SlideShare une entreprise Scribd logo

Openstack Keystone Deep Dive & Coming Attractions

Kamesh Pemmaraju
Kamesh Pemmaraju

The document summarizes a presentation about the Keystone identity management service in Openstack. The presentation covered an overview of Keystone, its code layout and domain model, how it uses tokens for authentication and authorization, supported backends for persistence, and upcoming features like API version 3 and expanded support for domains, policies, and PKI signed tokens. The presentation concluded with links to more information on Keystone and its roadmap.

Technologie
1  sur  29
Télécharger pour lire hors ligne
Openstack Keystone: Deep Dive & Coming Attractions Adam Young Senior Software Engineer, Cloud Red Hat July 24th, 2012 1 Presenter: Adam Young
Agenda ● Overview ● Code Layout ● Tokens ● Folsom Blueprints 2 Presenter: Adam Young
Openstack Overview 3 Presenter: Adam Young
Keystone: Identity Management Server 4 Presenter: Adam Young
Keystone Domain Model 5 Presenter: Adam Young
Code Layout 6 Presenter: Adam Young
WSGI Mapping 7 Presenter: Adam Young
Contrib ● Authorization Mechanism ● EC2 -> Token ● S3 -> Token ● Swift ● CRUD ● Admin ● Services ● Endpoints ● Roles ● User: ● Change Password 8 Presenter: Adam Young
Persistence Backends ● KVS: Key Value Store ● In Memory ● Memcached ● SQL ● SQLite and MySQL ● PostGRES WIP ● LDAP ● Identity only ● Start for Active Directory 9 Presenter: Adam Young
Tokens ● UUID ● Stored in DB ● Verified Online ● Shared Secret 10 Presenter: Adam Young
Token: Request 11 Presenter: Adam Young
Token: Authenticated 12 Presenter: Adam Young
Token:Request for Service 13 Presenter: Adam Young
Token: Verification 14 Presenter: Adam Young
Token:Verified 15 Presenter: Adam Young
Token: Response from Service 16 Presenter: Adam Young
Auth Token Middleware 17 Presenter: Adam Young
EC2 Token Middleware 18 Presenter: Adam Young
Tokens: Pros and Cons ● Pros ● Instantly Revocable ● Small (ish) ● Cons ● Needs network to verify ● Keystone becomes chokepoint ● Is UUID Random Chattiest Part of Openstack 19 Presenter: Adam Young
Folsom Blueprints 20 Presenter: Adam Young
Keystone API V3 ● Emphasize URLS: fully Qualified Resource Location ● Rename Tenants back to Projects ● Clear associations between projects, users and credentials ● Policy implementation specific API ● Many Aspects Deferred ● Priority for Grizzly 21 Presenter: Adam Young
PKIS Signed Tokens: Implementation ● Cryptographically Signed Text ● Crypto Message Syntax (SMIME) ● Contents of “Verify” ● Signed with Keystone Private Key ● Verified using ● OpenSSL ● Public Certificate ● Can also be verified using HTTP 22 Presenter: Adam Young
PKI Signed Tokens: Crypto Commands ● Sign openssl cms -sign -in auth_token.json -nosmimecap -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts -noattr -out auth_token.signed ● Verify openssl cms -verify -in auth_token.signed -certfile cert.pem -out signedtext.txt -CAfile cacert.pem -inform DER 23 Presenter: Adam Young
Token: Online Verification 24 Presenter: Adam Young
Token: Offline Verification 25 Presenter: Adam Young
Domains: ● ayoung@stoughton Vs ayoung@canton ● Currently One implicit domain ● Grant access from one domain to a ten^H^H^H project in another domain ● Finer grained administration ● True Multiple Tenancy 26 Presenter: Adam Young
Policy/Role Based Access Control ● Replace “isAdmin” ● Currently in Nova ● Belongs in Keystone ● Register for service: ● Roles ● Capabilities ● Multiple Tenants and Roles ● Policy is in Keystone ● Enforcement is on the shoulders of Glance, Nova etc 27 Presenter: Adam Young
Links http://keystone.openstack.org/ https://blueprints.launchpad.net/keystone/ https://docs.google.com/document/d/1VP-bTBbwsn6q- rDzuS9CEKb2ubE1VjbWRFd4BkkjoOY/edit 28 Presenter: Adam Young
Image Attrbibutions ● http://www.flickr.com/photos/jronaldlee/5216040554/lightbox/ ● http://th07.deviantart.net/fs70/PRE/i/2010/098/7/2/Robot_Blueprints_01_by_jordanoth.jpg ● http://followinglesley.files.wordpress.com/2011/03/fake-ttc-tokens.jpg ● http://commons.wikimedia.org/wiki/File:Scroll_Bridge_Keystone_-_geograph.org.uk_-_1299995.jpg ● http://commons.wikimedia.org/wiki/File:Keystone_Grange_of_Barry_bridge_-_geograph.org.uk_-_395082.jpg ● http://xkcd.com/378/ ● http://fc00.deviantart.net/fs51/f/2009/322/1/7/signed__sealed____by_kat013.jpg ● http://th01.deviantart.net/fs71/PRE/f/2012/090/2/a/alnwick_castle_by_newcastlemale-d4uie0a.jpg ● http://3.bp.blogspot.com/_V4w18ZWaPas/TN3LvAzfGEI/AAAAAAAAG_Y/YgnCvp9Na08/s1600/Fake-TTC-Tokens.jpg ● http://en.wikipedia.org/wiki/File:Doorman.JPG 29 Presenter: Adam Young

Recommandé

OpenStack Keystone
OpenStack KeystoneOpenStack Keystone
OpenStack KeystoneDeepti Ramakrishna
 
OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101Steve Martinelli
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1Jsonr4
 
OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014Victor Morales
 
Istio (service mesh) why and how
Istio (service mesh) why and howIstio (service mesh) why and how
Istio (service mesh) why and howMilan Das
 
Inside Architecture of Neutron
Inside Architecture of NeutronInside Architecture of Neutron
Inside Architecture of Neutronmarkmcclain
 
Keystone Federation
Keystone Federation Keystone Federation
Keystone Federation openstackindia
 

Recommandé

OpenStack Keystone
OpenStack KeystoneOpenStack Keystone
OpenStack KeystoneDeepti Ramakrishna
 
OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101Steve Martinelli
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1Jsonr4
 
OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014Victor Morales
 
Istio (service mesh) why and how
Istio (service mesh) why and howIstio (service mesh) why and how
Istio (service mesh) why and howMilan Das
 
Inside Architecture of Neutron
Inside Architecture of NeutronInside Architecture of Neutron
Inside Architecture of Neutronmarkmcclain
 
Keystone Federation
Keystone Federation Keystone Federation
Keystone Federation openstackindia
 
OpenStack Neutron Reverse Engineered
OpenStack Neutron Reverse EngineeredOpenStack Neutron Reverse Engineered
OpenStack Neutron Reverse Engineeredopenstackindia
 
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)Dries Elliott
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
Microservices with Node.js and Apache Cassandra
Microservices with Node.js and Apache CassandraMicroservices with Node.js and Apache Cassandra
Microservices with Node.js and Apache CassandraJorge Bay Gondra
 
Multi tenancy for docker
Multi tenancy for dockerMulti tenancy for docker
Multi tenancy for dockerAnanth Padmanabhan
 
OpenStack Introduction
OpenStack IntroductionOpenStack Introduction
OpenStack Introductionopenstackindia
 
Service Discovery In Kubernetes
Service Discovery In KubernetesService Discovery In Kubernetes
Service Discovery In KubernetesKnoldus Inc.
 
Openstack 101
Openstack 101Openstack 101
Openstack 101Kamesh Pemmaraju
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2Elana Krasner
 
WSO2 Enterprise Service Bus - Product Overview
WSO2 Enterprise Service Bus - Product OverviewWSO2 Enterprise Service Bus - Product Overview
WSO2 Enterprise Service Bus - Product OverviewWSO2
 
Introducing OpenStack for Beginners
Introducing OpenStack for Beginners Introducing OpenStack for Beginners
Introducing OpenStack for Beginners openstackindia
 
GWT Enterprise Edition
GWT Enterprise EditionGWT Enterprise Edition
GWT Enterprise EditionGilad Garon
 
Introduction to OpenStack : Barcamp Bangkhen 2016
Introduction to OpenStack : Barcamp Bangkhen 2016Introduction to OpenStack : Barcamp Bangkhen 2016
Introduction to OpenStack : Barcamp Bangkhen 2016Opsta
 
Docker+java
Docker+javaDocker+java
Docker+javaDPC Consulting Ltd
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flashEvan J Johnson (Not a CISSP)
 
OpenStack Glance
OpenStack GlanceOpenStack Glance
OpenStack Glanceopenstackstl
 
Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)Keith Tobin
 
Neutron VEB Plugin
Neutron VEB PluginNeutron VEB Plugin
Neutron VEB PluginBIM
 
Bridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack NetworkingBridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack Networkingmarkmcclain
 
Confluent Platform Security Components
Confluent Platform Security ComponentsConfluent Platform Security Components
Confluent Platform Security Componentsconfluent
 
openstack keystone
openstack keystoneopenstack keystone
openstack keystoneYong Luo
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 

Contenu connexe

Tendances

OpenStack Neutron Reverse Engineered
OpenStack Neutron Reverse EngineeredOpenStack Neutron Reverse Engineered
OpenStack Neutron Reverse Engineeredopenstackindia
 
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)Dries Elliott
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
Microservices with Node.js and Apache Cassandra
Microservices with Node.js and Apache CassandraMicroservices with Node.js and Apache Cassandra
Microservices with Node.js and Apache CassandraJorge Bay Gondra
 
OpenStack Introduction
OpenStack IntroductionOpenStack Introduction
OpenStack Introductionopenstackindia
 
Service Discovery In Kubernetes
Service Discovery In KubernetesService Discovery In Kubernetes
Service Discovery In KubernetesKnoldus Inc.
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2Elana Krasner
 
WSO2 Enterprise Service Bus - Product Overview
WSO2 Enterprise Service Bus - Product OverviewWSO2 Enterprise Service Bus - Product Overview
WSO2 Enterprise Service Bus - Product OverviewWSO2
 
Introducing OpenStack for Beginners
Introducing OpenStack for Beginners Introducing OpenStack for Beginners
Introducing OpenStack for Beginners openstackindia
 
GWT Enterprise Edition
GWT Enterprise EditionGWT Enterprise Edition
GWT Enterprise EditionGilad Garon
 
Introduction to OpenStack : Barcamp Bangkhen 2016
Introduction to OpenStack : Barcamp Bangkhen 2016Introduction to OpenStack : Barcamp Bangkhen 2016
Introduction to OpenStack : Barcamp Bangkhen 2016Opsta
 
Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)Keith Tobin
 
Neutron VEB Plugin
Neutron VEB PluginNeutron VEB Plugin
Neutron VEB PluginBIM
 
Bridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack NetworkingBridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack Networkingmarkmcclain
 
Confluent Platform Security Components
Confluent Platform Security ComponentsConfluent Platform Security Components
Confluent Platform Security Componentsconfluent
 

Tendances (20)

OpenStack Neutron Reverse Engineered
OpenStack Neutron Reverse EngineeredOpenStack Neutron Reverse Engineered
OpenStack Neutron Reverse Engineered
 
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Microservices with Node.js and Apache Cassandra
Microservices with Node.js and Apache CassandraMicroservices with Node.js and Apache Cassandra
Microservices with Node.js and Apache Cassandra
 
Multi tenancy for docker
Multi tenancy for dockerMulti tenancy for docker
Multi tenancy for docker
 
OpenStack Introduction
OpenStack IntroductionOpenStack Introduction
OpenStack Introduction
 
Service Discovery In Kubernetes
Service Discovery In KubernetesService Discovery In Kubernetes
Service Discovery In Kubernetes
 
Openstack 101
Openstack 101Openstack 101
Openstack 101
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2
 
WSO2 Enterprise Service Bus - Product Overview
WSO2 Enterprise Service Bus - Product OverviewWSO2 Enterprise Service Bus - Product Overview
WSO2 Enterprise Service Bus - Product Overview
 
Introducing OpenStack for Beginners
Introducing OpenStack for Beginners Introducing OpenStack for Beginners
Introducing OpenStack for Beginners
 
GWT Enterprise Edition
GWT Enterprise EditionGWT Enterprise Edition
GWT Enterprise Edition
 
Introduction to OpenStack : Barcamp Bangkhen 2016
Introduction to OpenStack : Barcamp Bangkhen 2016Introduction to OpenStack : Barcamp Bangkhen 2016
Introduction to OpenStack : Barcamp Bangkhen 2016
 
Docker+java
Docker+javaDocker+java
Docker+java
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flash
 
OpenStack Glance
OpenStack GlanceOpenStack Glance
OpenStack Glance
 
Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)Openstack architecture for the enterprise (Openstack Ireland Meet-up)
Openstack architecture for the enterprise (Openstack Ireland Meet-up)
 
Neutron VEB Plugin
Neutron VEB PluginNeutron VEB Plugin
Neutron VEB Plugin
 
Bridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack NetworkingBridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack Networking
 
Confluent Platform Security Components
Confluent Platform Security ComponentsConfluent Platform Security Components
Confluent Platform Security Components
 

En vedette

openstack keystone
openstack keystoneopenstack keystone
openstack keystoneYong Luo
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
Deep dive into highly available open stack architecture openstack summit va...
Deep dive into highly available open stack architecture openstack summit va...Deep dive into highly available open stack architecture openstack summit va...
Deep dive into highly available open stack architecture openstack summit va...Arthur Berezin
 
Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architectureToni Ramirez
 
OpenStack Architecture and Use Cases
OpenStack Architecture and Use CasesOpenStack Architecture and Use Cases
OpenStack Architecture and Use CasesJalal Mostafa
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 

En vedette (7)

openstack keystone
openstack keystoneopenstack keystone
openstack keystone
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
Deep dive into highly available open stack architecture openstack summit va...
Deep dive into highly available open stack architecture openstack summit va...Deep dive into highly available open stack architecture openstack summit va...
Deep dive into highly available open stack architecture openstack summit va...
 
Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architecture
 
OpenStack Architecture and Use Cases
OpenStack Architecture and Use CasesOpenStack Architecture and Use Cases
OpenStack Architecture and Use Cases
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 

Similaire à Openstack Keystone Deep Dive & Coming Attractions

Cloud Native Practice
Cloud Native PracticeCloud Native Practice
Cloud Native PracticePhilip Zheng
 
Scale out, with Kubernetes (k8s)
Scale out, with Kubernetes (k8s)Scale out, with Kubernetes (k8s)
Scale out, with Kubernetes (k8s)Arkadiusz Borek
 
AWS Lambda and Serverless framework: lessons learned while building a serverl...
AWS Lambda and Serverless framework: lessons learned while building a serverl...AWS Lambda and Serverless framework: lessons learned while building a serverl...
AWS Lambda and Serverless framework: lessons learned while building a serverl...Luciano Mammino
 
Chris Homer - Moving the entire stack to k8s within a year – lessons learned
Chris Homer - Moving the entire stack to k8s within a year – lessons learnedChris Homer - Moving the entire stack to k8s within a year – lessons learned
Chris Homer - Moving the entire stack to k8s within a year – lessons learnedDariia Seimova
 
Securing Prometheus. Lessons Learned from OpenShift.pdf
Securing Prometheus. Lessons Learned from OpenShift.pdfSecuring Prometheus. Lessons Learned from OpenShift.pdf
Securing Prometheus. Lessons Learned from OpenShift.pdfJesús Ángel Samitier
 
Docker. Does it matter for Java developer ?
Docker. Does it matter for Java developer ?Docker. Does it matter for Java developer ?
Docker. Does it matter for Java developer ?Izzet Mustafaiev
 
Cloud Native Java Development Patterns
Cloud Native Java Development PatternsCloud Native Java Development Patterns
Cloud Native Java Development PatternsBilgin Ibryam
 
Deltacloud Presentation - OSSConf 2010
Deltacloud Presentation - OSSConf 2010Deltacloud Presentation - OSSConf 2010
Deltacloud Presentation - OSSConf 2010Michal Fojtik
 
Secure software supply chain on a shoestring budget
Secure software supply chain on a shoestring budgetSecure software supply chain on a shoestring budget
Secure software supply chain on a shoestring budgetLars Albertsson
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Introduction to Kubernetes Security
Introduction to Kubernetes SecurityIntroduction to Kubernetes Security
Introduction to Kubernetes SecurityAll Things Open
 
From a monolith to microservices + REST: The evolution of LinkedIn's architec...
From a monolith to microservices + REST: The evolution of LinkedIn's architec...From a monolith to microservices + REST: The evolution of LinkedIn's architec...
From a monolith to microservices + REST: The evolution of LinkedIn's architec...Karan Parikh
 
Swarm: Native Docker Clustering
Swarm: Native Docker ClusteringSwarm: Native Docker Clustering
Swarm: Native Docker ClusteringRoyee Tager
 
Build Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfBuild Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfRussFustino
 
Processing TeraBytes of data every day and sleeping at night
Processing TeraBytes of data every day and sleeping at nightProcessing TeraBytes of data every day and sleeping at night
Processing TeraBytes of data every day and sleeping at nightLuciano Mammino
 
Observability in Java: Getting Started with OpenTelemetry
Observability in Java: Getting Started with OpenTelemetryObservability in Java: Getting Started with OpenTelemetry
Observability in Java: Getting Started with OpenTelemetryDevOps.com
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPNetskope
 
Exploiting IAM in GCP
Exploiting IAM in GCPExploiting IAM in GCP
Exploiting IAM in GCPColin Estep
 

Similaire à Openstack Keystone Deep Dive & Coming Attractions (20)

Cloud Native Practice
Cloud Native PracticeCloud Native Practice
Cloud Native Practice
 
Scale out, with Kubernetes (k8s)
Scale out, with Kubernetes (k8s)Scale out, with Kubernetes (k8s)
Scale out, with Kubernetes (k8s)
 
AWS Lambda and Serverless framework: lessons learned while building a serverl...
AWS Lambda and Serverless framework: lessons learned while building a serverl...AWS Lambda and Serverless framework: lessons learned while building a serverl...
AWS Lambda and Serverless framework: lessons learned while building a serverl...
 
Chris Homer - Moving the entire stack to k8s within a year – lessons learned
Chris Homer - Moving the entire stack to k8s within a year – lessons learnedChris Homer - Moving the entire stack to k8s within a year – lessons learned
Chris Homer - Moving the entire stack to k8s within a year – lessons learned
 
Securing Prometheus. Lessons Learned from OpenShift.pdf
Securing Prometheus. Lessons Learned from OpenShift.pdfSecuring Prometheus. Lessons Learned from OpenShift.pdf
Securing Prometheus. Lessons Learned from OpenShift.pdf
 
Docker. Does it matter for Java developer ?
Docker. Does it matter for Java developer ?Docker. Does it matter for Java developer ?
Docker. Does it matter for Java developer ?
 
Cloud Native Java Development Patterns
Cloud Native Java Development PatternsCloud Native Java Development Patterns
Cloud Native Java Development Patterns
 
Deltacloud Presentation - OSSConf 2010
Deltacloud Presentation - OSSConf 2010Deltacloud Presentation - OSSConf 2010
Deltacloud Presentation - OSSConf 2010
 
Secure software supply chain on a shoestring budget
Secure software supply chain on a shoestring budgetSecure software supply chain on a shoestring budget
Secure software supply chain on a shoestring budget
 
Using mikrotik with radius
Using mikrotik with radiusUsing mikrotik with radius
Using mikrotik with radius
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Introduction to Kubernetes Security
Introduction to Kubernetes SecurityIntroduction to Kubernetes Security
Introduction to Kubernetes Security
 
From a monolith to microservices + REST: The evolution of LinkedIn's architec...
From a monolith to microservices + REST: The evolution of LinkedIn's architec...From a monolith to microservices + REST: The evolution of LinkedIn's architec...
From a monolith to microservices + REST: The evolution of LinkedIn's architec...
 
Swarm: Native Docker Clustering
Swarm: Native Docker ClusteringSwarm: Native Docker Clustering
Swarm: Native Docker Clustering
 
Build Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfBuild Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdf
 
Processing TeraBytes of data every day and sleeping at night
Processing TeraBytes of data every day and sleeping at nightProcessing TeraBytes of data every day and sleeping at night
Processing TeraBytes of data every day and sleeping at night
 
Observability in Java: Getting Started with OpenTelemetry
Observability in Java: Getting Started with OpenTelemetryObservability in Java: Getting Started with OpenTelemetry
Observability in Java: Getting Started with OpenTelemetry
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCP
 
Exploiting IAM in GCP
Exploiting IAM in GCPExploiting IAM in GCP
Exploiting IAM in GCP
 

Plus de Kamesh Pemmaraju

OpenStack networking - Neutron deep dive with PLUMgrid
OpenStack networking - Neutron deep dive with PLUMgridOpenStack networking - Neutron deep dive with PLUMgrid
OpenStack networking - Neutron deep dive with PLUMgridKamesh Pemmaraju
 
Mirantis OpenStack and Cumulus Linux Webinar
Mirantis OpenStack and Cumulus Linux WebinarMirantis OpenStack and Cumulus Linux Webinar
Mirantis OpenStack and Cumulus Linux WebinarKamesh Pemmaraju
 
Designing OpenStack Architectures
Designing OpenStack ArchitecturesDesigning OpenStack Architectures
Designing OpenStack ArchitecturesKamesh Pemmaraju
 
Open stack icehouse microsoftupdate
Open stack icehouse microsoftupdateOpen stack icehouse microsoftupdate
Open stack icehouse microsoftupdateKamesh Pemmaraju
 
New Ceph capabilities and Reference Architectures
New Ceph capabilities and Reference ArchitecturesNew Ceph capabilities and Reference Architectures
New Ceph capabilities and Reference ArchitecturesKamesh Pemmaraju
 
OpenStack and Ceph case study at the University of Alabama
OpenStack and Ceph case study at the University of AlabamaOpenStack and Ceph case study at the University of Alabama
OpenStack and Ceph case study at the University of AlabamaKamesh Pemmaraju
 
High Availability for OpenStack
High Availability for OpenStackHigh Availability for OpenStack
High Availability for OpenStackKamesh Pemmaraju
 
Dell openstack cloud with inktank ceph – large scale customer deployment
Dell openstack cloud with inktank ceph – large scale customer deploymentDell openstack cloud with inktank ceph – large scale customer deployment
Dell openstack cloud with inktank ceph – large scale customer deploymentKamesh Pemmaraju
 
Whats new in neutron for open stack havana
Whats new in neutron for open stack havanaWhats new in neutron for open stack havana
Whats new in neutron for open stack havanaKamesh Pemmaraju
 
Postgres Plus Cloud Database on OpenStack
Postgres Plus Cloud Database on OpenStackPostgres Plus Cloud Database on OpenStack
Postgres Plus Cloud Database on OpenStackKamesh Pemmaraju
 
Massachusetts Open Cloud Initiative
Massachusetts Open Cloud InitiativeMassachusetts Open Cloud Initiative
Massachusetts Open Cloud InitiativeKamesh Pemmaraju
 
Dell SUSE Cloud Solution, Powered by OpenStack
Dell SUSE Cloud Solution, Powered by OpenStackDell SUSE Cloud Solution, Powered by OpenStack
Dell SUSE Cloud Solution, Powered by OpenStackKamesh Pemmaraju
 
Docker and OpenStack Boston Meetup
Docker and OpenStack Boston MeetupDocker and OpenStack Boston Meetup
Docker and OpenStack Boston MeetupKamesh Pemmaraju
 
Ceph and openstack at the boston meetup
Ceph and openstack at the boston meetupCeph and openstack at the boston meetup
Ceph and openstack at the boston meetupKamesh Pemmaraju
 
Solving Business Challenges with OpenStack
Solving Business Challenges with OpenStackSolving Business Challenges with OpenStack
Solving Business Challenges with OpenStackKamesh Pemmaraju
 
Software Defined Networking
Software Defined Networking Software Defined Networking
Software Defined Networking Kamesh Pemmaraju
 
Wicked Easy Ceph Block Storage & OpenStack Deployment with Crowbar
Wicked Easy Ceph Block Storage & OpenStack Deployment with CrowbarWicked Easy Ceph Block Storage & OpenStack Deployment with Crowbar
Wicked Easy Ceph Block Storage & OpenStack Deployment with CrowbarKamesh Pemmaraju
 

Plus de Kamesh Pemmaraju (20)

kamesh Videos
kamesh Videoskamesh Videos
kamesh Videos
 
OpenStack networking - Neutron deep dive with PLUMgrid
OpenStack networking - Neutron deep dive with PLUMgridOpenStack networking - Neutron deep dive with PLUMgrid
OpenStack networking - Neutron deep dive with PLUMgrid
 
Mirantis OpenStack and Cumulus Linux Webinar
Mirantis OpenStack and Cumulus Linux WebinarMirantis OpenStack and Cumulus Linux Webinar
Mirantis OpenStack and Cumulus Linux Webinar
 
Designing OpenStack Architectures
Designing OpenStack ArchitecturesDesigning OpenStack Architectures
Designing OpenStack Architectures
 
Open stack icehouse microsoftupdate
Open stack icehouse microsoftupdateOpen stack icehouse microsoftupdate
Open stack icehouse microsoftupdate
 
New Ceph capabilities and Reference Architectures
New Ceph capabilities and Reference ArchitecturesNew Ceph capabilities and Reference Architectures
New Ceph capabilities and Reference Architectures
 
OpenStack and Ceph case study at the University of Alabama
OpenStack and Ceph case study at the University of AlabamaOpenStack and Ceph case study at the University of Alabama
OpenStack and Ceph case study at the University of Alabama
 
High Availability for OpenStack
High Availability for OpenStackHigh Availability for OpenStack
High Availability for OpenStack
 
OpenStack 101 update
OpenStack 101 updateOpenStack 101 update
OpenStack 101 update
 
Dell openstack cloud with inktank ceph – large scale customer deployment
Dell openstack cloud with inktank ceph – large scale customer deploymentDell openstack cloud with inktank ceph – large scale customer deployment
Dell openstack cloud with inktank ceph – large scale customer deployment
 
Whats new in neutron for open stack havana
Whats new in neutron for open stack havanaWhats new in neutron for open stack havana
Whats new in neutron for open stack havana
 
Postgres Plus Cloud Database on OpenStack
Postgres Plus Cloud Database on OpenStackPostgres Plus Cloud Database on OpenStack
Postgres Plus Cloud Database on OpenStack
 
Massachusetts Open Cloud Initiative
Massachusetts Open Cloud InitiativeMassachusetts Open Cloud Initiative
Massachusetts Open Cloud Initiative
 
Dell SUSE Cloud Solution, Powered by OpenStack
Dell SUSE Cloud Solution, Powered by OpenStackDell SUSE Cloud Solution, Powered by OpenStack
Dell SUSE Cloud Solution, Powered by OpenStack
 
Docker and OpenStack Boston Meetup
Docker and OpenStack Boston MeetupDocker and OpenStack Boston Meetup
Docker and OpenStack Boston Meetup
 
Ceph and openstack at the boston meetup
Ceph and openstack at the boston meetupCeph and openstack at the boston meetup
Ceph and openstack at the boston meetup
 
Solving Business Challenges with OpenStack
Solving Business Challenges with OpenStackSolving Business Challenges with OpenStack
Solving Business Challenges with OpenStack
 
Software Defined Networking
Software Defined Networking Software Defined Networking
Software Defined Networking
 
Open stack qa and tempest
Open stack qa and tempestOpen stack qa and tempest
Open stack qa and tempest
 
Wicked Easy Ceph Block Storage & OpenStack Deployment with Crowbar
Wicked Easy Ceph Block Storage & OpenStack Deployment with CrowbarWicked Easy Ceph Block Storage & OpenStack Deployment with Crowbar
Wicked Easy Ceph Block Storage & OpenStack Deployment with Crowbar
 

Dernier

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

Openstack Keystone Deep Dive & Coming Attractions

  • 1. Openstack Keystone: Deep Dive & Coming Attractions Adam Young Senior Software Engineer, Cloud Red Hat July 24th, 2012 1 Presenter: Adam Young
  • 2. Agenda ● Overview ● Code Layout ● Tokens ● Folsom Blueprints 2 Presenter: Adam Young
  • 3. Openstack Overview 3 Presenter: Adam Young
  • 4. Keystone: Identity Management Server 4 Presenter: Adam Young
  • 5. Keystone Domain Model 5 Presenter: Adam Young
  • 6. Code Layout 6 Presenter: Adam Young
  • 7. WSGI Mapping 7 Presenter: Adam Young
  • 8. Contrib ● Authorization Mechanism ● EC2 -> Token ● S3 -> Token ● Swift ● CRUD ● Admin ● Services ● Endpoints ● Roles ● User: ● Change Password 8 Presenter: Adam Young
  • 9. Persistence Backends ● KVS: Key Value Store ● In Memory ● Memcached ● SQL ● SQLite and MySQL ● PostGRES WIP ● LDAP ● Identity only ● Start for Active Directory 9 Presenter: Adam Young
  • 10. Tokens ● UUID ● Stored in DB ● Verified Online ● Shared Secret 10 Presenter: Adam Young
  • 11. Token: Request 11 Presenter: Adam Young
  • 12. Token: Authenticated 12 Presenter: Adam Young
  • 13. Token:Request for Service 13 Presenter: Adam Young
  • 14. Token: Verification 14 Presenter: Adam Young
  • 15. Token:Verified 15 Presenter: Adam Young
  • 16. Token: Response from Service 16 Presenter: Adam Young
  • 17. Auth Token Middleware 17 Presenter: Adam Young
  • 18. EC2 Token Middleware 18 Presenter: Adam Young
  • 19. Tokens: Pros and Cons ● Pros ● Instantly Revocable ● Small (ish) ● Cons ● Needs network to verify ● Keystone becomes chokepoint ● Is UUID Random Chattiest Part of Openstack 19 Presenter: Adam Young
  • 20. Folsom Blueprints 20 Presenter: Adam Young
  • 21. Keystone API V3 ● Emphasize URLS: fully Qualified Resource Location ● Rename Tenants back to Projects ● Clear associations between projects, users and credentials ● Policy implementation specific API ● Many Aspects Deferred ● Priority for Grizzly 21 Presenter: Adam Young
  • 22. PKIS Signed Tokens: Implementation ● Cryptographically Signed Text ● Crypto Message Syntax (SMIME) ● Contents of “Verify” ● Signed with Keystone Private Key ● Verified using ● OpenSSL ● Public Certificate ● Can also be verified using HTTP 22 Presenter: Adam Young
  • 23. PKI Signed Tokens: Crypto Commands ● Sign openssl cms -sign -in auth_token.json -nosmimecap -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts -noattr -out auth_token.signed ● Verify openssl cms -verify -in auth_token.signed -certfile cert.pem -out signedtext.txt -CAfile cacert.pem -inform DER 23 Presenter: Adam Young
  • 24. Token: Online Verification 24 Presenter: Adam Young
  • 25. Token: Offline Verification 25 Presenter: Adam Young
  • 26. Domains: ● ayoung@stoughton Vs ayoung@canton ● Currently One implicit domain ● Grant access from one domain to a ten^H^H^H project in another domain ● Finer grained administration ● True Multiple Tenancy 26 Presenter: Adam Young
  • 27. Policy/Role Based Access Control ● Replace “isAdmin” ● Currently in Nova ● Belongs in Keystone ● Register for service: ● Roles ● Capabilities ● Multiple Tenants and Roles ● Policy is in Keystone ● Enforcement is on the shoulders of Glance, Nova etc 27 Presenter: Adam Young
  • 28. Links http://keystone.openstack.org/ https://blueprints.launchpad.net/keystone/ https://docs.google.com/document/d/1VP-bTBbwsn6q- rDzuS9CEKb2ubE1VjbWRFd4BkkjoOY/edit 28 Presenter: Adam Young
  • 29. Image Attrbibutions ● http://www.flickr.com/photos/jronaldlee/5216040554/lightbox/ ● http://th07.deviantart.net/fs70/PRE/i/2010/098/7/2/Robot_Blueprints_01_by_jordanoth.jpg ● http://followinglesley.files.wordpress.com/2011/03/fake-ttc-tokens.jpg ● http://commons.wikimedia.org/wiki/File:Scroll_Bridge_Keystone_-_geograph.org.uk_-_1299995.jpg ● http://commons.wikimedia.org/wiki/File:Keystone_Grange_of_Barry_bridge_-_geograph.org.uk_-_395082.jpg ● http://xkcd.com/378/ ● http://fc00.deviantart.net/fs51/f/2009/322/1/7/signed__sealed____by_kat013.jpg ● http://th01.deviantart.net/fs71/PRE/f/2012/090/2/a/alnwick_castle_by_newcastlemale-d4uie0a.jpg ● http://3.bp.blogspot.com/_V4w18ZWaPas/TN3LvAzfGEI/AAAAAAAAG_Y/YgnCvp9Na08/s1600/Fake-TTC-Tokens.jpg ● http://en.wikipedia.org/wiki/File:Doorman.JPG 29 Presenter: Adam Young