One Keystone to Rule Them All

One Keystone To Rule Them All

Priti DesaiOpenStack Evangelista



How to configure Keystone in multiple OpenStack clouds?

What are the Keystone core concepts?

How is Keystone architected in single OpenStack cloud?

What is our keystone architecture in multiple data centers?

What kind of challenges did we come across and how did we address them ?



ComputeImage

Horizon

Neutron

Barbican

Ceilometer

Designate

Swift

User Management



User

curl -s POST https://keystone.com/v3/users

{ "user": { "name": ”john_smith", "password": “password”, "domain_id": "1adafaf" }}


Domain &

Projects

curl -s POST https://keystone.com/v3/domains{ ”domain": { "name": ”domain-A” }}

curl -s POST https://keystone.com/v3/projects{ ”project": { "name": ”project-1”,

“domain”: “domain-A” }}


Roles

curl -s POST https://keystone.com/v3/roles

{ ”role": { "name": ”admin” }}


curl -s PUT https://keystone.com/v3/domains/domain-A/users/john_smith/roles/admin

curl -s PUT https://keystone.com/v3/projects/project-A/users/john_smith/roles/admin


Token

curl -s POST https://keystone.com/v3/auth/tokens{ "auth": { "identity": { "methods": [ "password" ], "password": { "user": { “domain”: { “name”: “domain-A” }, ”name": ”john_smith", "password": "secretsecret" } } } }}

Service Management



Service

curl -s POST https://keystone.com/v3/services

{ ”service": { ”type": ”identity” }}


Regions

curl -s POST https://keystone.com/v3/regions

{ ”region": { ”id": ”uswest” }}


Endpoints

curl -s POST https://keystone.com/v3/endpoints

{ "endpoint": { "interface": "[admin|public|internal]", "name": ”identity admin url", “region”: “uswest”, "url": ”https://keystone.com", "service_id": ”identity" }}

Keystone Architecture Overview



1 2 3

✔ ✔

✔

AuthN/AuthZ Workflow



1

Token Generation

2 3

4

Image

5

VM Creation

6

Token Verification

Token Verification


Now, we have Identity in US-WEST. Should we utilize the same Identity

service in US-EAST? What is Federated Identity and how does it work across two data centers?

Is it possible to deploy Global Identity Service?

Keystone To Keystone Federation




Keystone To Keystone Federation

• Pros– No new Identity

• Cons– Single Point of Failure– Lack of Uniform Workflow


Identity in US-EAST



Identity in US-EAST

• Pros– Highly Available

• Cons– Need Access to Identity (Users and Groups)– SQL Latency– Re-Authentication


Global Identity across

US-WEST & US-EAST



Global Identity

• Pros– Highly Available– Global authentication across US-WEST and US-EAST

• Cons– Token Size– Orchestration – Domain Specific Driver


Endpoint Grouping

• Dynamic Endpoint Attribute Filtering

• Endpoint Properties:– interface– service_id– region_id– Enabled


Endpoint Grouping – Regional Grouping

POST /OS-EP-FILTER/endpoint_groups{ "endpoint_group": { "description": "Creating a group for US-WEST endpoints", "filters": { "region_id": ”us-west" }, "name": "EP-GROUP-US-WEST" }}


Endpoint Grouping – Service Grouping

POST /OS-EP-FILTER/endpoint_groups{ "endpoint_group": { "description": "Creating a group for external service endpoints", "filters": { ”service_id": ”1510ad" }, "name": "EP-GROUP-SERVICE" }}


Endpoint Grouping – OpenStack ServicesPOST /OS-EP-FILTER/endpoint_groups{ "endpoint_group": { "description": "Creating a group for OpenStack services in US-WEST", "filters": { ”service_id": ”1510ad” #Keystone ”service_id": ”2110fc” #Nova ”service_id": ”4210da” #Glance “region_id”: “us-west” }, "name": "EP-GROUP-OpenStack" }}One Keystone To Rule Them All

Endpoint Grouping

• Pros– Significantly Reduces the Token Size

• Cons– Project Provisioning Workflow


Domain Specific Drivers - Juno


Restart Identity Service

Domain Specific Drivers - Kilo

PATCH $OS_URL/domains/$DOMAIN_ID/config -H "X-Auth-Token: $OS_TOKEN" -H "Content-type: application/json" -d’@domain.json'| jq .


Domain Specific Drivers – Kilo{ "config": { "identity": { "driver": "keystone.identity.backends.ldap.Identity" }, "ldap": { "url": "ldaps://symantec.com:636", "user_id_attribute": "uid", "user_tree_dn": “ou=Accounts,dc=openstack,dc=symantec,dc=com", "user_filter": "(memberOf=cn=DomainA,ou=OpenstackDomains,dc=openstack,dc=symantec,dc=com)”, "query_scope": "sub", … } }}One Keystone To Rule Them All


Keystone

Q&ALet’s talk…


Thank You

Priti [email protected]@pritidesai8

mailto:[email protected]

References• Introduction:

– http://www.titanui.com/wp-content/uploads/2014/12/26/Crayon-Drawing-Love-Heart-Vector.jpg

• Keystone Concepts:– http://icons.iconarchive.com/icons/icons-land/vista-people/256/Occupations-Bartender-Male-Light-

icon.png– https://d30y9cdsu7xlg0.cloudfront.net/png/106464-200. png– https://cdn3.iconfinder.com/data/icons/interaction-design/512/Token_2-256. png– http://www.pcmadness.com.au/images/repair_icon.jpg– http://www.iconshock.com/img_jpg/BETA/networking/jpg/256/ role_icon.jpg– https://www.websense.com/content/Assets/Images/master-database- globe.png

• Federated Keystone– https://www.openstack.org/assets/presentation-media/os-federation-final.pdf


http://icons.iconarchive.com/icons/icons-land/vista-people/256/Occupations-Bartender-Male-Light-icon.png






https://d30y9cdsu7xlg0.cloudfront.net/png/106464-200.png

https://d30y9cdsu7xlg0.cloudfront.net/png/106464-200.png

https://cdn3.iconfinder.com/data/icons/interaction-design/512/Token_2-256.png

https://cdn3.iconfinder.com/data/icons/interaction-design/512/Token_2-256.png

http://www.pcmadness.com.au/images/repair_icon.jpg

http://www.pcmadness.com.au/images/repair_icon.jpg

http://www.iconshock.com/img_jpg/BETA/networking/jpg/256/role_icon.jpg

http://www.iconshock.com/img_jpg/BETA/networking/jpg/256/role_icon.jpg

https://www.websense.com/content/Assets/Images/master-database-globe.png

https://www.websense.com/content/Assets/Images/master-database-globe.png

Engineering

One Keystone to Rule Them All