One Keystone to Rule Them All
•Télécharger en tant que PPTX, PDF•
2 j'aime•2,425 vues
Traditionally, the focus has been on configuring and deploying Keystone in single cloud / single data center. The enterprise clouds are generally spread across multiple data centers. What happens to authentication and authorization platform across multiple data centers? How do users from one data center access resources in 10 other data centers? At Symantec, we have solved many of these authentication and authorization issues across multiple data center with a single Keystone deployment. We would like to share some of the challenges and focus on: Architecture overview Keystone backends How out-of-the-box Keystone addresses common use cases across multi data centers? Certain Keystone features and their deployment Domain Specific Drivers Multi Attribute Endpoint Grouping
Recommandé
Recommandé
Contenu connexe
Plus de Priti Desai
Dernier
Dernier (20)
One Keystone to Rule Them All
- 1. One Keystone To Rule Them All Priti Desai OpenStack Evangelista One Keystone To Rule Them All
- 2. One Keystone To Rule Them All How to configure Keystone in multiple OpenStack clouds? What are the Keystone core concepts? How is Keystone architected in single OpenStack cloud? What is our keystone architecture in multiple data centers? What kind of challenges did we come across and how did we address them ?
- 3. One Keystone To Rule Them All
- 4. One Keystone To Rule Them All ComputeImage Horizon Neutron Barbican Ceilometer Designat e Swift
- 5. User Management One Keystone To Rule Them All
- 6. One Keystone To Rule Them All User curl -s POST https://keystone.com/v3/users { "user": { "name": ”john_smith", "password": “password”, "domain_id": "1adafaf" } }
- 7. One Keystone To Rule Them All Domain & Projects curl -s POST https://keystone.com/v3/domains { ”domain": { "name": ”domain-A” } } curl -s POST https://keystone.com/v3/projects { ”project": { "name": ”project-1”, “domain”: “domain-A” } }
- 8. One Keystone To Rule Them All Roles curl -s POST https://keystone.com/v3/roles { ”role": { "name": ”admin” } }
- 9. One Keystone To Rule Them All curl -s PUT https://keystone.com/v3/domains/domain-A/users/john_smith/roles/admin curl -s PUT https://keystone.com/v3/projects/project-A/users/john_smith/roles/admin
- 10. One Keystone To Rule Them All Token curl -s POST https://keystone.com/v3/auth/tokens { "auth": { "identity": { "methods": [ "password" ], "password": { "user": { “domain”: { “name”: “domain-A” }, ”name": ”john_smith", "password": "secretsecret" } } } } }
- 11. Service Management One Keystone To Rule Them All
- 12. One Keystone To Rule Them All Service curl -s POST https://keystone.com/v3/services { ”service": { ”type": ”identity” } }
- 13. One Keystone To Rule Them All Regions curl -s POST https://keystone.com/v3/regions { ”region": { ”id": ”uswest” } }
- 14. One Keystone To Rule Them All Endpoints curl -s POST https://keystone.com/v3/endpoints { "endpoint": { "interface": "[admin|public|internal]", "name": ”identity admin url", “region”: “uswest”, "url": ”https://keystone.com", "service_id": ”identity" } }
- 15. Keystone Architecture Overview One Keystone To Rule Them All
- 16. One Keystone To Rule Them All 1 2 3 ✔ ✔ ✔
- 17. AuthN/AuthZ Workflow One Keystone To Rule Them All
- 18. One Keystone To Rule Them All 1 Token Generation 2 3 4 Image 5 VM Creation 6 Token Verification Token Verification
- 19. One Keystone To Rule Them All Now, we have Identity in US-WEST. Should we utilize the same Identity service in US- EAST?What is Federated Identity and how does it work across two data centers? Is it possible to deploy Global Identity Service?
- 20. Keystone To Keystone Federation One Keystone To Rule Them All
- 21. One Keystone To Rule Them All
- 22. One Keystone To Rule Them All
- 23. Keystone To Keystone Federation • Pros – No new Identity • Cons – Single Point of Failure – Lack of Uniform Workflow One Keystone To Rule Them All
- 24. Identity in US-EAST One Keystone To Rule Them All
- 25. One Keystone To Rule Them All
- 26. Identity in US-EAST • Pros – Highly Available • Cons – Need Access to Identity (Users and Groups) – SQL Latency – Re-Authentication One Keystone To Rule Them All
- 27. Global Identity across US-WEST & US-EAST One Keystone To Rule Them All
- 28. One Keystone To Rule Them All
- 29. Global Identity • Pros – Highly Available – Global authentication across US-WEST and US-EAST • Cons – Token Size – Orchestration – Domain Specific Driver One Keystone To Rule Them All
- 30. Endpoint Grouping • Dynamic Endpoint Attribute Filtering • Endpoint Properties: – interface – service_id – region_id – Enabled One Keystone To Rule Them All
- 31. Endpoint Grouping – Regional Grouping POST /OS-EP-FILTER/endpoint_groups { "endpoint_group": { "description": "Creating a group for US-WEST endpoints", "filters": { "region_id": ”us-west" }, "name": "EP-GROUP-US-WEST" } } One Keystone To Rule Them All
- 32. Endpoint Grouping – Service Grouping POST /OS-EP-FILTER/endpoint_groups { "endpoint_group": { "description": "Creating a group for external service endpoints", "filters": { ”service_id": ”1510ad" }, "name": "EP-GROUP-SERVICE" } } One Keystone To Rule Them All
- 33. Endpoint Grouping – OpenStack Services POST /OS-EP-FILTER/endpoint_groups { "endpoint_group": { "description": "Creating a group for OpenStack services in US-WEST", "filters": { ”service_id": ”1510ad” #Keystone ”service_id": ”2110fc” #Nova ”service_id": ”4210da” #Glance “region_id”: “us-west” }, "name": "EP-GROUP-OpenStack" } } One Keystone To Rule Them All
- 34. Endpoint Grouping • Pros – Significantly Reduces the Token Size • Cons – Project Provisioning Workflow One Keystone To Rule Them All
- 35. Domain Specific Drivers - Juno One Keystone To Rule Them All Restart Identity Service
- 36. Domain Specific Drivers - Kilo PATCH $OS_URL/domains/$DOMAIN_ID/config -H "X-Auth-Token: $OS_TOKEN" -H "Content-type: application/json" -d’@domain.json'| jq . One Keystone To Rule Them All
- 37. Domain Specific Drivers – Kilo { "config": { "identity": { "driver": "keystone.identity.backends.ldap.Identity" }, "ldap": { "url": "ldaps://symantec.com:636", "user_id_attribute": "uid", "user_tree_dn": “ou=Accounts,dc=openstack,dc=symantec,dc=com", "user_filter": "(memberOf=cn=DomainA,ou=OpenstackDomains,dc=openstack,dc=symantec,dc=com)”, "query_scope": "sub", … } } }One Keystone To Rule Them All
- 38. One Keystone To Rule Them All
- 39. Q&A Let’s talk… One Keystone To Rule Them All
- 41. References • Introduction: – http://www.titanui.com/wp-content/uploads/2014/12/26/Crayon-Drawing-Love-Heart-Vector.jpg • Keystone Concepts: – http://icons.iconarchive.com/icons/icons-land/vista-people/256/Occupations-Bartender-Male-Light- icon.png – https://d30y9cdsu7xlg0.cloudfront.net/png/106464-200.png – https://cdn3.iconfinder.com/data/icons/interaction-design/512/Token_2-256.png – http://www.pcmadness.com.au/images/repair_icon.jpg – http://www.iconshock.com/img_jpg/BETA/networking/jpg/256/role_icon.jpg – https://www.websense.com/content/Assets/Images/master-database-globe.png • Federated Keystone – https://www.openstack.org/assets/presentation-media/os-federation-final.pdf One Keystone To Rule Them All
Notes de l'éditeur
- Identity Service Supports User Management One of the key component of user management is User User could be a real user (a human being), or a service user. User is associated with information such as user name, password, and which domain does this user belong to.
- User management consists of project and domain. Project is a tenant, group, a team within your organization. Domain is a collection of projects and users. Domain defines administrative boundaries for the projects and users. Domain may represent a company in public cloud and organization in private cloud.
- Role is an entity which defines a list of operations a user can perform in a given project/domain.
- Users may be given a domain's administrator role. A domain administrator may create projects, users, and groups within a domain and assign roles to users and groups.
- Token is bearer token, which is valid for certain amount of time. Token represents identity of any user, has all the information about that user including his roles in any project or domain. Token is the most sensitive information, anybody possessing your token can act on your behalf without any further verification required.
- Keystone supports Service Management. It maintains a list of different types of services in entire openstack cloud.
- Regions are generally geographically distributed areas.
- Endpoints for each service in openstack cloud. Each endpoint is associated with a service in keystone. Each endpoint has an URL where the service is hosted and has different types of interface.
- Three instances of keystone running on three different boxes All of these instances are running behind load balancer. Public endpoint and admin endpoint are hosted using VIP. MySQL cluster behind load balancer – most of the user management pieces, Domains, Projects, Roles, Services and their endpoints, Service Accounts LDAP instance behind load balancer – which maintains Users and Groups information, synced with corporate AD which is sitting outside of OpenStack cloud. Memcache store storing all the authentication tokens
- OpenStack Architecture
- TODO: Authentication Process, Authorization Process, CRUD Operations
- With Juno, Keystone offers Endpoint Grouping which introduces a dynamic endpoint attribute filtering capability that is directly associated with a project. The underlying idea of Endpoint Grouping is to provide a key-value based filtering strategy that groups service endpoints having the same characteristics. For example, endpoint grouping for Swift in US-WEST can be created with service=Swiftand region=US-WEST. Service endpoints can be easily managed according to their characteristics which can act as filters. The filter used must be an endpoint property, such as interface, service_id, region_id and enabled. Note that if using interface as a filter, the only available values are public, internal and admin. Service endpoints can belong to multiple groups which increases the level of granularity. For instance, endpoint groups limiting a certain service and limiting a certain region can be associated to a project to filter endpoints by that service and in that region.