Traditionally, the focus has been on configuring and deploying Keystone in a single cloud / single data center. Enterprise clouds are generally spread across multiple data centers. What happens to the authentication and authorization platform across multiple data centers? How do users from one data center access resources in 10 other data centers?
At Symantec, we have solved many of these authentication and authorization issues across multiple data centers with a single Keystone deployment. We would like to share some of the challenges and focus on:
Architecture overview
Keystone backends
How does out-of-the-box Keystone address common use cases across multiple data centers?
Certain Keystone features and their deployment
Domain Specific Drivers
Multi Attribute Endpoint Grouping
One Keystone to Rule Them All
1. One Keystone To Rule Them All
Priti Desai
OpenStack Evangelista
2. One Keystone To Rule Them All
How to configure Keystone in multiple OpenStack clouds?
What are the Keystone core concepts?
How is Keystone architected in a single OpenStack cloud?
What is our Keystone architecture in multiple data centers?
What kind of challenges did we come across and how did we address them?
6. One Keystone To Rule Them All
User
curl -s -X POST https://keystone.com/v3/users -H "Content-Type: application/json" -d '
{
  "user": {
    "name": "john_smith",
    "password": "password",
    "domain_id": "1adafaf"
  }
}'
7. One Keystone To Rule Them All
Domain
&
Projects
curl -s -X POST https://keystone.com/v3/domains -H "Content-Type: application/json" -d '
{
  "domain": {
    "name": "domain-A"
  }
}'
curl -s -X POST https://keystone.com/v3/projects -H "Content-Type: application/json" -d '
{
  "project": {
    "name": "project-1",
    "domain": "domain-A"
  }
}'
8. One Keystone To Rule Them All
Roles
curl -s -X POST https://keystone.com/v3/roles -H "Content-Type: application/json" -d '
{
  "role": {
    "name": "admin"
  }
}'
9. One Keystone To Rule Them All
curl -s -X PUT https://keystone.com/v3/domains/domain-A/users/john_smith/roles/admin
curl -s -X PUT https://keystone.com/v3/projects/project-A/users/john_smith/roles/admin
10. One Keystone To Rule Them All
Token
curl -s -X POST https://keystone.com/v3/auth/tokens -H "Content-Type: application/json" -d '
{
  "auth": {
    "identity": {
      "methods": [
        "password"
      ],
      "password": {
        "user": {
          "domain": {
            "name": "domain-A"
          },
          "name": "john_smith",
          "password": "secretsecret"
        }
      }
    }
  }
}'
18. One Keystone To Rule Them All
[Diagram: numbered request flow across services, steps 1 to 6: Token Generation, Image, VM Creation, and Token Verification at each service]
19. One Keystone To Rule Them All
Now, we have Identity in US-WEST. Should we utilize the same Identity service in US-EAST?
What is Federated Identity and how does it work across two data centers?
Is it possible to deploy a Global Identity Service?
26. Identity in US-EAST
• Pros
– Highly Available
• Cons
– Need Access to Identity (Users and Groups)
– SQL Latency
– Re-Authentication
29. Global Identity
• Pros
– Highly Available
– Global authentication across US-WEST and US-EAST
• Cons
– Token Size
– Orchestration – Domain Specific Driver
30. Endpoint Grouping
• Dynamic Endpoint Attribute Filtering
• Endpoint Properties:
– interface
– service_id
– region_id
– enabled
31. Endpoint Grouping – Regional Grouping
POST /OS-EP-FILTER/endpoint_groups
{
  "endpoint_group": {
    "description": "Creating a group for US-WEST endpoints",
    "filters": {
      "region_id": "us-west"
    },
    "name": "EP-GROUP-US-WEST"
  }
}
32. Endpoint Grouping – Service Grouping
POST /OS-EP-FILTER/endpoint_groups
{
  "endpoint_group": {
    "description": "Creating a group for external service endpoints",
    "filters": {
      "service_id": "1510ad"
    },
    "name": "EP-GROUP-SERVICE"
  }
}
33. Endpoint Grouping – OpenStack Services
POST /OS-EP-FILTER/endpoint_groups
{
  "endpoint_group": {
    "description": "Creating a group for OpenStack services in US-WEST",
    "filters": {
      "service_id": "1510ad",  # Keystone
      "service_id": "2110fc",  # Nova
      "service_id": "4210da",  # Glance
      "region_id": "us-west"
    },
    "name": "EP-GROUP-OpenStack"
  }
}
34. Endpoint Grouping
• Pros
– Significantly Reduces the Token Size
• Cons
– Project Provisioning Workflow
36. Domain Specific Drivers - Kilo
curl -s -X PATCH $OS_URL/domains/$DOMAIN_ID/config -H "X-Auth-Token: $OS_TOKEN" \
  -H "Content-Type: application/json" -d @domain.json | jq .
37. Domain Specific Drivers – Kilo
{
  "config": {
    "identity": {
      "driver": "keystone.identity.backends.ldap.Identity"
    },
    "ldap": {
      "url": "ldaps://symantec.com:636",
      "user_id_attribute": "uid",
      "user_tree_dn": "ou=Accounts,dc=openstack,dc=symantec,dc=com",
      "user_filter": "(memberOf=cn=DomainA,ou=OpenstackDomains,dc=openstack,dc=symantec,dc=com)",
      "query_scope": "sub",
      …
    }
  }
}
Editor's notes
The Identity Service supports user management.
One of the key components of user management is the user.
A user can be a real user (a human being) or a service user.
A user is associated with information such as a user name, a password, and the domain the user belongs to.
User management also consists of projects and domains.
A project is a tenant: a group or a team within your organization.
A domain is a collection of projects and users.
A domain defines administrative boundaries for its projects and users.
A domain may represent a company in a public cloud and an organization in a private cloud.
A role is an entity that defines the list of operations a user can perform in a given project or domain.
Users may be given a domain's administrator role. A domain administrator may create projects, users, and groups within the domain and assign roles to users and groups.
A token is a bearer token, valid for a certain amount of time.
A token represents the identity of a user and carries all the information about that user, including the user's roles in any project or domain.
The token is the most sensitive piece of information: anybody possessing your token can act on your behalf, with no further verification required.
Keystone supports service management.
It maintains a list of the different types of services in the entire OpenStack cloud.
Regions are generally geographically distributed areas.
Keystone keeps the endpoints for each service in the OpenStack cloud.
Each endpoint is associated with a service in Keystone.
Each endpoint has a URL where the service is hosted and one of several interface types.
Three instances of Keystone run on three different boxes.
All of these instances run behind a load balancer.
The public endpoint and the admin endpoint are hosted on a VIP.
A MySQL cluster behind a load balancer holds most of the user management pieces: domains, projects, roles, services and their endpoints, and service accounts.
An LDAP instance behind a load balancer maintains the users and groups information, synced with the corporate AD that sits outside the OpenStack cloud.
A memcache store holds all the authentication tokens.
With Juno, Keystone offers Endpoint Grouping, which introduces a dynamic endpoint attribute filtering capability that is directly associated with a project.
The underlying idea of Endpoint Grouping is to provide a key-value based filtering strategy that groups service endpoints having the same characteristics.
For example, an endpoint group for Swift in US-WEST can be created with service=Swift and region=US-WEST.
Service endpoints can be easily managed according to their characteristics, which act as filters. The filter used must be an endpoint property: interface, service_id, region_id or enabled. Note that if interface is used as a filter, the only available values are public, internal and admin.
Service endpoints can belong to multiple groups, which increases the level of granularity. For instance, an endpoint group limiting a certain service and another limiting a certain region can both be associated with a project to filter the endpoints that project sees by that service and that region.
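The filtering described above, as an added example that is not part of the original slides or of Keystone's own code: a small model of OS-EP-FILTER matching that shows how endpoint groups narrow the catalog a project receives (and so the token size). It assumes that within one group every filter must match and that a project associated with several groups sees the union of their matches; the catalog, the Swift service id "ab12cd" and the URLs are constructed.

```python
"""Model of Keystone OS-EP-FILTER endpoint-group matching (added example)."""
import json

# Endpoint properties OS-EP-FILTER accepts as filter keys, and the only
# legal values when "interface" itself is used as a filter.
FILTER_KEYS = {"interface", "service_id", "region_id", "enabled"}
INTERFACES = {"public", "internal", "admin"}


def validate_filters(filters):
    """Reject a filter on a non-endpoint property or a bad interface value."""
    for key, value in filters.items():
        if key not in FILTER_KEYS:
            raise ValueError("unsupported filter property: %s" % key)
        if key == "interface" and value not in INTERFACES:
            raise ValueError("interface must be public, internal or admin")
    return True


def endpoint_matches(endpoint, filters):
    """Within one group, every filter key must equal the endpoint's value."""
    return all(endpoint.get(k) == v for k, v in filters.items())


def filter_catalog(endpoints, groups):
    """Endpoints a project sees: those matched by any associated group
    (union across groups is the behaviour modelled here, an assumption)."""
    for group in groups:
        validate_filters(group["filters"])
    return [ep for ep in endpoints
            if any(endpoint_matches(ep, g["filters"]) for g in groups)]


def visible_ids(endpoints, groups):
    return [ep["id"] for ep in filter_catalog(endpoints, groups)]


def catalog_bytes(endpoints):
    """Rough size the catalog contributes to a token: its JSON length."""
    return len(json.dumps(endpoints, sort_keys=True))


# Constructed sample catalog. Nova (2110fc) and Glance (4210da) ids come from
# the slides; the Swift id "ab12cd", endpoint ids and URLs are made up.
CATALOG = [
    {"id": "e1", "service_id": "2110fc", "region_id": "us-west", "interface": "public", "enabled": True, "url": "https://nova.us-west.example"},
    {"id": "e2", "service_id": "4210da", "region_id": "us-west", "interface": "public", "enabled": True, "url": "https://glance.us-west.example"},
    {"id": "e3", "service_id": "2110fc", "region_id": "us-east", "interface": "public", "enabled": True, "url": "https://nova.us-east.example"},
    {"id": "e4", "service_id": "4210da", "region_id": "us-east", "interface": "public", "enabled": True, "url": "https://glance.us-east.example"},
    {"id": "e5", "service_id": "ab12cd", "region_id": "us-west", "interface": "admin", "enabled": False, "url": "https://swift-admin.us-west.example"},
]

GROUP_US_WEST = {"name": "EP-GROUP-US-WEST", "filters": {"region_id": "us-west"}}
GROUP_NOVA_US_WEST = {"name": "EP-GROUP-NOVA-US-WEST", "filters": {"service_id": "2110fc", "region_id": "us-west"}}
GROUP_GLANCE_US_EAST = {"name": "EP-GROUP-GLANCE-US-EAST", "filters": {"service_id": "4210da", "region_id": "us-east"}}
```

Running `visible_ids(CATALOG, [GROUP_US_WEST])` returns the three US-WEST endpoints, while `[GROUP_NOVA_US_WEST, GROUP_GLANCE_US_EAST]` yields only e1 and e4, and `catalog_bytes` on either result is smaller than on the full catalog.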