One Keystone to Rule Them All
Traditionally, the focus has been on configuring and deploying Keystone in a single cloud or a single data center. Enterprise clouds are generally spread across multiple data centers. What happens to the authentication and authorization platform across multiple data centers? How do users from one data center access resources in 10 other data centers?

At Symantec, we have solved many of these authentication and authorization issues across multiple data centers with a single Keystone deployment. We would like to share some of the challenges and focus on:

Architecture overview
Keystone backends
How out-of-the-box Keystone addresses common use cases across multiple data centers
Certain Keystone features and their deployment
Domain Specific Drivers
Multi Attribute Endpoint Grouping


  1. One Keystone To Rule Them All. Priti Desai, OpenStack Evangelista
  2. How to configure Keystone in multiple OpenStack clouds? What are the Keystone core concepts? How is Keystone architected in a single OpenStack cloud? What is our Keystone architecture in multiple data centers? What kind of challenges did we come across and how did we address them?
  3. (no text on slide)
  4. Compute, Image, Horizon, Neutron, Barbican, Ceilometer, Designate, Swift
  5. User Management
  6. User
     curl -s -X POST https://keystone.com/v3/users
     {
       "user": {
         "name": "john_smith",
         "password": "password",
         "domain_id": "1adafaf"
       }
     }
  7. Domain & Projects
     curl -s -X POST https://keystone.com/v3/domains
     {
       "domain": {
         "name": "domain-A"
       }
     }
     curl -s -X POST https://keystone.com/v3/projects
     {
       "project": {
         "name": "project-1",
         "domain": "domain-A"
       }
     }
  8. Roles
     curl -s -X POST https://keystone.com/v3/roles
     {
       "role": {
         "name": "admin"
       }
     }
  9. curl -s -X PUT https://keystone.com/v3/domains/domain-A/users/john_smith/roles/admin
     curl -s -X PUT https://keystone.com/v3/projects/project-A/users/john_smith/roles/admin
  10. Token
     curl -s -X POST https://keystone.com/v3/auth/tokens
     {
       "auth": {
         "identity": {
           "methods": [ "password" ],
           "password": {
             "user": {
               "domain": { "name": "domain-A" },
               "name": "john_smith",
               "password": "secretsecret"
             }
           }
         }
       }
     }
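Added example, not code from the talk: the token request of slide 10 built as a function, extended with the project and domain scopes that the role assignments of slide 9 make possible, plus the PUT URL pattern of slide 9. Names and base URL follow the slides; the real API addresses domains, users and roles by id in that URL.

```python
def auth_request(user, password, user_domain, project=None, project_domain=None, domain=None):
    """Body for POST /v3/auth/tokens with the password method (slide 10).

    With neither project nor domain the token is unscoped; with `project` it is
    project-scoped (the project is looked up in `project_domain`, defaulting to the
    user's own domain); with `domain` it is domain-scoped. Keystone accepts at most
    one scope per request, so asking for both is rejected here.
    """
    if project is not None and domain is not None:
        raise ValueError("a token is scoped to a project or a domain, not both")
    body = {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {
            "domain": {"name": user_domain},
            "name": user,
            "password": password,
        }},
    }}}
    if project is not None:
        body["auth"]["scope"] = {"project": {
            "name": project, "domain": {"name": project_domain or user_domain}}}
    elif domain is not None:
        body["auth"]["scope"] = {"domain": {"name": domain}}
    return body


def role_assignment_url(base_url, target_kind, target_id, user_id, role_id):
    """URL for the PUT that grants a role on a domain or a project (slide 9).

    The real API takes ids in these positions; the slide shows names for readability,
    and this example keeps the slide's values.
    """
    if target_kind not in ("domains", "projects"):
        raise ValueError("role assignments are made on 'domains' or 'projects'")
    return f"{base_url}/v3/{target_kind}/{target_id}/users/{user_id}/roles/{role_id}"
```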
  11. Service Management
  12. Service
     curl -s -X POST https://keystone.com/v3/services
     {
       "service": {
         "type": "identity"
       }
     }
  13. Regions
     curl -s -X POST https://keystone.com/v3/regions
     {
       "region": {
         "id": "uswest"
       }
     }
  14. Endpoints
     curl -s -X POST https://keystone.com/v3/endpoints
     {
       "endpoint": {
         "interface": "[admin|public|internal]",
         "name": "identity admin url",
         "region": "uswest",
         "url": "https://keystone.com",
         "service_id": "identity"
       }
     }
  15. Keystone Architecture Overview
  16. (architecture diagram: numbered steps 1, 2, 3, each marked with a check)
  17. AuthN/AuthZ Workflow
  18. (workflow diagram, steps 1 to 6; labels on the slide: Token Generation, Image, VM Creation, Token Verification, Token Verification)
  19. Now we have Identity in US-WEST. Should we utilize the same Identity service in US-EAST? What is Federated Identity and how does it work across two data centers? Is it possible to deploy a Global Identity Service?
  20. Keystone To Keystone Federation
  21. (no text on slide)
  22. (no text on slide)
  23. Keystone To Keystone Federation
     • Pros
       – No new Identity
     • Cons
       – Single Point of Failure
       – Lack of Uniform Workflow
  24. Identity in US-EAST
  25. (no text on slide)
  26. Identity in US-EAST
     • Pros
       – Highly Available
     • Cons
       – Need Access to Identity (Users and Groups)
       – SQL Latency
       – Re-Authentication
  27. Global Identity across US-WEST & US-EAST
  28. (no text on slide)
  29. Global Identity
     • Pros
       – Highly Available
       – Global authentication across US-WEST and US-EAST
     • Cons
       – Token Size
       – Orchestration
       – Domain Specific Driver
  30. Endpoint Grouping
     • Dynamic Endpoint Attribute Filtering
     • Endpoint Properties:
       – interface
       – service_id
       – region_id
       – Enabled
  31. Endpoint Grouping – Regional Grouping
     POST /OS-EP-FILTER/endpoint_groups
     {
       "endpoint_group": {
         "description": "Creating a group for US-WEST endpoints",
         "filters": {
           "region_id": "us-west"
         },
         "name": "EP-GROUP-US-WEST"
       }
     }
  32. Endpoint Grouping – Service Grouping
     POST /OS-EP-FILTER/endpoint_groups
     {
       "endpoint_group": {
         "description": "Creating a group for external service endpoints",
         "filters": {
           "service_id": "1510ad"
         },
         "name": "EP-GROUP-SERVICE"
       }
     }
  33. Endpoint Grouping – OpenStack Services
     POST /OS-EP-FILTER/endpoint_groups
     {
       "endpoint_group": {
         "description": "Creating a group for OpenStack services in US-WEST",
         "filters": {
           "service_id": "1510ad",   # Keystone
           "service_id": "2110fc",   # Nova
           "service_id": "4210da",   # Glance
           "region_id": "us-west"
         },
         "name": "EP-GROUP-OpenStack"
       }
     }
  34. Endpoint Grouping
     • Pros
       – Significantly Reduces the Token Size
     • Cons
       – Project Provisioning Workflow
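Added example, not part of the deck or of Keystone itself: the matching rule behind the endpoint groups of slides 31 to 33, run over a constructed endpoint set so the catalog shrinkage claimed on slide 34 can be measured. The service ids follow slide 33; the URLs, the disabled DNS endpoint and the list form of service_id are this example's assumptions (the stock OS-EP-FILTER filter takes one value per attribute).

```python
import json

def ep(eid, service_id, service_type, region_id, url, enabled=True):
    # Constructed sample endpoint; ids and urls are made up for this example.
    return {"id": eid, "service_id": service_id, "service_type": service_type,
            "region_id": region_id, "interface": "public", "url": url, "enabled": enabled}

# service_ids as on slide 33 (1510ad Keystone, 2110fc Nova, 4210da Glance); 7777dd is constructed.
ENDPOINTS = [
    ep("e1", "1510ad", "identity", "us-west", "https://keystone.example.com/v3"),
    ep("e2", "2110fc", "compute", "us-west", "https://nova.us-west.example.com/v2.1"),
    ep("e3", "4210da", "image", "us-west", "https://glance.us-west.example.com/v2"),
    ep("e4", "2110fc", "compute", "us-east", "https://nova.us-east.example.com/v2.1"),
    ep("e5", "4210da", "image", "us-east", "https://glance.us-east.example.com/v2"),
    ep("e6", "7777dd", "dns", "us-west", "https://designate.us-west.example.com/v2", enabled=False),
]

def matches(endpoint, filters):
    """Every filter attribute must match (AND over attributes). A list value means
    'any of these'; that is this example's extension for the multi-service case."""
    for key, wanted in filters.items():
        have = endpoint.get(key)
        ok = have in wanted if isinstance(wanted, list) else have == wanted
        if not ok:
            return False
    return True

def filtered_endpoints(endpoints, groups):
    """What a project associated with these groups sees: the union of the groups'
    matches, with disabled endpoints dropped (the 'Enabled' property of slide 30)."""
    return [e for e in endpoints
            if e["enabled"] and any(matches(e, g["filters"]) for g in groups)]

def catalog(endpoints):
    """Shape endpoints like the 'catalog' section of a v3 token response."""
    services = {}
    for e in endpoints:
        svc = services.setdefault(e["service_id"],
                                  {"id": e["service_id"], "type": e["service_type"], "endpoints": []})
        svc["endpoints"].append({k: e[k] for k in ("id", "interface", "region_id", "url")})
    return list(services.values())

def catalog_size(endpoints):
    """Serialized catalog size in bytes: the part of the token that grouping shrinks."""
    return len(json.dumps({"catalog": catalog(endpoints)}))

# The groups of slides 31 and 33.
EP_GROUP_US_WEST = {"name": "EP-GROUP-US-WEST", "filters": {"region_id": "us-west"}}
EP_GROUP_OPENSTACK = {"name": "EP-GROUP-OpenStack",
                      "filters": {"service_id": ["1510ad", "2110fc", "4210da"], "region_id": "us-west"}}
```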
  35. Domain Specific Drivers - Juno: Restart Identity Service
  36. Domain Specific Drivers - Kilo
     curl -s -X PATCH $OS_URL/domains/$DOMAIN_ID/config -H "X-Auth-Token: $OS_TOKEN" -H "Content-type: application/json" -d '@domain.json' | jq .
  37. Domain Specific Drivers – Kilo
     {
       "config": {
         "identity": {
           "driver": "keystone.identity.backends.ldap.Identity"
         },
         "ldap": {
           "url": "ldaps://symantec.com:636",
           "user_id_attribute": "uid",
           "user_tree_dn": "ou=Accounts,dc=openstack,dc=symantec,dc=com",
           "user_filter": "(memberOf=cn=DomainA,ou=OpenstackDomains,dc=openstack,dc=symantec,dc=com)",
           "query_scope": "sub",
           …
         }
       }
     }
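An added check for the domain.json payload of slides 36 and 37 before it is PATCHed in (example code, not from the talk or from Keystone). The option names url, use_tls, tls_req_cert, user_tree_dn and user_filter are real Keystone [ldap] settings; which of them to flag is this example's policy, and the weak variant is constructed.

```python
# Values of SLIDE_CONFIG are taken from slide 37 (the elided "..." entries left out).
SLIDE_CONFIG = {"config": {
    "identity": {"driver": "keystone.identity.backends.ldap.Identity"},
    "ldap": {
        "url": "ldaps://symantec.com:636",
        "user_id_attribute": "uid",
        "user_tree_dn": "ou=Accounts,dc=openstack,dc=symantec,dc=com",
        "user_filter": "(memberOf=cn=DomainA,ou=OpenstackDomains,dc=openstack,dc=symantec,dc=com)",
        "query_scope": "sub",
    },
}}

# Constructed weak variant: plaintext LDAP, relaxed certificate check, no membership filter.
WEAK_CONFIG = {"config": {
    "identity": {"driver": "keystone.identity.backends.ldap.Identity"},
    "ldap": {"url": "ldap://ldap.example.com:389", "tls_req_cert": "allow",
             "user_tree_dn": "ou=Accounts,dc=example,dc=com", "query_scope": "sub"},
}}

def lint_domain_config(payload):
    """Return findings for an LDAP-backed domain config; an empty list means it passed."""
    cfg = payload.get("config", {})
    driver = cfg.get("identity", {}).get("driver", "")
    if "ldap" not in driver:
        return []  # SQL-backed domain: nothing LDAP-specific to check
    ldap = cfg.get("ldap", {})
    findings = []
    if ldap.get("url", "").startswith("ldap://") and not ldap.get("use_tls", False):
        findings.append("bind password and user attributes cross the network in clear text: "
                        "use ldaps:// or set use_tls")
    # Keystone's default for tls_req_cert is 'demand'; anything weaker skips verification.
    if ldap.get("tls_req_cert", "demand") != "demand":
        findings.append("tls_req_cert is not 'demand': the directory certificate check is relaxed")
    if not ldap.get("user_tree_dn"):
        findings.append("user_tree_dn missing: user searches are not confined to a subtree")
    if not ldap.get("user_filter"):
        findings.append("user_filter missing: every entry under user_tree_dn becomes a user of this domain")
    return findings
```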
  38. (no text on slide)
  39. Q&A. Let’s talk…
  40. Thank You. Priti Desai, Priti_Desai@symantec.com, @pritidesai8
