OPENSTACK KEYSTONE IDENTITY SERVICE Kavit Munshi, CTO, Aptira
WHAT IS KEYSTONE? Keystone is an OpenStack project that provides Identity, Token, Catalog and Policy services for use specifically by projects in the OpenStack family. It implements OpenStack’s Identity API. The Identity services has two primary functions:
- User management: keep track of users and what they are permitted to do
- Service catalog: Provide a catalog of what services are available and where their API endpoints are located
KEYSTONE ARCHITECTURE Keystone is organized as a group of internal services exposed on one or many endpoints.
1) Identity: The Identity service provides auth credential validation and data about Users, Tenants and Roles, as well as any associated metadata.
2) Token: The Token service validates and manages Tokens used for authenticating requests once a user/tenant’s credentials have already been verified.
3) Catalog: The Catalog service provides an endpoint registry used for endpoint discovery.
4) Policy: The Policy service provides a rule-based authorization engine
KEYSTONE ARCHITECTURE Each of the services can configured to use a backend to allow Keystone to fit a variety of environments and needs. The backend for each service is defined in the keystone.conf file
1) KVS Backend: A simple backend interface meant to be further backended on anything that can support primary key lookups
2) SQL Backend: A SQL based backend using SQLAlchemy to store data persistently.
3) PAM Backend: Extra simple backend that uses the current system’s PAM service to authenticate, providing a one-to-one relationship between Users and Tenants.
4) LDAP Backend: The LDAP backend stored Users and Tenents in separate Subtrees.
5) Templated Backend: A simple Template used to configure Keystone
KEYSTONE USER MANAGEMENT The three main concepts of Identity user management are:
1) Users: A user represents a human user, and has associated information such as username, password and email.
2) Tenants: A tenant can be thought of as a project, group, or organization. Whenever you make requests to OpenStack services, you must specify a tenant.
3) Roles: A role captures what operations a user is permitted to perform in a given tenant.
KEYSTONE SERVICE MANAGEMENT Keystone also acts as a service catalog to let other OpenStack systems know where relevant API endpoints exist for OpenStack Services. The two main concepts of Identity service management are:
- Services - Endpoints
The Identity service also maintains a user that corresponds to each service (e.g., a user named nova, for the Compute service) and a special service tenant, which is called service.
INSTALLING AND SETTING UP KEYSTONE Keystone can be either be installed from the source or platform specific packages available with various distributions. For the purposes of this presentation we will use Ubuntu 12.04 with platform specific packages available in the repositories. - sudo apt-get install keystone - sudo apt-get install python-mysqldb mysql-server (install mysqldb to replace the default SQL lite DB) - mysql> CREATE DATABASE keystone; (Create mysql database for the keystone to use) - mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '[YOUR_KEYSTONE_PASSWORD]'; (Create mysql user to access the keystone DB) - Change connection line in /etc/keystone.conf connection = mysql://keystone:[YOUR_KEYSTONE_PASSWORD]@[YOUR_KEYSTONE_SERVER]/key stone - admin_token = 012345SECRET99TOKEN012345 (Set service token in keystone.conf) - service keystone restart (Restart the keystone service to apply the changes - keystone-manage db_sync (Initialise the new keystone database)
KEYSTONE USER MANAGEMENT 1) Create a user called Kavit keystone user-create --name=kavit --pass=test123 --email@example.com
2) Create a tenant called test keystone tenant-create --name=test
3) Create a role to use on our system keystone role-create –name=admin
4) Associate the role and the user with the tenant keystone user-role-add --user=USERID –role=ROLEID –tenant_id=TENANTID
KEYSTONE SERVICE MANAGEMENT 1) Create service tenant. This tenant contains all the services that we make known to the service catalog. keystone tenant-create –name=service
2) Create users for each Openstack service in the service catalog keystone user-create –name=nova –pass=test123 -- firstname.lastname@example.org
3) Give admin roles to the users nova, glance, etc to the tenant service.
4) Now that we have tenants, users and roles for each of the users, we need to create the services we wish authenticate users for. keystone service-create --name nova --type compute --description ’OpenStack Compute Service’
KEYSTONE SERVICE MANAGEMENT
5) Once the services are created, we will need to associate the endpoints or network addresses where clients might connect to the services offered.