One Keystone To Rule Them All
Priti Desai, OpenStack Evangelista
How to configure Keystone in multiple OpenStack clouds?
What are the Keystone core concepts?
How is Keystone architected in single OpenStack cloud?
What is our keystone architecture in multiple data centers?
What kind of challenges did we come across and how did we address them?
Figure: OpenStack services that depend on Keystone: Compute, Image, Horizon, Neutron, Barbican, Ceilometer, Designate, Swift
User Management
User

curl -s -X POST https://keystone.com/v3/users -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" -d '
{ "user": { "name": "john_smith", "password": "secretsecret", "domain_id": "1adafaf" } }'
Domain & Projects

curl -s -X POST https://keystone.com/v3/domains -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" -d '
{ "domain": { "name": "domain-A" } }'

curl -s -X POST https://keystone.com/v3/projects -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" -d '
{ "project": { "name": "project-1", "domain_id": "<id of domain-A>" } }'

(The v3 API ties a project to its domain by domain_id, the id returned when the domain was created, not by the domain name.)
Roles

curl -s -X POST https://keystone.com/v3/roles -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" -d '
{ "role": { "name": "admin" } }'
curl -s -X PUT https://keystone.com/v3/domains/domain-A/users/john_smith/roles/admin -H "X-Auth-Token: $OS_TOKEN"
curl -s -X PUT https://keystone.com/v3/projects/project-1/users/john_smith/roles/admin -H "X-Auth-Token: $OS_TOKEN"

(Names are used in these paths for readability; the real API expects the domain, project, user and role IDs.)
Token

curl -s -X POST https://keystone.com/v3/auth/tokens -H "Content-Type: application/json" -d '
{ "auth": { "identity": { "methods": [ "password" ], "password": { "user": { "domain": { "name": "domain-A" }, "name": "john_smith", "password": "secretsecret" } } } } }'

The token is returned in the X-Subject-Token response header. Without an "auth.scope" block this is an unscoped token; add "scope": { "project": { ... } } or "scope": { "domain": { ... } } to get a project- or domain-scoped token that carries roles and a service catalog.
Service Management
Service

curl -s -X POST https://keystone.com/v3/services -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" -d '
{ "service": { "type": "identity" } }'
Regions

curl -s -X POST https://keystone.com/v3/regions -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" -d '
{ "region": { "id": "uswest" } }'
Endpoints

curl -s -X POST https://keystone.com/v3/endpoints -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" -d '
{ "endpoint": { "interface": "admin", "name": "identity admin url", "region": "uswest", "url": "https://keystone.com", "service_id": "<id of the identity service>" } }'

"interface" is one of public, internal or admin; one endpoint is registered per interface. "service_id" is the id returned when the service was created.
Keystone Architecture Overview
AuthN/AuthZ Workflow
Figure (workflow diagram, six numbered steps): 1 Token Generation; 2, 3 (unlabelled); 4 Image; 5 VM Creation; 6 Token Verification. Token Verification appears twice in the diagram, once per service that receives the token.
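The two ends of the workflow above, the client's token request (the Token slide) and the service-side token verification (steps 1 and 6 of the diagram), as an added example in Python. This is not code from the deck or from Keystone: the request bodies and headers follow the v3 API, but SAMPLE_VALIDATION is a constructed reply and the ids u-john, p-1 and r-admin are made up.

```python
"""Keystone v3 token generation and service-side verification.

Added example; not code from the deck.  The two halves of the workflow:
  1. the client builds the body for POST /v3/auth/tokens (the token itself
     comes back in the X-Subject-Token response header);
  2. a service (Nova, Glance) validates that token with
     GET /v3/auth/tokens, sending its own token as X-Auth-Token and the
     user's as X-Subject-Token, then checks expiry, scope and roles.
Nothing here contacts a real Keystone: SAMPLE_VALIDATION is a constructed
response shaped like the v3 API's GET /v3/auth/tokens reply, and the IDs
(u-john, p-1, r-admin) are made up.
"""
from datetime import datetime, timedelta, timezone

KEYSTONE = "https://keystone.com"  # placeholder host used throughout the deck


def password_auth_body(user, password, user_domain, scope=None):
    """Body for POST /v3/auth/tokens.

    scope: None for an unscoped token, {"domain": "domain-A"} for a
    domain-scoped one, or {"project": "project-1", "domain": "domain-A"}.
    Names are used for readability; the API also accepts "id" in place of
    "name" everywhere.
    """
    body = {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {
            "name": user,
            "password": password,
            "domain": {"name": user_domain},
        }},
    }}}
    if scope and "project" in scope:
        body["auth"]["scope"] = {"project": {
            "name": scope["project"], "domain": {"name": scope["domain"]}}}
    elif scope and "domain" in scope:
        body["auth"]["scope"] = {"domain": {"name": scope["domain"]}}
    return body


def validation_request(service_token, subject_token):
    """Method, URL and headers a service uses to validate a user's token."""
    return {"method": "GET", "url": KEYSTONE + "/v3/auth/tokens",
            "headers": {"X-Auth-Token": service_token,
                        "X-Subject-Token": subject_token}}


def authorize(token_response, *, project_id, required_role, now=None):
    """Decide from a validation response whether the token may act on project_id.

    Returns (allowed, reason).  The three checks a service must not skip: the
    token is unexpired, it is scoped to the project being acted on, and the
    roles granted in that scope include the one policy demands.
    """
    now = now or datetime.now(timezone.utc)
    tok = token_response["token"]
    expires = datetime.fromisoformat(tok["expires_at"].replace("Z", "+00:00"))
    if expires <= now:
        return False, "token expired"
    project = tok.get("project")
    if project is None:
        return False, "token is not project-scoped"
    if project["id"] != project_id:
        return False, "token scoped to a different project"
    roles = {r["name"] for r in tok.get("roles", [])}
    if required_role not in roles:
        return False, "missing role %r" % required_role
    return True, "ok"


# Constructed sample of Keystone's reply for a project-scoped token.
SAMPLE_VALIDATION = {"token": {
    "methods": ["password"],
    "issued_at": "2015-06-01T12:00:00.000000Z",
    "expires_at": "2015-06-01T13:00:00.000000Z",
    "user": {"id": "u-john", "name": "john_smith",
             "domain": {"id": "1adafaf", "name": "domain-A"}},
    "project": {"id": "p-1", "name": "project-1",
                "domain": {"id": "1adafaf", "name": "domain-A"}},
    "roles": [{"id": "r-admin", "name": "admin"}],
    "catalog": [],
}}
SAMPLE_NOW = datetime(2015, 6, 1, 12, 30, tzinfo=timezone.utc)   # inside lifetime
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=1)                  # past expires_at

if __name__ == "__main__":
    import json
    print(json.dumps(password_auth_body(
        "john_smith", "secretsecret", "domain-A",
        {"project": "project-1", "domain": "domain-A"}), indent=2))
    print(validation_request("<nova service token>", "<john's token>"))
    for when in (SAMPLE_NOW, SAMPLE_LATER):
        print(when, authorize(SAMPLE_VALIDATION, project_id="p-1",
                              required_role="admin", now=when))
```

The service's own token in X-Auth-Token is what authorizes the validation call; the catalog returned with a project-scoped token is also where the endpoint-filtering trade-off discussed later on this page shows up, since every endpoint in the catalog is carried in the token.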
Now we have Identity in US-WEST. Should we utilize the same Identity service in US-EAST? What is Federated Identity and how does it work across two data centers?
Is it possible to deploy Global Identity Service?
Keystone To Keystone Federation
Keystone To Keystone Federation
• Pros
– No new Identity
• Cons
– Single Point of Failure
– Lack of Uniform Workflow
Identity in US-EAST
Identity in US-EAST
• Pros
– Highly Available
• Cons
– Need Access to Identity (Users and Groups)
– SQL Latency
– Re-Authentication
Global Identity across US-WEST & US-EAST

Global Identity
• Pros
– Highly Available
– Global authentication across US-WEST and US-EAST
• Cons
– Token Size
– Orchestration
– Domain Specific Driver
Endpoint Grouping
• Dynamic Endpoint Attribute Filtering
• Endpoint Properties:
– interface
– service_id
– region_id
– enabled
Endpoint Grouping – Regional Grouping

POST /OS-EP-FILTER/endpoint_groups
{ "endpoint_group": { "description": "Creating a group for US-WEST endpoints", "filters": { "region_id": "us-west" }, "name": "EP-GROUP-US-WEST" } }
Endpoint Grouping – Service Grouping

POST /OS-EP-FILTER/endpoint_groups
{ "endpoint_group": { "description": "Creating a group for external service endpoints", "filters": { "service_id": "1510ad" }, "name": "EP-GROUP-SERVICE" } }
Endpoint Grouping – OpenStack Services

POST /OS-EP-FILTER/endpoint_groups
{ "endpoint_group": { "description": "Creating a group for OpenStack services in US-WEST", "filters": { "service_id": "1510ad", "service_id": "2110fc", "service_id": "4210da", "region_id": "us-west" }, "name": "EP-GROUP-OpenStack" } }
(1510ad = Keystone, 2110fc = Nova, 4210da = Glance)

Caveat: "filters" is a plain JSON object, so it cannot carry three "service_id" keys; a JSON parser keeps only the last one and the group silently becomes a Glance-only, us-west-only filter. To cover the three services, create one endpoint group per service_id (each also filtered on region_id us-west) and associate each group with the project; the project's catalog is the union of the groups it is associated with.
Endpoint Grouping
• Pros
– Significantly Reduces the Token Size
• Cons
– Project Provisioning Workflow
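How the endpoint-group filters above shape the catalog that ends up in a project-scoped token, as an added example in Python (not code from the deck or from Keystone). It reproduces the attribute matching over a constructed catalog, so the token-size effect can be measured, and shows what happens to the three-service filter block from the OpenStack Services slide when it is parsed as JSON. The service ids 1510ad, 2110fc and 4210da are the deck's; the fourth service, the endpoint ids and all URLs are constructed.

```python
"""Catalog filtering with OS-EP-FILTER endpoint groups.

Added example; not the deck's code.  In a project-scoped token Keystone
includes the endpoints that match any endpoint group associated with the
project (plus endpoints associated with it directly).  A group's "filters"
object names attribute values (interface, service_id, region_id, enabled)
that an endpoint must match in full.  This script reproduces that matching
over a constructed catalog to show the size effect, and shows why the
three-service group on the slide does not do what it looks like.
Service IDs 1510ad/2110fc/4210da are the deck's; the fourth service and all
URLs are constructed.
"""
import json

SERVICES = {"1510ad": "identity", "2110fc": "compute",
            "4210da": "image", "9a00ff": "object-store"}
FILTER_KEYS = ("interface", "service_id", "region_id", "enabled")


def build_endpoints():
    """Constructed catalog: four services x two regions x two interfaces."""
    eps = []
    for sid, stype in SERVICES.items():
        for region in ("us-west", "us-east"):
            for iface in ("public", "internal"):
                eps.append({"id": "e%02d" % len(eps), "service_id": sid,
                            "region_id": region, "interface": iface,
                            "enabled": True,
                            "url": "https://%s.%s.example.com" % (stype, region)})
    return eps


ENDPOINTS = build_endpoints()


def unsupported_filter_keys(filters):
    """Filter attributes OS-EP-FILTER does not know about."""
    return sorted(set(filters) - set(FILTER_KEYS))


def endpoint_matches(endpoint, filters):
    """True when every filter attribute equals the endpoint's value."""
    bad = unsupported_filter_keys(filters)
    if bad:
        raise ValueError("unsupported filter keys: %s" % bad)
    return all(endpoint.get(k) == v for k, v in filters.items())


def filtered_catalog(endpoints, groups):
    """Endpoints a project sees when associated with `groups` (union)."""
    return [e for e in endpoints
            if any(endpoint_matches(e, g["filters"]) for g in groups)]


def token_catalog(endpoints):
    """Render endpoints in the shape of a v3 token's "catalog" list."""
    by_service = {}
    for e in endpoints:
        entry = by_service.setdefault(e["service_id"], {
            "id": e["service_id"], "type": SERVICES[e["service_id"]],
            "endpoints": []})
        entry["endpoints"].append({"id": e["id"], "interface": e["interface"],
                                   "region_id": e["region_id"], "url": e["url"]})
    return list(by_service.values())


def catalog_bytes(endpoints):
    """Serialized size of the catalog, the part of the token that grows."""
    return len(json.dumps(token_catalog(endpoints), separators=(",", ":")))


# Groups from the slides.
EP_GROUP_US_WEST = {"name": "EP-GROUP-US-WEST",
                    "filters": {"region_id": "us-west"}}
# One group per service_id replaces the slide's single three-service group.
EP_GROUPS_OPENSTACK = [
    {"name": "EP-GROUP-%s" % SERVICES[sid].upper(),
     "filters": {"service_id": sid, "region_id": "us-west"}}
    for sid in ("1510ad", "2110fc", "4210da")]

# The slide's filters block as JSON text, with "service_id" repeated.
SLIDE_FILTERS_JSON = ('{"service_id": "1510ad", "service_id": "2110fc", '
                      '"service_id": "4210da", "region_id": "us-west"}')


def parsed_slide_filters():
    """A JSON parser keeps the last duplicate key, so the slide's filter
    silently becomes a Glance-only filter."""
    return json.loads(SLIDE_FILTERS_JSON)


if __name__ == "__main__":
    print("full catalog        :", catalog_bytes(ENDPOINTS), "bytes")
    print("EP-GROUP-US-WEST    :",
          catalog_bytes(filtered_catalog(ENDPOINTS, [EP_GROUP_US_WEST])), "bytes")
    print("3 services, us-west :",
          catalog_bytes(filtered_catalog(ENDPOINTS, EP_GROUPS_OPENSTACK)), "bytes")
    print("slide filter parses as:", parsed_slide_filters())
```

The union semantics in filtered_catalog is what makes one-group-per-service equivalent to the intended three-service group, and it is also the reason the provisioning workflow gets heavier: every new project must be associated with each group it needs, or it gets an empty catalog.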
Domain Specific Drivers - Juno

In Juno the per-domain driver settings live in configuration files on the Keystone host, and any change requires a restart of the Identity service.
Domain Specific Drivers - Kilo

Kilo adds an API for per-domain configuration, so a domain's driver can be changed without restarting Keystone ($OS_URL points at the v3 base URL):

curl -s -X PATCH $OS_URL/domains/$DOMAIN_ID/config -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" -d '@domain.json' | jq .
Domain Specific Drivers – Kilo (domain.json)

{ "config": { "identity": { "driver": "keystone.identity.backends.ldap.Identity" }, "ldap": { "url": "ldaps://symantec.com:636", "user_id_attribute": "uid", "user_tree_dn": "ou=Accounts,dc=openstack,dc=symantec,dc=com", "user_filter": "(memberOf=cn=DomainA,ou=OpenstackDomains,dc=openstack,dc=symantec,dc=com)", "query_scope": "sub", … } } }
Q&A: Let's talk…