○ member: <user DN> (<---- member) Identity Backends - LDAP - Attributes LDAP Seach function: https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L916-L943
● Domains are a grouping of users, groups, and project ● Now able to configure more than one LDAP backend ● Configure one LDAP per domains ○ Set domain_specific_drivers_enabled = true ○ Domain specific partial config files are placed in: /etc/keystone/domains/keystone.<domain>.conf Identity Backends - LDAP - Enhancements * awesome diagrams provided by nkinder LDAP Mapping: https://github.com/openstack/keystone/blob/master/keystone/identity/mapping_backends/sql.py#L23-L25
● Keystone has generic federation capabilities, which allows for external users to be recognized ● Users are not persisted in Keystone, but are created on the fly from external user information provided by a trusted identity provider ● Use-cases ○ Existing internal IdP, Single Sign On ○ Inaccessible LDAP identity source ○ Non-LDAP identity source ● Currently support the following federation protocols: o SAML 2.0 o OpenID Connect Federation OS-FEDERATION API: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html
● Identity Provider (IdP) ○ Trusted provider of identity information ● Service Provider (SP) ○ Service that consumes identity information (Keystone) ● Assertion ○ Trusted representation of identity attributes issued by IdP for consumption by SP ● Using the SAML protocol an Assertion represents identity attributes, whereas the OpenID Connect protocol has Claims. Federation - Concepts * awesome diagrams provided by nkinder Docs for configuring federation: http://docs.openstack.org/developer/keystone/configure_federation.html
● Groups are created in Keystone's identity backend for the purpose of role assignment ○ Mapping establishes group membership ● Federation specific auth URL is used to obtain an unscoped token ○ Simply identifies user and groups ● Unscoped federation token is used to obtain a scoped token ○ Contains group assigned roles Federation * awesome diagrams provided by nkinder Mapping function: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L145-L230

Recomendados

OpenStack Keystone
OpenStack KeystoneOpenStack Keystone
OpenStack KeystoneDeepti Ramakrishna
 
Secure Keystone Deployment
Secure Keystone DeploymentSecure Keystone Deployment
Secure Keystone DeploymentPriti Desai
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStackSteve Martinelli
 
Keystone: Federated
Keystone: FederatedKeystone: Federated
Keystone: Federatedjamielennox
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedPriti Desai
 
CIS 2015- Building IAM for OpenStack- Steve Martinelli
CIS 2015- Building IAM for OpenStack- Steve MartinelliCIS 2015- Building IAM for OpenStack- Steve Martinelli
CIS 2015- Building IAM for OpenStack- Steve MartinelliCloudIDSummit
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 

Recomendados

OpenStack Keystone
OpenStack KeystoneOpenStack Keystone
OpenStack KeystoneDeepti Ramakrishna
 
Secure Keystone Deployment
Secure Keystone DeploymentSecure Keystone Deployment
Secure Keystone DeploymentPriti Desai
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStackSteve Martinelli
 
Keystone: Federated
Keystone: FederatedKeystone: Federated
Keystone: Federatedjamielennox
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedPriti Desai
 
CIS 2015- Building IAM for OpenStack- Steve Martinelli
CIS 2015- Building IAM for OpenStack- Steve MartinelliCIS 2015- Building IAM for OpenStack- Steve Martinelli
CIS 2015- Building IAM for OpenStack- Steve MartinelliCloudIDSummit
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014Victor Morales
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
Openstack Keystone
Openstack Keystone Openstack Keystone
Openstack Keystone Kamesh Pemmaraju
 
Keystone Federation
Keystone Federation Keystone Federation
Keystone Federation openstackindia
 
Integrating OpenStack with Active Directory
Integrating OpenStack with Active DirectoryIntegrating OpenStack with Active Directory
Integrating OpenStack with Active Directorycjellick
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
Security_of_openstack_keystone
Security_of_openstack_keystoneSecurity_of_openstack_keystone
Security_of_openstack_keystoneUT, San Antonio
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1Jsonr4
 
Various Types of OpenSSL Commands and Keytool
Various Types of OpenSSL Commands and KeytoolVarious Types of OpenSSL Commands and Keytool
Various Types of OpenSSL Commands and KeytoolCheapSSLsecurity
 
OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Securityopenstackindia
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytoolCheapSSLsecurity
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API SecurityCloudIDSummit
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisOWASP Hacker Thursday
 
OpenStack Glance
OpenStack GlanceOpenStack Glance
OpenStack Glanceopenstackstl
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
 
Shield talk elasticsearch meetup Zurich 27.05.2015
Shield talk elasticsearch meetup Zurich 27.05.2015Shield talk elasticsearch meetup Zurich 27.05.2015
Shield talk elasticsearch meetup Zurich 27.05.2015em_mu
 
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Stephen Gordon
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAPJesse Pretorius
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordelguest2a1135
 
Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!All Things Open
 
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & morePower your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & morewesley chun
 

Mais conteúdo relacionado

Mais procurados

Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014Victor Morales
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
Integrating OpenStack with Active Directory
Integrating OpenStack with Active DirectoryIntegrating OpenStack with Active Directory
Integrating OpenStack with Active Directorycjellick
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
Security_of_openstack_keystone
Security_of_openstack_keystoneSecurity_of_openstack_keystone
Security_of_openstack_keystoneUT, San Antonio
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1Jsonr4
 
Various Types of OpenSSL Commands and Keytool
Various Types of OpenSSL Commands and KeytoolVarious Types of OpenSSL Commands and Keytool
Various Types of OpenSSL Commands and KeytoolCheapSSLsecurity
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytoolCheapSSLsecurity
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API SecurityCloudIDSummit
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisOWASP Hacker Thursday
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
 
Shield talk elasticsearch meetup Zurich 27.05.2015
Shield talk elasticsearch meetup Zurich 27.05.2015Shield talk elasticsearch meetup Zurich 27.05.2015
Shield talk elasticsearch meetup Zurich 27.05.2015em_mu
 
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Stephen Gordon
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAPJesse Pretorius
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordelguest2a1135
 

Mais procurados (20)

Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
Openstack Keystone
Openstack Keystone Openstack Keystone
Openstack Keystone
 
Keystone Federation
Keystone Federation Keystone Federation
Keystone Federation
 
Integrating OpenStack with Active Directory
Integrating OpenStack with Active DirectoryIntegrating OpenStack with Active Directory
Integrating OpenStack with Active Directory
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
 
Security_of_openstack_keystone
Security_of_openstack_keystoneSecurity_of_openstack_keystone
Security_of_openstack_keystone
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1
 
Various Types of OpenSSL Commands and Keytool
Various Types of OpenSSL Commands and KeytoolVarious Types of OpenSSL Commands and Keytool
Various Types of OpenSSL Commands and Keytool
 
OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Security
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytool
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API Security
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin Jois
 
OpenStack Glance
OpenStack GlanceOpenStack Glance
OpenStack Glance
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
 
Shield talk elasticsearch meetup Zurich 27.05.2015
Shield talk elasticsearch meetup Zurich 27.05.2015Shield talk elasticsearch meetup Zurich 27.05.2015
Shield talk elasticsearch meetup Zurich 27.05.2015
 
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAP
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
 

Semelhante a OpenStack Toronto Meetup - Keystone 101

Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!All Things Open
 
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & morePower your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & morewesley chun
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...wesley chun
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a servicePino deCandia
 
Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Leadex Systems
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIsExploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIswesley chun
 
Let's build Developer Portal with Backstage
Let's build Developer Portal with BackstageLet's build Developer Portal with Backstage
Let's build Developer Portal with BackstageOpsta
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Richard Bullington-McGuire
 
how to use openstack api
how to use openstack apihow to use openstack api
how to use openstack apiLiang Bo
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformAntonio Peric-Mazar
 
Building an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfBuilding an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfJorge Alvarez
 
George Thiruvathukal, User Experiences with Plone Content Management
George Thiruvathukal, User Experiences with Plone Content Management George Thiruvathukal, User Experiences with Plone Content Management
George Thiruvathukal, User Experiences with Plone Content Management webcontent2007
 

Semelhante a OpenStack Toronto Meetup - Keystone 101 (20)

Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!
 
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & morePower your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a service
 
Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021Moscow MuleSoft meetup May 2021
Moscow MuleSoft meetup May 2021
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIsExploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
 
Let's build Developer Portal with Backstage
Let's build Developer Portal with BackstageLet's build Developer Portal with Backstage
Let's build Developer Portal with Backstage
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
 
how to use openstack api
how to use openstack apihow to use openstack api
how to use openstack api
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API Platform
 
Building an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfBuilding an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdf
 
George Thiruvathukal, User Experiences with Plone Content Management
George Thiruvathukal, User Experiences with Plone Content Management George Thiruvathukal, User Experiences with Plone Content Management
George Thiruvathukal, User Experiences with Plone Content Management
 

Último

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 

Último (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 

OpenStack Toronto Meetup - Keystone 101

  • 1. OpenStack Toronto Meetup - February Keystone 101 Steve Martinelli Software Developer, IBM Keystone Core Twitter: @stevebot
  • 2. Agenda ● Who is this guy and what does he do? ● Keystone 101 o Main uses of Keystone o Identity API v2 vs Identity API v3 o Token formats o Token APIs o Identity Backends o Keystone Middleware o Keystone Clients ● IBM’s involvement in OpenStack ● Q & (possibly) A
  • 3. ● Joined what is now the IBM Open Technologies team in December 2012. Primarily focused on contributing code to upstream projects and being good members of the OpenStack community. ● I’m primarily focused in Keystone (Identity program) and OpenStackClient (Command Line). Core reviewer in four projects: keystone, python-openstackclient, oslo.policy, pycadf. ● I’ve also contributed to a few other projects: devstack, infra, ceilometer, oslo.*, and most of the *-specs repositories. If you see something in need of fixing, push up a patch. My typical day… ● TODO: open source, code review/gerrit, tests required, mailing list / IRC, blueprint/spec process, gate status, bug fixes/dev Who is this guy and what does he do?
  • 4. ● Get a token o Token required to access other resources/services o Contains the user's roles on the project ● Get the service catalog o URL to the other service ● Returned by POST /v3/auth/tokens Uses of Identity API – As a user Uses of Identity API – As an admin ● Define ○ Users, Groups ○ Projects ○ Roles ○ Roles for users on projects ○ Services, endpoints for services
  • 5. ● Validate a token ○ auth_token middleware ✓ Works with V2 and V3 tokens ✓ Works with PKI and UUID tokens ✓ Revocation list ✓ Extracts roles, other info from token ○ Supplied by keystonemiddleware package ● Discover other service endpoints ● Get a trust to impersonate user Uses of Identity API – As a service Keystone APIs are hosted here: http://specs.openstack.org/openstack/keystone-specs/
  • 6. { "serviceCatalog": [ { "endpoints": [ { "adminURL": "http: //swift.admin-nets.local: 8080/", "region": "RegionOne", "internalURL": "http: //127.0.0.1: 8080/v1/AUTH_1", "publicURL": "http: //swift.publicinternets.com/v1/AUTH_1" } ], "type": "object-store", "name": "swift" }, { "endpoints": [ { "adminURL": "http: //cdn.admin-nets.local:35357/v2.0", "region": "RegionOne", "internalURL": " http: //cdn.admin-nets.local:5000/v2.0 ", "publicURL": " http: //cdn.admin-nets.local:5000/v2.0 " } ], "type": “identity", "name": “keystone" } ] } Sample Service Catalog
  • 7. Identity API ● Identity API is a standard, it now has v2 and v3 ● Anyone could implement the Identity API, Keystone is one example ● There is no Keystone V2 or Keystone V3 or a way to upgrade from one to the other! Identity API v2 ● Public API ○ Port 5000 (http://localhost:5000/v2.0) ○ Get tokens, List tenants, very limited ● Admin API, most other Keystone operations, they are admin only ○ (http://localhost:35357/v2.0) Identity API v3 ● Full support for Identity API v2 ● Renamed “tenants” to “projects” ● Token IDs are not in the URL for security, they are in X-Subject-Token header Keystone ● Both “admin” 35357 and “public” 5000 ports ● Protected by RBAC (policy.json) ● Grizzly supports Identity API V3.0, Havana has V3.1, IceHouse is V3.2 Identity API v2 vs Identity API v3 vs Keystone
  • 8. ● Users exist in a backend (SQL/LDAP/Other). ● AuthN: The user authenticates by providing user id and password. ● AuthZ: The user should have a role on a project. ● Keystone returns a token with that is scoped to the role and project. ● The user will pass this token around to the other OpenStack services. Keystone Classic AuthN/AuthZ flow Nova Swift Keystone Auth Plugins: https://github.com/openstack/keystone/tree/master/keystone/auth/plugins Auth Controller: https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py
  • 9. ● UUID ○ Looks like a 32 character string: 468da447bd1c4821bbc5def0498fd441 ○ Pros: ✓ Better user experience ✓ No problem with token length ○ Cons: ✓ Goes back to Keystone server for validation ○ How the Provider creates an ID: Token Formats Common Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py UUID Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/uuid.py Token Model: https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py
  • 10. ● PKI ○ Looks like: MIIDsAYJKoZIhvcNAQcCoIIDoTCCA50CAQExCTAHBgUrDgMCGjCCAokGCSqGSIb3DQEHAaCCAnoEggJ2ew0KICAgICJhY2Q ogICAgICAgI...EBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChM 7r0iosFscpnfCuc8jGMobyfApz/dZqJnsk4lt1ahlNTpXQeVFxNK/ydKL+tzEjg ○ Pros: ✓ Does not go back to Keystone for validation ○ Cons: ✓ Complex to setup ✓ Several problems with length - had caused issues with swift and horizon ○ How the Provider creates an ID: Token Formats Common Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py PKI Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/pki.py Token Model: https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py
  • 11. ● PKIz ○ Compressed version of PKI ○ Looks similar to PKI, but slightly shorter ○ How the Provider creates an ID: Token Formats Common Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py PKIz Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/pkiz.py Token Model: https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py
  • 12. ● KLWT (Keystone Lightweight Token) ○ New in Kilo!! The code isn’t even merged yet, but it should be by feature freeze. ○ Doesn’t actually store tokens in any database! ○ The token consists of a bunch of data that is signed and hashed: Data is: (user_id, scope_id, issued_at, *expires_at*, audit_ids) ○ Token Format prefix: KLWT00 for regular token, KLWT01 for trusts, etc. ○ Keystone middleware must be updated to provide the ability to decrypt the token To be implemented Token Formats Common Provider: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py Token Model: https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py
  • 13. ● /v3/auth/tokens ○ POST – authenticate to get a token ○ GET – validate a token ○ HEAD – validate a token (no data) ○ DELETE – invalidate a token Request endpoint and HTTP method: POST http://localhost:5000/v3/auth/tokens Request body: { "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "admin", "domain": { "id": "default" }, "password": "adminpassword" } } }, "scope": { "project": { "name": "demo", "domain": { "id": "default" } } } } } Token APIs and Request << Methods describes the authentication plugin that is being used. Aside from password, other valid options are `token`, `external`, and a few other experimental ones. << Scope describes the what the user wants the returned token to be valid on. Scopes can be a project or domain. Scope can be one of the following: 1) Project ID 2) Domain ID 3) Project Name + Domain ID 4) Project Name + Domain Name
  • 14. { "token": { "methods": [ "password" ], "roles": [{ "id": "c703057be878458588961ce9a0ce686b", "name": "admin"} ], "expires_at": "2014-06-10T2:55:16.806001Z", "project": { "domain": { "id": "default", "name": "Default" }, "id": "8538a3f13f9541b28c2620eb19065e45", "name": "admin" }, "catalog": [ { "endpoints": [{ "url": "http://localhost:5000/v2.0", "region": "RegionOne", "interface": "public", "id": "ef303187fc8d41668f25199c298396a5"} ], "type": "identity", "id": "bd73972c0e14fb69bae8ff76e112a90", "name": "keystone" } ], "user": { "domain": { "id": "default", "name": "Default" }, "id": "3ec3164f750146be97f21559ee4d9c51", "name": "admin" }, "issued_at": "201406-10T20:55:16.806027Z" } } Analyzing the token response Keystone returns the ID of the Token in the X-Subject-Token header, and the token content in the body. << Roles represents the roles that the user has on the resource. << Project represents the resource the user has a role on. From the scope in the request. << Catalog describes the different services a user may access, and their various endpoints. Services may be: compute, identity, image, orchestration, etc. << User represents the user that was issued the token.
  • 15. ● Users are managed by Keystone ● Settings for connecting to a database are handled in Keystone’s config file ● Essentially, Keystone is acting as an Identity Provider ● Pros: o Easy to setup o Easier management of users and groups ● Cons: o Keystone shouldn’t be an Identity Provider o Weak password support ✓ No password rotation ✓ No password recovery o Most enterprises have an LDAP they want to use o Yet another username and password users must remember Identity Backends - SQL SQL Backend: https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py
  • 16. ● Keystone accessing LDAP should be act just like any other application ● Keystone operations performed on LDAP ○ User/Group lookup (search) ○ Authentication of users (bind) ● What rights does Keystone need in LDAP? ○ Read access to user/group attributes defined in keystone.conf ○ Unprivileged account or anonymous is preferable ○ Access to password hashes is not needed Identity Backends - LDAP - Basics * awesome diagrams provided by nkinder LDAP Backend: https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py
  • 17. Configured Keystone to use our Internal LDAP, and I was able to authenticating with username stevemar@ca.ibm.com and my own intranet password. Listing users in a group: steve:keystone$ openstack user list --group openstackers +-----------+--------------------------------+ | ID | Name | +-----------+--------------------------------+ | 111111111 | user1111@us.ibm.com | | 222222222 | user2222@us.ibm.com | | 333333333 | user3333@us.ibm.com | | 123456789 | stevemar@ca.ibm.com | Listing groups a user belongs to: steve:keystone$ openstack group list --user 123456789 +-----------+--------------------------------+ | ID | Name | +-----------+--------------------------------+ | 444444444 | vpn-users | | 555555555 | openstackers | | 666666666 | softwaregroup_canada | *Slight changes made to names/emails/ids Identity Backends - LDAP - Example
  • 18. ● A common authentication protocol in use between the OpenStack projects. o Added to the paste pipeline of other projects Keystone Auth Token Middleware Middleware example config: http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#configuration Middleware __call__: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L783 Middleware validate: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L929
  • 19. ● KeystoneClient (python-keystoneclient) ○ Essentially two parts: a library, and a command line ○ The library supports V2 & V3 API Modules can be imported and used like any other python library. ○ KeystoneClient’s CLI supports only Identity V2 ● OpenStackClient (python-openstackclient) ○ Strictly a command line, supports Identity V2 and V3 ○ Leverages the libraries that KeystoneClient supports ○ Also supports Nova/Glance/Cinder/Swift/etc… ○ Community direction is to create a common CLI. Keystone Clients OpenStackClient: http://docs.openstack.org/developer/python-openstackclient/ KeystonClient vs OpenStackClient: https://github.com/openstack/keystone/blob/master/doc/source/cli_examples.rst
  • 22. ● Users ○ id, name, description, enabled, mail ○ Enabled attribute can be emulated via group membership ● Groups ○ id, name, description, member ○ id and name are both considered to be unique ● inetOrgPerson (User) example ○ dn: uid=someuser,cn=users,dc=example,dc=com ○ objectclass: inetorgperson ○ uid: someuser (<---- id, name) ○ cn: Some User ○ mail: someuser@example.com (<---- mail) ● Group example ○ dn: cn=Some Group,cn=users,dc=example,dc=com ○ objectclass: group ○ cn: Some User (<---- id, name) ○ description: Some Group (<---- description) ○ member: <user DN> (<---- member) Identity Backends - LDAP - Attributes LDAP Seach function: https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L916-L943
  • 23. ● Domains are a grouping of users, groups, and project ● Now able to configure more than one LDAP backend ● Configure one LDAP per domains ○ Set domain_specific_drivers_enabled = true ○ Domain specific partial config files are placed in: /etc/keystone/domains/keystone.<domain>.conf Identity Backends - LDAP - Enhancements * awesome diagrams provided by nkinder LDAP Mapping: https://github.com/openstack/keystone/blob/master/keystone/identity/mapping_backends/sql.py#L23-L25
  • 24. ● Keystone has generic federation capabilities, which allows for external users to be recognized ● Users are not persisted in Keystone, but are created on the fly from external user information provided by a trusted identity provider ● Use-cases ○ Existing internal IdP, Single Sign On ○ Inaccessible LDAP identity source ○ Non-LDAP identity source ● Currently support the following federation protocols: o SAML 2.0 o OpenID Connect Federation OS-FEDERATION API: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html
  • 25. ● Identity Provider (IdP) ○ Trusted provider of identity information ● Service Provider (SP) ○ Service that consumes identity information (Keystone) ● Assertion ○ Trusted representation of identity attributes issued by IdP for consumption by SP ● Using the SAML protocol an Assertion represents identity attributes, whereas the OpenID Connect protocol has Claims. Federation - Concepts * awesome diagrams provided by nkinder Docs for configuring federation: http://docs.openstack.org/developer/keystone/configure_federation.html
  • 26. ● Groups are created in Keystone's identity backend for the purpose of role assignment ○ Mapping establishes group membership ● Federation specific auth URL is used to obtain an unscoped token ○ Simply identifies user and groups ● Unscoped federation token is used to obtain a scoped token ○ Contains group assigned roles Federation * awesome diagrams provided by nkinder Mapping function: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L145-L230

Notas do Editor

  1. *
  2. *
  3. *
  4. *
  5. *
  6. *
  7. *
  8. *
  9. *
  10. *
  11. *
  12. *
  13. *
  14. *
  15. *
  16. *
  17. *
  18. *
  19. *
  20. *
  21. *
  22. *
  23. *
  24. *
  25. *
  26. *