Hacking Keystone
Victor Morales
@electrocucarach
Agenda
• Context
• What is keystone?
• History
• Demo
  – keystone-manage
  – keystone-all
  – Installation (operator perspective)
  – Installation (developer perspective)
Cloud computing is a specialized form of distributed computing that introduces utilization models for remotely provisioning scalable and measured IT resources.
Service Models
Deployment models
OpenStack is a cloud operating system that controls large pools of compute, storage, and networking resources throughout a data center, all managed through a dashboard …
Definition
Keystone is the identity service used by OpenStack for authentication (authN) and high-level authorization (authZ). It currently supports token-based authN and user-service authorization.
If you're interested in identity for OpenStack, we hold public meetings weekly on IRC in #openstack-meeting, on Tuesdays at 18:00 UTC.
Releases
• Essex
  – Supports S3 token validation and additional Swift storage features
• Folsom
  – PKI support for authentication
• Grizzly
  – New API (V3)
• Havana
  – General performance improvements
• Icehouse
  – The assignments backend has now been completely separated from the identity backend
• Juno
  – Multiple identity backends
  – LDAPs now available
  – Keystone-to-Keystone federation (experimental)
API (keystone client commands)
• catalog
• ec2-credentials
  – create
  – delete
  – get
  – list
• endpoint
  – create
  – delete
  – get
  – list
• password
  – update
• role
  – create
  – delete
  – get
  – list
• service
  – create
  – delete
  – get
  – list
• tenant
  – create
  – delete
  – get
  – list
• token
  – get
• user
  – create
  – delete
  – get
  – list
  – update
  – password-update
• user-role
  – add
  – list
  – remove
• discover
• bootstrap
• bash-completion
keystone-all
It starts both the service and administrative APIs in a single process to provide catalog, authorization, and authentication services for OpenStack.
--config-dir DIR
  Path to a config directory to pull *.conf files from
--config-file PATH
  Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence.
keystone-manage
It’s the command line tool which interacts with the Keystone service to initialize and update data within Keystone. Generally, keystone-manage is only used for operations that cannot be accomplished with the HTTP API, such as data import/export and database migrations.
Available commands:
• db_sync: Sync the database.
• db_version: Print the current migration version of the database.
• mapping_purge: Purge the identity mapping table.
• pki_setup: Initialize the certificates used to sign tokens.
• saml_idp_metadata: Generate identity provider metadata.
• ssl_setup: Generate certificates for SSL.
• token_flush: Purge expired tokens.
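Added example, not from the deck or the Keystone project: a stdlib-only Python mock of the v3 password authentication exchange that the definition slide calls token-based authN (POST /v3/auth/tokens, token id returned in the X-Subject-Token header), a client that checks the response before trusting it, and a token_flush() that purges expired tokens the way the keystone-manage command listed above does for a real token backend. The user store, the one-hour token lifetime, and all function names are constructed for this illustration.

```python
"""Mock Keystone v3 token issuance + client validation + expired-token purge.
Constructed example; not Keystone code."""
import json
import secrets
import threading
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed identity backend; Keystone would consult SQL or LDAP here.
USERS = {"demo": {"id": "u-demo", "password": "demo-pass"}}
# Constructed token backend: token id -> expiry (UTC).
ISSUED_TOKENS = {}
TOKEN_LIFETIME = timedelta(hours=1)  # assumed lifetime for this mock


class MockKeystoneV3(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def do_POST(self):
        if self.path != "/v3/auth/tokens":
            self.send_error(404)
            return
        try:
            length = int(self.headers.get("Content-Length", 0))
            body = json.loads(self.rfile.read(length))
            creds = body["auth"]["identity"]["password"]["user"]
            name, password = creds["name"], creds["password"]
            if not isinstance(name, str) or not isinstance(password, str):
                raise TypeError("credentials must be strings")
        except (ValueError, KeyError, TypeError):
            self.send_error(400, "malformed auth request")
            return
        user = USERS.get(name)
        # Constant-time compare; a real backend compares password hashes.
        if user is None or not secrets.compare_digest(user["password"], password):
            self.send_error(401, "The request you have made requires authentication.")
            return
        token_id = secrets.token_hex(16)
        expires = datetime.now(timezone.utc) + TOKEN_LIFETIME
        ISSUED_TOKENS[token_id] = expires
        payload = json.dumps({"token": {
            "methods": ["password"],
            "expires_at": expires.isoformat(),
            "user": {"id": user["id"], "name": name},
        }}).encode()
        self.send_response(201)
        self.send_header("X-Subject-Token", token_id)  # v3 carries the token id here
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def start_mock_keystone():
    server = HTTPServer(("127.0.0.1", 0), MockKeystoneV3)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


def get_token(auth_url, username, password):
    """v3 password auth. Returns (token_id, expires_at) or None on a 401."""
    body = json.dumps({"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {"name": username,
                              "domain": {"id": "default"},
                              "password": password}}}}}).encode()
    req = Request(auth_url + "/v3/auth/tokens", data=body, method="POST",
                  headers={"Content-Type": "application/json"})
    try:
        with urlopen(req) as resp:
            token_id = resp.headers.get("X-Subject-Token")
            data = json.loads(resp.read())
    except HTTPError as err:
        if err.code == 401:
            return None
        raise
    if not token_id:
        raise ValueError("response lacks X-Subject-Token")
    expires = datetime.fromisoformat(data["token"]["expires_at"])
    if expires <= datetime.now(timezone.utc):
        raise ValueError("token is already expired")
    return token_id, expires


def token_flush(hours_from_now=0):
    """Drop expired tokens from the store, as keystone-manage token_flush does
    for a real backend. hours_from_now simulates the clock moving forward."""
    now = datetime.now(timezone.utc) + timedelta(hours=hours_from_now)
    expired = [t for t, exp in ISSUED_TOKENS.items() if exp <= now]
    for t in expired:
        del ISSUED_TOKENS[t]
    return len(expired)


def demo():
    """One good and one bad login against the mock: (good_ok, bad_rejected)."""
    server, url = start_mock_keystone()
    try:
        good = get_token(url, "demo", "demo-pass")
        bad = get_token(url, "demo", "wrong-pass")
    finally:
        server.shutdown()
        server.server_close()
    return good is not None, bad is None


if __name__ == "__main__":
    print(demo(), "tokens in store:", len(ISSUED_TOKENS))
```

The client refuses a response without X-Subject-Token or with an already-passed expires_at, so a misconfigured or spoofed endpoint cannot hand it an unusable token silently; the server side keeps issued tokens in a store so that token_flush() has something to purge, which is why the command exists on the keystone-manage slide.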
Installation 1/2
• Operator perspective (Ubuntu):
# echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/icehouse main" >> /etc/apt/sources.list.d/icehouse.list
# apt-get update
# apt-get -y install ubuntu-cloud-keyring
# apt-get update
# apt-get -y install keystone
Configure /etc/keystone/keystone.conf
# keystone-manage db_sync
# service keystone restart
Installation 2/2
• Developer perspective :
$ sudo apt-get install -y git screen python-pip python-virtualenv python-dev libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev libffi-dev
$ git clone https://github.com/openstack/keystone.git
$ cd keystone
$ python tools/install_venv.py
$ mv etc/keystone.conf.sample etc/keystone.conf
Configure /etc/keystone/keystone.conf
$ tools/with_venv.sh bin/keystone-manage db_sync
$ screen -dmS "keystone_service" tools/with_venv.sh bin/keystone-all
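Added example, not from the deck or the Keystone project: the "Configure keystone.conf" step of both installation paths and the keystone-all note that values in later --config-file arguments take precedence, shown with Python's configparser (which reads a list of files with the same last-wins rule for plain key/value options; it is not oslo.config). The two config fragments are constructed; [DEFAULT] admin_token and [database] connection are real Keystone option names, the REPLACE_ME values are placeholders, and the file is written mode 0600 because it holds the bootstrap admin token and the database credential.

```python
"""Write a minimal keystone.conf privately, then load a base file plus an
override in keystone-all order. Constructed example, not Keystone code."""
import configparser
import os
import stat
import tempfile

BASE_CONF = """[DEFAULT]
admin_token = REPLACE_ME_BOOTSTRAP_TOKEN
[database]
connection = sqlite:///keystone.db
"""
# Constructed override, as an operator might pass in a second --config-file.
OVERRIDE_CONF = """[database]
connection = mysql://keystone:REPLACE_ME@db.example.internal/keystone
"""


def write_private(path, text):
    """Create the file owner-read/write only; it contains credentials."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # enforce even if the file pre-existed with wider mode


def world_readable(path):
    """True when group or others can read the file (a misconfiguration here)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def load_config(paths):
    """Parse files in order; a value in a later file overrides an earlier one."""
    cp = configparser.ConfigParser()
    read = cp.read(paths)
    missing = [p for p in paths if p not in read]
    if missing:
        raise FileNotFoundError("config files not readable: %s" % missing)
    return cp


def demo():
    """Returns the effective values plus whether the base file stayed private."""
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "keystone.conf")
        override = os.path.join(d, "keystone-db.conf")
        write_private(base, BASE_CONF)
        write_private(override, OVERRIDE_CONF)
        cfg = load_config([base, override])
        return {
            "connection": cfg["database"]["connection"],
            "admin_token": cfg["DEFAULT"]["admin_token"],
            "private": not world_readable(base),
        }


if __name__ == "__main__":
    print(demo())
```

The effective [database] connection comes from the later file while admin_token, set only in the base file, survives untouched; the same layering applies to keystone-all's --config-file arguments and to the *.conf files picked up from --config-dir.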