
OPENSTACK FOR VSPECIALISTS

MODULE 4: OPENSTACK IDENTITY SERVICE (KEYSTONE)

EMC CONFIDENTIAL—INTERNAL USE ONLY 1


MODULE 4: OPENSTACK IDENTITY (KEYSTONE)

Upon completion of this module, you should be able to:
• Understand the components of the OpenStack Identity service
• Explain the OpenStack project and user model
• Explain the structure and function of the OpenStack service catalog



KEYSTONE OVERVIEW
• Keystone consists of a set of internal services exposed on one or multiple endpoints, used in concert
• Each service supports a range of backends, including shims for existing auth systems
• Keystone is a dependency for every other core service (except Swift)
• Keystone project team also produces the Keystone middleware library for user authentication
• python-keystoneclient CLI deprecated in favor of python-openstackclient (supports v2 and v3 API)
[Diagram: the Keystone API fronts the Identity, Policy, Resource, Catalog, Assignment, and Token services, each of which sits on its own service backend]
BASIC CONCEPTS: SERVICE CATALOG
• Catalog service maintains an endpoint registry for discovery of all available service endpoints
• When a new service is deployed, cloud admin can create the appropriate endpoint in the catalog
• Horizon queries the catalog to determine what services are available for administration via dashboards
• Endpoint can have up to three types of URLs: adminURL, internalURL, publicURL
SERVICE CATALOG ENDPOINT TYPES
• Service’s publicURL is the default for external clients to make requests against
• Separate internalURL allows deployers to configure a separate security domain for services to call each other’s endpoints in the course of processing, for traffic isolation
• Services may also expose different operations on adminURL vs. publicURL: Keystone V2.0 does so, listening on two ports by default
[Diagram: Catalog (1) to Service (1..n) to Endpoint (1..n). Multiple endpoints for a service occur when Keystone contains data for multiple regions]
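The two slides above describe the catalog as a registry that clients query for a service's endpoint by URL type and region. The v3 API expresses the three URL types as an "interface" of public, internal or admin on each endpoint entry. The following is an added example, not code from the slides or from any OpenStack project: it embeds a constructed v3-style catalog (all names, hosts and regions are made up) and shows an endpoint lookup that fails closed, refusing to fall back from the requested interface to another one and refusing to guess a region when the service has endpoints in more than one.

```python
import json

# Constructed sample of the "catalog" list that Keystone v3 returns inside a
# token response. Service names, hosts and regions are invented for this example.
SAMPLE_CATALOG = json.loads("""
[
  {"type": "identity", "name": "keystone", "endpoints": [
     {"interface": "public",   "region": "RegionOne", "url": "https://keystone.example.test:5000/v3"},
     {"interface": "internal", "region": "RegionOne", "url": "http://10.0.0.5:5000/v3"},
     {"interface": "admin",    "region": "RegionOne", "url": "http://10.0.0.5:35357/v3"}]},
  {"type": "image", "name": "glance", "endpoints": [
     {"interface": "public",   "region": "RegionOne", "url": "https://glance.example.test:9292"},
     {"interface": "internal", "region": "RegionOne", "url": "http://10.0.0.6:9292"},
     {"interface": "public",   "region": "RegionTwo", "url": "https://glance-r2.example.test:9292"},
     {"interface": "internal", "region": "RegionTwo", "url": "http://10.1.0.6:9292"}]}
]
""")


class EndpointNotFound(LookupError):
    pass


def find_endpoint(catalog, service_type, interface="public", region=None):
    """Return the URL for service_type/interface, optionally restricted to a region.

    Raises EndpointNotFound instead of silently falling back to another
    interface: a caller configured for the internal security domain must not
    quietly start talking to a public URL, and vice versa.
    """
    matches = []
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") != interface:
                continue
            if region is not None and ep.get("region") != region:
                continue
            matches.append(ep["url"])
    if not matches:
        raise EndpointNotFound(
            f"no {interface} endpoint for {service_type!r} in region {region!r}")
    if len(matches) > 1:
        # Several matches with no region filter means the catalog spans
        # multiple regions; the caller has to say which one it wants.
        raise EndpointNotFound(
            f"{len(matches)} {interface} endpoints for {service_type!r}; specify a region")
    return matches[0]


def list_regions(catalog, service_type):
    """All regions in which the service has at least one endpoint."""
    regions = set()
    for service in catalog:
        if service.get("type") == service_type:
            regions.update(ep.get("region") for ep in service.get("endpoints", []))
    return sorted(regions)


if __name__ == "__main__":
    print(find_endpoint(SAMPLE_CATALOG, "image", "public", "RegionOne"))
    print(find_endpoint(SAMPLE_CATALOG, "identity", "internal"))
    print(list_regions(SAMPLE_CATALOG, "image"))
```

The deliberate refusal to fall back is the security point: an internal endpoint is usually unauthenticated at the network layer and reachable only inside the deployer's service security domain, so a client that silently switched interfaces would either leak traffic onto the wrong network or fail in a way that is hard to diagnose.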
BASIC CONCEPTS: RESOURCE
• Projects: the basic unit of resource ownership in OpenStack. Known as tenants in v2.0 API. Resource quotas apply at the project level. Users are associated with one or more projects.
• Domains: introduced in v3.0 as containers for projects, users, and groups. Project, user, and group names must be unique in a domain. Default domain is ‘Default’. Domains may use unique identity drivers.
[Diagram: Domain (1) contains Project (1..n), Group (0..n) and User (0..n); a Project owns 0..n Instance, Network, Volume, Container, and other resources]
BASIC CONCEPTS: IDENTITY & ROLES
• Users: represent basic API consumers and belong to a domain. Many OpenStack services require service users to interact with other services.
• Groups: collections of users belonging to a domain
• Roles: control level of authorization for actions. Assigned to users or groups. Role names are globally unique.
• Role assignments: Triples of (Role, Resource, Identity). Roles therefore assigned relative to project or domain.
[Diagram: Domain (1) has User (0..n) and Group (0..n); a Role Assignment links one Role, one resource (Domain | Project), and one identity (User | Group)]


BASIC CONCEPTS: POLICY
• Keystone Policy service is a rule-based authorization engine with rule management interface
• Keystone itself requires special role ‘admin’ for most operations
– Role created during cloud deployment
– Role associated on default domain: assigning ‘admin’ to a user grants privileged access across the cloud
• To Keystone, a role is a name. Significance of roles is defined by the policy of a target service.
• Services use policy.json files to define rules and associate them with resources and operations (e.g. /etc/nova/policy.json)
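The Identity & Roles slide and the Policy slide together describe the whole authorization chain: role assignments are (Role, Resource, Identity) triples, possibly reaching a user through a group, and a target service then interprets the resulting role names through its own policy.json rules. The following is an added example, not code from the slides or from oslo.policy; it embeds constructed assignments, group memberships and a small policy.json-shaped rule set (all names invented), resolves a user's effective roles for a given scope, and evaluates the "role:", "rule:" and "key:%(field)s" rule forms that real policy files use (a subset; no parentheses or "not"). It also shows why the slide's "role is a name" remark matters: a rule that only says "role:admin" is satisfied by any token carrying that role name, whichever project the target belongs to.

```python
import re

# Constructed role assignments as (role, resource, identity) triples.
# Resources are ("project", id) or ("domain", id); identities are ("user", id) or ("group", id).
ASSIGNMENTS = [
    ("admin",  ("domain",  "default"),  ("user",  "alice")),
    ("member", ("project", "proj-web"), ("group", "web-devs")),
    ("member", ("project", "proj-db"),  ("user",  "carol")),
]
GROUP_MEMBERS = {"web-devs": {"bob", "carol"}}

# Constructed excerpt in the shape of a service's policy.json (rule names invented).
POLICY = {
    "admin_required": "role:admin",
    "owner": "project_id:%(project_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "image:delete": "rule:admin_or_owner",
    "image:publicize": "rule:admin_required",
}


def effective_roles(assignments, groups, user_id, resource):
    """Roles user_id holds on resource, directly or through group membership."""
    roles = set()
    for role, res, (kind, ident) in assignments:
        if res != resource:
            continue
        if kind == "user" and ident == user_id:
            roles.add(role)
        elif kind == "group" and user_id in groups.get(ident, set()):
            roles.add(role)
    return roles


def _check_atom(atom, policy, creds, target):
    atom = atom.strip()
    if atom.startswith("rule:"):
        return check_rule(atom[5:], policy, creds, target)
    if atom.startswith("role:"):
        return atom[5:] in creds["roles"]
    key, _, value = atom.partition(":")
    # "%(name)s" substitutes a field of the target object, e.g. the image's project_id
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:
        value = str(target.get(m.group(1)))
    return str(creds.get(key)) == value


def check_rule(name, policy, creds, target):
    """Evaluate policy[name]; an unknown rule name is denied (fail closed)."""
    expr = policy.get(name)
    if expr is None:
        return False
    # "or" binds looser than "and"; this subset has no parentheses
    return any(
        all(_check_atom(a, policy, creds, target) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def is_allowed(action, user_id, scope, target):
    """Roles for the token's scope become the creds a service feeds into policy."""
    kind, ident = scope
    creds = {
        "user_id": user_id,
        "project_id": ident if kind == "project" else None,
        "domain_id": ident if kind == "domain" else None,
        "roles": effective_roles(ASSIGNMENTS, GROUP_MEMBERS, user_id, scope),
    }
    return check_rule(action, POLICY, creds, target)


if __name__ == "__main__":
    # bob is a member of proj-web only via the web-devs group
    print(is_allowed("image:delete", "bob", ("project", "proj-web"), {"project_id": "proj-web"}))
    # alice's domain-level admin satisfies "role:admin" against any target
    print(is_allowed("image:publicize", "alice", ("domain", "default"), {"project_id": "proj-db"}))
```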



BASIC CONCEPTS: TOKEN
• Tokens: Created by Keystone on a successful authentication request
• Authentication: requires presentation of identity and resource information and a secret, e.g. user, project, and password information
• Tokens passed in for requests to other services after authentication. Multiple token formats are supported (UUID, PKI(Z), Fernet)
• Token validation provides identity and association information to services, as input for policy decisions
[Diagram: the client app makes a REST API call to Glance over HTTP, passing in the auth-token previously obtained from Keystone; the Glance API makes a request to Keystone to validate the auth-token and receives updated authorization headers]


KEY SERVICE OPERATIONS
• User authentication
• Token creation and validation
• Service catalog lookups
• CRUD operations on services, endpoints, projects, users, groups, and roles
– Admin role required for entity CRUD
– Operations may be restricted by the type of backend provider used for identity, e.g. read-only LDAP

$ openstack catalog …
$ openstack service …
$ openstack endpoint …
$ openstack project …
$ openstack user …
$ openstack group …
$ openstack role …

$ openstack help user create
$ openstack catalog list



HOW TO AUTHENTICATE USING CLI’S
• To authenticate, Keystone will need user’s identity, resource, and authentication information (e.g. password)
• Client also needs to be provided with endpoint (publicURL) for Keystone
– All other service endpoints can be retrieved from Keystone service catalog
• Parameters can be passed in as arguments to CLI, but more typically set as special environment variables in the shell
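The slide lists what the CLI needs (identity, resource, secret, Keystone publicURL) and says these are normally read from environment variables. The following is an added example, not code from the slides or from python-openstackclient: it builds the exact JSON body that a v3 password authentication sends to POST /v3/auth/tokens from OS_* variables (the variable names are the ones python-openstackclient reads; the values shown are constructed), produces a log-safe copy with the password removed, and extracts from a constructed reply what a client keeps: the token id, which arrives in the X-Subject-Token header rather than the body, plus scope, roles and catalog.

```python
import json
import os

# Constructed environment in the shape of an "openrc" file; the values are invented.
SAMPLE_ENV = {
    "OS_AUTH_URL": "https://keystone.example.test:5000/v3",
    "OS_USERNAME": "alice",
    "OS_PASSWORD": "correct horse battery staple",
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_PROJECT_NAME": "proj-web",
    "OS_PROJECT_DOMAIN_NAME": "Default",
}

REQUIRED = ("OS_AUTH_URL", "OS_USERNAME", "OS_PASSWORD")


def build_auth_request(env=None):
    """Return (url, body) for POST /v3/auth/tokens using the password method.

    "identity" says who the user is; "scope" says which project the token is
    for. Without a scope Keystone issues an unscoped token that carries no
    catalog, so nothing else can be discovered from it.
    """
    env = os.environ if env is None else env
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing " + ", ".join(missing))
    body = {"auth": {"identity": {"methods": ["password"], "password": {"user": {
        "name": env["OS_USERNAME"],
        "domain": {"name": env.get("OS_USER_DOMAIN_NAME", "Default")},
        "password": env["OS_PASSWORD"],
    }}}}}
    if env.get("OS_PROJECT_NAME"):
        body["auth"]["scope"] = {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": env.get("OS_PROJECT_DOMAIN_NAME", "Default")},
        }}
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    return url, body


def redact(body):
    """Deep copy of the request body that is safe to log: the password is masked."""
    safe = json.loads(json.dumps(body))
    safe["auth"]["identity"]["password"]["user"]["password"] = "***"
    return safe


# Constructed stand-in for Keystone's reply (ids, dates and URLs are invented).
SAMPLE_RESPONSE_HEADERS = {"X-Subject-Token": "constructed-token-id-0001"}
SAMPLE_RESPONSE_BODY = {"token": {
    "expires_at": "2015-11-01T12:00:00.000000Z",
    "user": {"id": "u-alice", "name": "alice"},
    "project": {"id": "p-web", "name": "proj-web"},
    "roles": [{"name": "member"}],
    "catalog": [{"type": "image", "endpoints": [
        {"interface": "public", "region": "RegionOne", "url": "https://glance.example.test:9292"}]}],
}}


def parse_auth_response(headers, body):
    """Extract what a client keeps from the reply: token id, scope, roles, catalog."""
    token = headers.get("X-Subject-Token")
    if not token:
        raise ValueError("no X-Subject-Token header in response")
    t = body["token"]
    return {
        "token": token,
        "expires_at": t["expires_at"],
        "project_id": t.get("project", {}).get("id"),
        "roles": sorted(r["name"] for r in t.get("roles", [])),
        "catalog": t.get("catalog", []),
    }


if __name__ == "__main__":
    url, body = build_auth_request(SAMPLE_ENV)
    print(url)
    print(json.dumps(redact(body), indent=2))
    print(parse_auth_response(SAMPLE_RESPONSE_HEADERS, SAMPLE_RESPONSE_BODY)["roles"])
```

Because OS_PASSWORD sits in the shell environment, it is visible to every child process and to anything that can read the user's environment; the redact() step exists so that debug output of the request body never repeats it.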



NOTES ON USING CLI’S
• Use the ‘-h’ option with any client to get a listing of all available commands
– $ openstack -h # list all available top-level commands
– $ openstack -h | grep token # use grep to narrow listing to keyword of interest
• Use the ‘help’ command to return detailed help on any command



SERVICE ARCHITECTURE
• API implemented using PasteDeploy WSGI application pipeline
• For security, should be deployed in Apache2 running mod_wsgi and TLS
• API connects to one or more service backends via drivers, depending on configuration in keystone.conf
• SQL driver uses Keystone managed DB via SQLAlchemy as usual
• Keystone supports caching layer above token, resource, and role backends via dogpile.cache library
[Diagram: Clients connect over HTTP to httpd2 running mod_wsgi, which hosts the Keystone WSGI application; backend drivers connect the application to its service backends]
Backend drivers:
– Catalog: SQL, KVS, templated
– Identity: SQL, LDAP
– Resource: SQL, LDAP
– Assignment: SQL, LDAP
– Policy: rules, SQL
– Token: SQL, KVS, memcache
WHAT IDENTITY DRIVERS ARE IN USE?

Source: OpenStack User Survey, October 2015



TOKEN PERSISTENCE
• In order to validate tokens, Keystone must persist them through their expiration time
• CLI clients will generate a new token per request, leading to rapid proliferation of tokens
• SQL backend does not automatically purge expired tokens, requires admin to manually flush
– $ keystone-manage token_flush
• Recommended to use alternate backend like memcached or KVS (redis) for token management
• expiration parameter in keystone.conf sets the TTL for a token in seconds (default is 3600s = 1hr)
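The Token slide says validation hands identity and association information to services, and this slide explains why persisted tokens pile up and why expiry must be checked explicitly. The following is an added example, not code from the slides or from Keystone's token backends: a constructed in-memory model of a persisted UUID-style token table with a configurable expiration (defaulting to the 3600 s the slide quotes), a validate() that returns the stored identity record only while the token is unexpired, and a flush() that does what keystone-manage token_flush does for the SQL backend. simulate_cli_session() drives it with a fake clock so the table growth from one-token-per-CLI-call is visible.

```python
import secrets
import time

DEFAULT_EXPIRATION = 3600  # [token] expiration in keystone.conf, in seconds


class TokenStore:
    """Constructed model of a persisted token backend (not Keystone's code).

    Every issue() adds a row, exactly as a CLI client that authenticates on
    each invocation would; nothing removes rows until flush() runs, which is
    the SQL-backend behaviour described on the slide.
    """

    def __init__(self, expiration=DEFAULT_EXPIRATION, clock=time.time):
        self.expiration = expiration
        self.clock = clock  # injectable so tests can move time forward
        self._tokens = {}   # token id -> record

    def issue(self, user_id, project_id, roles):
        now = self.clock()
        token_id = secrets.token_hex(16)  # 32 hex chars, like a UUID token
        self._tokens[token_id] = {
            "user_id": user_id, "project_id": project_id, "roles": sorted(roles),
            "issued_at": now, "expires_at": now + self.expiration,
        }
        return token_id

    def validate(self, token_id):
        """Return the identity/association record, or None if unknown or expired.

        Expired rows stay in the table until flush(), so expiry has to be
        checked on every validation rather than inferred from row existence.
        """
        rec = self._tokens.get(token_id)
        if rec is None or rec["expires_at"] <= self.clock():
            return None
        return dict(rec)

    def revoke(self, token_id):
        """Explicit revocation: True if a row was removed."""
        return self._tokens.pop(token_id, None) is not None

    def count(self):
        return len(self._tokens)

    def flush(self):
        """Equivalent of keystone-manage token_flush: purge expired rows, return how many."""
        now = self.clock()
        expired = [t for t, r in self._tokens.items() if r["expires_at"] <= now]
        for t in expired:
            del self._tokens[t]
        return len(expired)


def simulate_cli_session(calls, expiration=DEFAULT_EXPIRATION):
    """`calls` CLI invocations each mint a token; then time passes and an admin flushes."""
    fake_now = [1_000_000.0]
    store = TokenStore(expiration=expiration, clock=lambda: fake_now[0])
    ids = [store.issue("alice", "proj-web", ["member"]) for _ in range(calls)]
    rows_before = store.count()
    valid_before = store.validate(ids[0]) is not None
    fake_now[0] += expiration + 1          # every token is now past its TTL
    valid_after = store.validate(ids[0]) is not None
    purged = store.flush()
    return {"rows_before": rows_before, "valid_before": valid_before,
            "valid_after": valid_after, "purged": purged, "rows_after": store.count()}


if __name__ == "__main__":
    print(simulate_cli_session(25, expiration=600))
```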



KEYSTONE MIDDLEWARE
• keystonemiddleware project produces the WSGI middleware filter for services to authenticate requests via Keystone auth_tokens
– API middleware configured in <codename>.conf file for each service
• Keystone also provides optional audit middleware to generate audit events for API requests

Source: http://docs.openstack.org/developer/keystonemiddleware/audit.html
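The slide describes the auth_token filter as a WSGI middleware sitting in front of each service's API. The following is an added example, not code from the slides or from keystonemiddleware: a minimal filter in the same pattern that reads X-Auth-Token, validates it through an injected callable (a constructed dictionary stands in for the round trip to Keystone), and either rejects with 401 or forwards the request with the X-Identity-Status, X-User-Id, X-Project-Id and X-Roles headers that the real filter sets. The delay_auth_decision option mirrors the real filter's option of the same name, which lets the service decide what to do with an unauthenticated request. The test harness, echo application and token table are constructed for this example.

```python
# Identity headers that only the filter may set; anything a client sent is dropped.
IDENTITY_HEADERS = ("HTTP_X_IDENTITY_STATUS", "HTTP_X_USER_ID", "HTTP_X_PROJECT_ID", "HTTP_X_ROLES")
UNAUTHORIZED = "401 Unauthorized"


class AuthTokenFilter:
    """Constructed auth_token-style WSGI filter (not keystonemiddleware's code)."""

    def __init__(self, app, validate_token, delay_auth_decision=False):
        self.app = app
        self.validate_token = validate_token      # token id -> dict or None
        self.delay_auth_decision = delay_auth_decision

    def __call__(self, environ, start_response):
        # Strip client-supplied identity headers so they cannot be spoofed past the filter.
        for key in IDENTITY_HEADERS:
            environ.pop(key, None)
        token = environ.get("HTTP_X_AUTH_TOKEN")
        info = self.validate_token(token) if token else None
        if info is None:
            if not self.delay_auth_decision:
                start_response(UNAUTHORIZED, [
                    ("Content-Type", "text/plain"),
                    ("WWW-Authenticate", "Keystone uri=https://keystone.example.test:5000"),
                ])
                return [b"Authentication required"]
            # Let the service see the request, but mark it as unauthenticated.
            environ["HTTP_X_IDENTITY_STATUS"] = "Invalid"
            return self.app(environ, start_response)
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        environ["HTTP_X_USER_ID"] = info["user_id"]
        environ["HTTP_X_PROJECT_ID"] = info["project_id"]
        environ["HTTP_X_ROLES"] = ",".join(info["roles"])
        return self.app(environ, start_response)


# Constructed token table standing in for a validation call to Keystone.
TOKENS = {"tok-alice": {"user_id": "u-alice", "project_id": "p-web", "roles": ["member"]}}


def fake_validator(token_id):
    return TOKENS.get(token_id)


def echo_app(environ, start_response):
    """Downstream service app: reports the identity headers it was given."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    line = "status={} user={} project={} roles={}".format(
        environ.get("HTTP_X_IDENTITY_STATUS"), environ.get("HTTP_X_USER_ID"),
        environ.get("HTTP_X_PROJECT_ID"), environ.get("HTTP_X_ROLES"))
    return [line.encode()]


def call(app, headers):
    """Invoke a WSGI app with the given HTTP headers; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v2/images"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    app = AuthTokenFilter(echo_app, fake_validator)
    print(call(app, {}))
    print(call(app, {"X-Auth-Token": "tok-alice", "X-User-Id": "u-spoofed"}))
```

The header stripping is the part worth copying: the downstream service trusts X-User-Id and X-Roles unconditionally, so the filter must be the only thing that can set them, and the service must only ever be reachable through the filter.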
OPTIONAL: KEYSTONE FEDERATION
• Keystone can be configured as Service Provider trusting identity properties issued by external Identity Provider managing users and groups (e.g. SAML, OpenID)
• Keystone can also serve as Identity Provider to federate multiple Keystone deployments in different clouds
– Cloud1 token -> SAML assertions -> Cloud2 token
• Goal: access resources across multiple OpenStack clouds using same identity and credentials
– Prototype demoed in 2015 Vancouver Summit keynote
– Video available for discussion of prototype of Keystone-to-Keystone federation in summit breakout session (OpenStack in AWS + BlueBox)
EC2-COMPATIBLE CREDENTIALS
• Keystone can also generate an EC2-compatible set of credentials for a given user (openstack ec2 credentials list)
• These credentials would be used instead of the OpenStack user credentials to authenticate with Nova EC2 and Swift S3 API’s
• Credentials can be retrieved via CLI or Horizon for a user

