The document summarizes a presentation about Keystone, the identity management service in OpenStack. The presentation covered an overview of Keystone, its code layout and domain model, how it uses tokens for authentication and authorization, the backends it supports for persistence, and upcoming features such as API version 3 and expanded support for domains, policies, and PKI signed tokens. It concluded with links to more information on Keystone and its roadmap.
9. Persistence Backends
● KVS: Key Value Store
  ● In Memory
  ● Memcached
● SQL
  ● SQLite and MySQL
  ● PostgreSQL (WIP)
● LDAP
  ● Identity only
  ● Start for Active Directory
9 Presenter: Adam Young
10. Tokens
● UUID
● Stored in DB
● Verified Online
● Shared Secret
19. Tokens: Pros and Cons
● Pros
  ● Instantly revocable
  ● Small (ish)
● Cons
  ● Needs network to verify
  ● Keystone becomes chokepoint
  ● Is UUID random?
Chattiest part of OpenStack
21. Keystone API V3
● Emphasize URLs: Fully Qualified Resource Location
● Rename Tenants back to Projects
● Clear associations between projects, users and credentials
● Policy implementation specific API
● Many Aspects Deferred
● Priority for Grizzly
22. PKI Signed Tokens: Implementation
● Cryptographically signed text
● Cryptographic Message Syntax (CMS, the format behind S/MIME)
● Contents of “Verify”
● Signed with Keystone private key
● Verified using
  ● OpenSSL
  ● Public certificate
● Can also be verified using HTTP
23. PKI Signed Tokens: Crypto Commands
● Sign
  openssl cms -sign -in auth_token.json -nosmimecap \
      -signer cert.pem -inkey key.pem -outform DER \
      -nodetach -nocerts -noattr -out auth_token.signed
● Verify
  openssl cms -verify -in auth_token.signed -certfile cert.pem \
      -out signedtext.txt -CAfile cacert.pem -inform DER
26. Domains
● ayoung@stoughton vs ayoung@canton
● Currently one implicit domain
● Grant access from one domain to a ten^H^H^H project in another domain
● Finer grained administration
● True multi-tenancy
27. Policy/Role Based Access Control
● Replace “isAdmin”
  ● Currently in Nova
  ● Belongs in Keystone
● Register for service:
  ● Roles
  ● Capabilities
● Multiple tenants and roles
● Policy is in Keystone
● Enforcement is on the shoulders of Glance, Nova etc.