Slides from eBay's talk at the OpenStack Summit in Tokyo (Oct 2015) - see https://openstacksummitoctober2015tokyo.sched.org/event/19e95f52289777de81fe04db92f4a082#.VjGHXq4rISQ for details.
7. IAM without actually managing users
Global, available, secure
Semi-trusted cloud services (in the control plane)
Untrusted cloud users
8. Global Keystone in a Trusted Control Plane
Multi-factor authentication
API Keys
API Extensions
9. [Architecture diagram: several Keystone (ks) clusters, each behind its own LB VIP; DNS routing (affinity based) for the Keystone service; DNS routing (affinity based) for the DB, with a donor node; Galera based replication of select tables]
10. 10 new tokens/sec on average, peak at 100 tokens/sec
High write latencies (~400 msec)
Started with PKI, moved to PKIZ (60% reduction)
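The PKIZ reduction on slide 10 comes from one encoding step: the signed token is zlib-compressed, base64url-encoded and prefixed with "PKIZ_" before it is sent as a header. The block below is an added example, not eBay's or Keystone's code; it reimplements that step over a constructed JSON token body (a real PKI token carries a DER-encoded CMS signature over such a body, and the signing step is left out here), and the "PKI-style" encoding it compares against is a plain base64url of the same bytes, a simplification of the original PKI token format. The sample catalog and the pki_encode/pkiz_encode/size_reduction names are constructed.

```python
# Added example (not eBay's or Keystone's code): the PKIZ encoding step
# applied to a constructed stand-in token body, to measure the size saved.
import base64
import json
import zlib

PKIZ_PREFIX = "PKIZ_"


def sample_token_body():
    """Constructed stand-in for a signed token: a project-scoped token with a
    service catalog, the part that made PKI tokens large."""
    catalog = [
        {"type": svc, "name": svc,
         "endpoints": [
             {"region": region,
              "publicURL": f"https://{svc}.{region}.example.com/v2/proj-a",
              "internalURL": f"https://{svc}.{region}.internal/v2/proj-a"}
             for region in ("us-east", "us-west", "ap-tokyo")]}
        for svc in ("compute", "image", "network", "volume", "identity")]
    body = {"token": {"project": {"id": "proj-a"}, "roles": ["member"],
                      "catalog": catalog}}
    return json.dumps(body).encode()


def pki_encode(signed):
    """Uncompressed, PKI-style header encoding (base64url of the signed blob)."""
    return base64.urlsafe_b64encode(signed).decode()


def pkiz_encode(signed, level=6):
    """PKIZ: zlib-compress, base64url-encode, prefix so receivers can tell
    the two formats apart."""
    compressed = zlib.compress(signed, level)
    return PKIZ_PREFIX + base64.urlsafe_b64encode(compressed).decode()


def pkiz_decode(token):
    """Inverse of pkiz_encode; rejects anything without the PKIZ_ prefix."""
    if not token.startswith(PKIZ_PREFIX):
        raise ValueError("not a PKIZ token")
    raw = base64.urlsafe_b64decode(token[len(PKIZ_PREFIX):])
    return zlib.decompress(raw)


def size_reduction(signed):
    """Fraction of header bytes saved by PKIZ relative to the plain encoding."""
    pki_len, pkiz_len = len(pki_encode(signed)), len(pkiz_encode(signed))
    return 1 - pkiz_len / pki_len


if __name__ == "__main__":
    body = sample_token_body()
    print(f"PKI-style: {len(pki_encode(body))} bytes, "
          f"PKIZ: {len(pkiz_encode(body))} bytes, "
          f"saved {size_reduction(body):.0%}")
```

The saving depends on how repetitive the catalog is, which is why a multi-region deployment with many endpoints benefits most; the prefix check in pkiz_decode matters because a validator that accepted an unprefixed blob would decompress untrusted input before verifying anything.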
13. Two Factor Authentication
A per-VPC policy
VPC is a property of a project
All projects in a given VPC share the policy
Entirely dynamic and configuration driven
17. POST /api_key
X-Auth-Token: A valid auth token (header)
source_project_id: An optional source project (defaults to current)
expires-at: An optional expiry
role_ids: An optional subset of roles
group_ids: An optional subset of groups
ip_addresses: An optional subset of sources (default to the project's compute VPC)
18. Limited Authentication Boundary
Blocked if the caller source is not whitelisted
Blocked if used from a different VPC
Blocked if used from a different project
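Slides 17 and 18 together describe a key that can only ever be narrower than the token that minted it, and a validator that refuses it outside its source whitelist, VPC and project. The block below is an added example, not eBay's code: an in-memory model of both slides, with the project-to-VPC mapping (slide 13), the VPC CIDRs, the AuthToken/ApiKey shapes and all sample values constructed. One rule it adds that the slide does not state, marked in the code, is that a caller may only mint keys for the project its own token is scoped to.

```python
# Added example (not eBay's code): a minimal, in-memory model of the scoped
# API-key issuance on slide 17 and the authentication boundary on slide 18.
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data. A VPC is a property of a project (slide 13), and each
# VPC's compute network is the default source scope for an API key (slide 17).
PROJECT_VPC = {"proj-a": "vpc-1", "proj-b": "vpc-1", "proj-c": "vpc-2"}
VPC_CIDRS = {"vpc-1": ["10.1.0.0/16"], "vpc-2": ["10.2.0.0/16"]}


@dataclass(frozen=True)
class AuthToken:
    """What a valid X-Auth-Token resolves to (constructed shape)."""
    project_id: str
    roles: frozenset
    groups: frozenset


@dataclass(frozen=True)
class ApiKey:
    secret: str
    project_id: str
    vpc: str
    roles: frozenset
    groups: frozenset
    ip_networks: tuple            # whitelisted source networks
    expires_at: Optional[datetime]


API_KEYS = {}  # constructed in-memory store: secret -> ApiKey


def create_api_key(token, source_project_id=None, expires_at=None,
                   role_ids=None, group_ids=None, ip_addresses=None):
    """Model of POST /api_key. Every optional field may only narrow the scope
    of the token that mints the key, never widen it."""
    project = source_project_id or token.project_id
    # Assumption (not stated on the slide): keys are minted only for the
    # project the caller's token is scoped to.
    if project != token.project_id:
        raise PermissionError("token is not scoped to source_project_id")
    roles = frozenset(role_ids) if role_ids is not None else token.roles
    groups = frozenset(group_ids) if group_ids is not None else token.groups
    if not roles <= token.roles or not groups <= token.groups:
        raise ValueError("api key may not exceed the token's roles or groups")
    vpc = PROJECT_VPC[project]
    cidrs = ip_addresses if ip_addresses is not None else VPC_CIDRS[vpc]
    networks = tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)
    key = ApiKey(secrets.token_urlsafe(32), project, vpc, roles, groups,
                 networks, expires_at)
    API_KEYS[key.secret] = key
    return key


def vpc_for_ip(ip):
    """VPC that a source address belongs to, or None (constructed lookup)."""
    for vpc, cidrs in VPC_CIDRS.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return vpc
    return None


def authenticate(secret, source_ip, project_id, now=None):
    """Limited authentication boundary of slide 18. Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    key = API_KEYS.get(secret)
    if key is None:
        return False, "unknown key"
    if key.expires_at is not None and now >= key.expires_at:
        return False, "expired"
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in key.ip_networks):
        return False, "source not whitelisted"
    if vpc_for_ip(ip) != key.vpc:
        return False, "different VPC"
    if project_id != key.project_id:
        return False, "different project"
    return True, "ok"


def demo():
    """Exercise the boundary; returns the reason string for each case."""
    token = AuthToken("proj-a", frozenset({"member", "admin"}), frozenset({"g1"}))
    key = create_api_key(token, role_ids=["member"])            # narrowed roles
    past = datetime(2000, 1, 1, tzinfo=timezone.utc)
    expired = create_api_key(token, expires_at=past)
    broad = create_api_key(token, ip_addresses=["0.0.0.0/0"])  # wide whitelist
    return {
        "in_vpc": authenticate(key.secret, "10.1.4.7", "proj-a")[1],
        "other_vpc_ip": authenticate(key.secret, "10.2.4.7", "proj-a")[1],
        "other_project": authenticate(key.secret, "10.1.4.7", "proj-b")[1],
        "expired": authenticate(expired.secret, "10.1.4.7", "proj-a")[1],
        "broad_other_vpc": authenticate(broad.secret, "10.2.0.9", "proj-a")[1],
        "roles": sorted(key.roles),
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case}: {reason}")
```

The checks are ordered so that the cheapest, most common rejection (expired or unknown key) happens before any network lookup, and the VPC check is kept separate from the whitelist because an explicitly widened ip_addresses list (the broad key in demo) must still not let the key cross a VPC boundary.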