:: Keystone Introduction :: Ethan Kurt :: 1 ::
Advertising
Me
Team
History of Keystone
- Austin (nova, swift) (21/Oct/2010)
- Bexar (glance, nova, swift)
- Cactus (glance, nova, swift)
- Diablo (glance, nova, swift)
- Essex (glance, horizon, keystone v2.0, nova, swift) (05/Apr/2012)
- Folsom, Grizzly, Havana, Icehouse, Juno, Kilo (the last of v2.0) (Apr 2015)
- Liberty (start of v3.0, 15/Oct/2015)
- Mitaka (Keystone v3, latest release)
- Newton (current, 06/Oct/2010)
What is Keystone?
- Identity service
- Central authentication & authorization system (single point of auth for all OpenStack services)
- Auditing
- Service discovery
- Supports integration with a variety of identity providers
- Keystone should be the first service to be installed
Components of Keystone
- User
- Tenant/Project
- Role
- Token
- Endpoint
- Service
User (User)
- A user represents a human user and has associated information
such as username (credential), password (credential) and email.
Tenant/Project (Group)
- A container to group and isolate resources and users. It must be
specified in order to make requests to services. (Represents a customer,
organization or a group.)
Role (Permission)
- Includes a set of rights for performing specific actions that can
be assigned to a specific user. (A role is what operations a user is
permitted to perform in a given tenant.)
Token
- A short message returned by Keystone and used for accessing services.
Each token has a scope which describes which resources are accessible
with it.
Endpoint
- An address accessible over a network, described by a URL, from where
it is possible to make requests to OpenStack services.
Service
- Provides one or more endpoints through which users can access resources
and perform operations (e.g. Swift, Nova, Neutron, etc.).
- A service is identified by: identification number, name, service type
and description.
:: OpenStack for you and your enterprise ::
APIs Security
APIs Endpoints (diagram): a client reaches the Compute, Object Storage, Block Storage, Networking and Identity endpoints through the API layer (REST, XML-RPC, SOAP ...).
Note:
APIs are your point of contact from the external world; you must make them highly secure!
Firewalls are not enough, because anything can be sent over http/https ...
OpenStack APIs
All OpenStack software is based on APIs. End customers and tools use them to access the platform programmatically.
Among OpenStack components, the API is a way of decoupling component implementations.
(diagram) The RESTful API can be reached easily from 'curl'-style tools, the OpenStack command line tools, OpenStack REST clients and the software development kit (SDK).
Use of MACs (mandatory access controls) at the OS level severely limits access to resources and provides earlier
alerting on such events.
The power of Keystone
- Single point authentication for all OpenStack services
- Single sign-on to OpenStack services
- Reduces exposure of credentials
Continuous Security
Which token should I use for security purposes, Luke?
- UUID
- PKI
- PKIZ
- Fernet
Horizon and Fernet
- Yes, Fernet tokens work with Horizon
- Liberty and beyond: no patches necessary
- Kilo: needs a patch for DOA (Django OpenStack Auth)
- https://review.openstack.org/#/c/169994
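The slides define a token as a scoped, expiring message and then ask which token format to pick. The following added example (not from the slides and not Keystone's own code) contrasts the two ends of that list with Python's standard library only: a UUID-style token, which is an opaque random id whose meaning lives in a server-side table, and a Fernet-style token, which carries its own scope and expiry and is checked by verifying a MAC with a server key. Everything here is simplified and labelled as an assumption: the signing key is a constructed constant (Keystone keeps Fernet keys in a rotated key repository), and the payload is signed but not encrypted, whereas real Fernet also encrypts it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

# Constructed demo key (assumption). Keystone's Fernet keys live in a key
# repository and are rotated; this is a simplified analogue, not Keystone code.
SIGNING_KEY = b"constructed-demo-key-do-not-use-in-production"

# --- UUID-style token: opaque random id, the scope lives in a server-side table ---
_uuid_token_store: Dict[str, dict] = {}


def issue_uuid_token(user: str, project: str, roles: List[str], ttl: int = 3600) -> str:
    """Return a random opaque id and remember its scope server-side."""
    token = secrets.token_hex(16)  # 32 hex chars, a UUID-like opaque value
    _uuid_token_store[token] = {"user": user, "project": project,
                                "roles": roles, "exp": int(time.time()) + ttl}
    return token


def validate_uuid_token(token: str, project: str, now: Optional[int] = None) -> Optional[dict]:
    """Every validation needs the store: no lookup, no meaning."""
    now = int(time.time()) if now is None else now
    data = _uuid_token_store.get(token)
    if data is None or data["exp"] <= now or data["project"] != project:
        return None  # unknown, expired, or scoped to another project
    return data


# --- Fernet-style token: self-describing payload protected by an HMAC, no lookup ---
def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_signed_token(user: str, project: str, roles: List[str],
                       ttl: int = 3600, now: Optional[int] = None) -> str:
    """Embed user, project scope, roles and expiry; sign with the server key."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"user": user, "project": project, "roles": roles,
                          "exp": now + ttl}, sort_keys=True).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def validate_signed_token(token: str, project: str, now: Optional[int] = None) -> Optional[dict]:
    """Check the MAC first (constant time), then expiry and project scope."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # payload or MAC was altered
    data = json.loads(payload)
    if data["exp"] <= now or data["project"] != project:
        return None  # expired, or scoped to another project
    return data


if __name__ == "__main__":
    t = issue_signed_token("alice", "projA", ["member"], ttl=60, now=1000)
    print("valid for projA:", validate_signed_token(t, "projA", now=1001) is not None)
    print("valid for projB:", validate_signed_token(t, "projB", now=1001) is not None)
    print("valid after expiry:", validate_signed_token(t, "projA", now=1060) is not None)
```

The point of the contrast is operational: a UUID-style token forces every service to call back to the identity store (and that store to grow until tokens are purged), while a signed, self-describing token can be validated locally, and revocation and key rotation then become the things to design for.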
Cookie Backend
- Secure cookies: use https (high-level certificates)
- CSRF_COOKIE_SECURE = True
- SESSION_COOKIE_SECURE = True
http://docs.openstack.org/developer/horizon/topics/settings.html
http://docs.openstack.org/security-guide/dashboard/cookies.html
Of course, you need traditional security, Bob
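The two settings above are easy to state and easy to forget in a deployment's local_settings.py. As an added example (not from the slides or from Horizon), here is a small audit that parses a settings file with Python's ast module and reports, for each of the two cookie flags, whether it is set to True, set to something else, or missing; the sample weak and hardened settings are constructed for the demo, and the two setting names are the Django/Horizon ones the slide quotes.

```python
import ast
from typing import Dict

# The flags the slide asks for on a TLS-only dashboard. Both default to False
# in Django, so "missing" is as bad as an explicit False.
REQUIRED_TRUE = ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE")


def audit_cookie_settings(settings_source: str) -> Dict[str, str]:
    """Return {flag: 'ok' | 'false' | 'missing'} for a settings file's text.

    Parsing with ast (not exec) means the file is never run; only top-level
    assignments with a literal True on the right-hand side count as 'ok'.
    The last assignment to a name wins, as it would in Python.
    """
    tree = ast.parse(settings_source)
    seen = {}  # flag -> True if its latest assignment is the literal True
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id in REQUIRED_TRUE:
                value = node.value
                seen[target.id] = isinstance(value, ast.Constant) and value.value is True
    report = {}
    for flag in REQUIRED_TRUE:
        if flag not in seen:
            report[flag] = "missing"
        else:
            report[flag] = "ok" if seen[flag] else "false"
    return report


def is_hardened(settings_source: str) -> bool:
    """True only when every required flag is literally True."""
    return all(status == "ok" for status in audit_cookie_settings(settings_source).values())


# Constructed sample: a dashboard that left one flag off and forgot the other.
WEAK_SETTINGS = """
DEBUG = False
CSRF_COOKIE_SECURE = False
# SESSION_COOKIE_SECURE is not set here, so Django's default (False) applies
"""

# Constructed sample: the corrected settings the slide recommends.
HARDENED_SETTINGS = """
DEBUG = False
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
"""

if __name__ == "__main__":
    for name, src in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_cookie_settings(src), "hardened:", is_hardened(src))
```

Run it against the real local_settings.py with `audit_cookie_settings(open(path).read())`; the check only covers these two flags, so it complements, rather than replaces, the settings and security-guide pages linked above.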
Thank You!