Openstack Keystone - Deep Dive
Indian OpenStack User Group - Meetup
Jaison Raju
Senior Technical Support Engineer
18/06/17
Agenda
● Introduction to Identity Service
● Openstack Keystone Concepts
● Configuration
● Demo 1
● Integration with IPA/ldap backend
● Demo 2
Introduction to Identity Service
Openstack Keystone Concepts
Keystone Concepts
Actor (User and groups)
Credentials
Token
Roles - Unique within domain
Project - Unique within domain
Domain
Service
Endpoints
Region
Catalog
Assignment
Policy
Services in keystone
Endpoint for each Service
Multi-Site deployment using Regions
Region1
Region2
Authentication & Authorization
Openstack Keystone Architecture
Configuration
Configuration file (keystone.conf)
/etc/keystone/keystone.conf
● [DEFAULT] - General configuration
● [assignment] - Assignment system driver configuration
● [auth] - Authentication plugin configuration
● [cache] - Caching layer configuration
● [catalog] - Service catalog driver configuration
● [credential] - Credential system driver configuration
● [domain_config] - Domain configuration
● [endpoint_filter] - Endpoint filtering configuration
● [endpoint_policy] - Endpoint policy configuration
● [federation] - Federation driver configuration
● [fernet_tokens] - Fernet token configuration
● [identity] - Identity system driver configuration
● [identity_mapping] - Identity mapping system driver configuration
● [ldap] - LDAP configuration options
Configuration file (keystone.conf)
/etc/keystone/keystone.conf
● [memcache] - Memcache configuration options
● [oauth1] - OAuth 1.0a system driver configuration
● [paste_deploy] - Pointer to the PasteDeploy configuration file
● [policy] - Policy system driver configuration for RBAC
● [resource] - Resource system driver configuration
● [revoke] - Revocation system driver configuration
● [role] - Role system driver configuration
● [saml] - SAML configuration options
● [security_compliance] - Security compliance configuration
● [shadow_users] - Shadow user configuration
● [signing] - Cryptographic signatures for PKI based tokens
● [token] - Token driver & token provider configuration
● [tokenless_auth] - Tokenless authentication configuration
● [trust] - Trust configuration
Demo 1
Demo1
● Prepare devstack environment
● Create
○ User
○ Project
○ Domain
○ Role
○ Group
● Test authentication
● Test authorization
Integration with IPA / ldap backend
LDAP Integration for Identity
● # setsebool -P authlogin_nsswitch_use_ldap on
● Configure keystone.conf for multiple backends:
● Define the destination LDAP server in the /etc/keystone/keystone.conf file:
[ldap]
url = ldaps://ipa.india-1.local
user = uid=svc-ldap,cn=users,cn=accounts,dc=india-1,dc=local
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=india-1,dc=local)
password = <RedactedComplexPassword>
user_tree_dn = cn=users,cn=accounts,dc=india-1,dc=local
user_objectclass = inetUser
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tls_cacertfile = /etc/ssl/certs/ca.crt
group_tree_dn = ou=Groups,dc=india-1,dc=local
group_objectclass = groupOfNames
[identity]
driver = keystone.identity.backends.ldap.Identity
[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
● Configure the LDAP server for that domain in /etc/keystone/domains/keystone.<domain>.conf
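As an added example (not part of the deck or of Keystone itself), a small Python audit of an [ldap] section like the one above, checking the settings that keep the backend read-only, keep the service-account bind under TLS, and limit visible users to the grp-openstack group. The sample config text is constructed from the slide's values; the rule set is this example's own assumption, not a Keystone API.

```python
"""Audit the [ldap] section of a keystone.conf / domain config for the
read-only, TLS-protected shape shown on the slide.

Example code, not from the deck. SAMPLE_CONF mirrors the slide's values
(password redacted as on the slide); WEAK_CONF is a constructed variant that
shows what the checks catch. audit_ldap_section() and its rules are assumptions
of this example."""
import configparser
import io
from typing import Dict, List

SAMPLE_CONF = """
[ldap]
url = ldaps://ipa.india-1.local
user = uid=svc-ldap,cn=users,cn=accounts,dc=india-1,dc=local
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=india-1,dc=local)
password = <RedactedComplexPassword>
user_tree_dn = cn=users,cn=accounts,dc=india-1,dc=local
user_objectclass = inetUser
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tls_cacertfile = /etc/ssl/certs/ca.crt
group_tree_dn = ou=Groups,dc=india-1,dc=local
group_objectclass = groupOfNames

[identity]
driver = ldap
"""

# Constructed weaker variant: plaintext ldap://, no CA file, write access
# enabled, default password attribute and no group filter.
WEAK_CONF = """
[ldap]
url = ldap://ipa.india-1.local
user = uid=svc-ldap,cn=users,cn=accounts,dc=india-1,dc=local
password = <RedactedComplexPassword>
user_tree_dn = cn=users,cn=accounts,dc=india-1,dc=local
user_allow_create = True
user_allow_update = True
user_allow_delete = False

[identity]
driver = ldap
"""


def load_ldap_section(text: str) -> Dict[str, str]:
    """Parse keystone.conf-style INI text and return the [ldap] options.
    Only '=' is a delimiter so DN values containing ':' or '=' stay intact;
    an empty value (user_pass_attribute =) is returned as ''."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_file(io.StringIO(text))
    if not parser.has_section("ldap"):
        raise ValueError("no [ldap] section found")
    return {key: value.strip() for key, value in parser.items("ldap")}


def audit_ldap_section(ldap: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the section matches the slide's
    read-only, TLS-only, group-filtered setup."""
    findings: List[str] = []
    # Without ldaps:// (or use_tls) the service-account bind password crosses the wire in clear.
    if not ldap.get("url", "").startswith("ldaps://") and ldap.get("use_tls", "false").lower() != "true":
        findings.append("url is not ldaps:// and use_tls is not enabled")
    # Without a trust anchor the directory's certificate cannot be verified.
    if not ldap.get("tls_cacertfile") and not ldap.get("tls_cacertdir"):
        findings.append("no tls_cacertfile or tls_cacertdir configured")
    # The slide keeps Keystone read-only against the directory; defaults are True.
    for opt in ("user_allow_create", "user_allow_update", "user_allow_delete"):
        if ldap.get(opt, "true").lower() != "false":
            findings.append(f"{opt} is not False")
    # Default is userPassword; the slide blanks it so Keystone never touches password attributes.
    if ldap.get("user_pass_attribute", "userPassword") != "":
        findings.append("user_pass_attribute is set")
    # Without user_filter every directory account becomes a Keystone user.
    if not ldap.get("user_filter"):
        findings.append("user_filter is empty")
    if not ldap.get("password"):
        findings.append("bind password is missing")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("weak", WEAK_CONF)):
        print(name, audit_ldap_section(load_ldap_section(text)) or "OK")
```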
Demo 2
Demo2
● Create the IPA container.
● Create the required users and groups.
● Configure keystone to use the ldap backend for identity in a specific domain.
● Test the environment.
docker run --privileged --net=bridge \
  -v /var/lib/ipa-data:/data/ipa1/ipa-data \
  -v /var/log:/data/ipa1/ipa-logs \
  -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
  -h ipa.india-1.local --tmpfs /run --tmpfs /tmp \
  -e IPA_SERVER_IP=172.17.0.1 \
  -p 172.17.0.1:53:53/udp -p 172.17.0.1:53:53 \
  -p 172.17.0.1:80:80 -p 172.17.0.1:443:443 \
  -p 172.17.0.1:389:389 -p 172.17.0.1:636:636 \
  -p 172.17.0.1:88:88 -p 172.17.0.1:464:464 \
  -p 172.17.0.1:88:88/udp -p 172.17.0.1:464:464/udp \
  -p 172.17.0.1:123:123/udp -p 172.17.0.1:7389:7389 \
  -p 172.17.0.1:9443:9443 -p 172.17.0.1:9444:9444 -p 172.17.0.1:9445:9445 \
  --name ipa-test -it ad085031fb10 \
  ipa-server-install --realm=india-1.local \
    --ds-password=redhat@123 --admin-password=redhat@321 \
    --setup-dns --no-forwarders --no-host-dns --auto-reverse \
    --allow-zone-overlap --no-dnssec-validation --debug -U
References
● Openstack developer page - https://docs.openstack.org/developer/keystone
● Openstack admin guide - https://docs.openstack.org/admin-guide/identity-management.html
● DevStack installation guide -
https://docs.openstack.org/developer/devstack/guides/single-machine.html
● DevStack configuration guide -
https://docs.openstack.org/developer/devstack/configuration.html
Getting involved
● IRC: Freenode@openstack-keystone
● Mailing list: openstack-dev@lists.openstack.org
● Keystone Project Page on Launchpad: https://launchpad.net/keystone
● Keystone Source Repository: https://git.openstack.org/cgit/openstack/keystone
THANK YOU
google.com/+jasonraju
https://www.linkedin.com/in/jaison-raju-8518a045/
youtube.com/user/RedHatVideos
@jsonr4
IRC jaison@Red hat, links@Freenode
jraju@redhat.com
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews