2. What is OpenStack Identity?
What was accomplished in Ocata?
What are we achieving in Pike?
Looking ahead to Queens and Rocky
3. What is OpenStack Identity?
What was accomplished in Ocata?
What are we achieving in Pike?
Looking ahead to Queens and Rocky
4. What is OpenStack Identity?
a shared service for authentication, authorization, and auditing
supplies identity information to end users and services
broker between OpenStack and other identity services
98% adoption rate
5. What is OpenStack Identity?
a shared service for authentication, authorization, and auditing
supplies identity information to end users and services
broker between OpenStack and other identity services
98% adoption rate
6. What is OpenStack Identity?
a shared service for authentication, authorization, and auditing
supplies identity information to end users and services
broker between OpenStack and other identity services
98% adoption rate
7. What is OpenStack Identity?
a shared service for authentication, authorization, and auditing
supplies identity information to end users and services
broker between OpenStack and other identity services
98% adoption rate
8. What is OpenStack Identity?
What was accomplished in Ocata?
What are we achieving in Pike?
Looking ahead to Queens and Rocky
9. What was accomplished in Ocata?
eased the burden of long running operations
fernet tokens became the default
smarter use of revocation
improved PCI-DSS usability
multifactor authentication via time-based one-time passwords (TOTP)
federated auto-provisioning
version 3 API gate testing
10. What was accomplished in Ocata?
eased the burden of long running operations
fernet tokens became the default
smarter use of revocation
improved PCI-DSS usability
multifactor authentication via time-based one-time passwords (TOTP)
federated auto-provisioning
version 3 API gate testing
11. What was accomplished in Ocata?
eased the burden of long running operations
fernet tokens became the default
smarter use of revocation
improved PCI-DSS usability
multifactor authentication via time-based one-time passwords (TOTP)
federated auto-provisioning
version 3 API gate testing
12. What was accomplished in Ocata?
eased the burden of long running operations
fernet tokens became the default
smarter use of revocation
improved PCI-DSS usability
multifactor authentication via time-based one-time passwords (TOTP)
federated auto-provisioning
version 3 API gate testing
13. What was accomplished in Ocata?
eased the burden of long running operations
fernet tokens became the default
smarter use of revocation
improved PCI-DSS usability
multifactor authentication via time-based one-time passwords (TOTP)
federated auto-provisioning
version 3 API gate testing
14. What was accomplished in Ocata?
eased the burden of long running operations
fernet tokens became the default
smarter use of revocation
improved PCI-DSS usability
multifactor authentication via time-based one-time passwords (TOTP)
federated auto-provisioning
version 3 API gate testing
15. What was accomplished in Ocata?
eased the burden of long running operations
fernet tokens became the default
smarter use of revocation
improved PCI-DSS usability
multifactor authentication via time-based one-time passwords (TOTP)
federated auto-provisioning
version 3 API gate testing
16. What was accomplished in Ocata?
eased the burden of long running operations
fernet tokens became the default
smarter use of revocation
improved PCI-DSS usability
multifactor authentication via time-based one-time passwords (TOTP)
federated auto-provisioning
version 3 API gate testing
17. What is OpenStack Identity?
What was accomplished in Ocata?
What are we achieving in Pike?
Looking ahead to Queens and Rocky
18. What are we achieving in Pike?
registering and documenting default policies
unified limits
project tags
federated integration testing
integrating rolling upgrade tests
19. What are we achieving in Pike?
registering and documenting default policies
unified limits
project tags
federated integration testing
integrating rolling upgrade tests
20. What are we achieving in Pike?
registering and documenting default policies
unified limits
project tags
federated integration testing
integrating rolling upgrade tests
21. What are we achieving in Pike?
registering and documenting default policies
unified limits
project tags
federated integration testing
integrating rolling upgrade tests
22. What are we achieving in Pike?
registering and documenting default policies
unified limits
project tags
federated integration testing
integrating rolling upgrade tests
23. What are we achieving in Pike?
registering and documenting default policies
unified limits
project tags
federated integration testing
integrating rolling upgrade tests
24. What is OpenStack Identity?
What was accomplished in Ocata?
What are we achieving in Pike?
Looking ahead to Queens and Rocky
25. Looking ahead to Queens and Rocky
well-defined roles by default
improving policy security
hierarchical limits and quotas
API keys
native SAML support
account linking
continued integration testing
26. Looking ahead to Queens and Rocky
well-defined roles by default
improving policy security
hierarchical limits and quotas
API keys
native SAML support
account linking
continued integration testing
27. Looking ahead to Queens and Rocky
well-defined roles by default
improving policy security
hierarchical limits and quotas
API keys
native SAML support
account linking
continued integration testing
28. Looking ahead to Queens and Rocky
well-defined roles by default
improving policy security
hierarchical limits and quotas
API keys
native SAML support
account linking
continued integration testing
29. "Practice the 101 Percent Principle. Whenever possible, find the 1 percent you do agree on in
a difficult situation, and give it 100 percent of your effort."
John Maxwell
30. Looking ahead to Queens and Rocky
well-defined roles by default
improving policy security
hierarchical limits and quotas
API keys
native SAML support
account linking
continued integration testing
31. Looking ahead to Queens and Rocky
well-defined roles by default
improving policy security
hierarchical limits and quotas
API keys
native SAML support
account linking
continued integration testing
32. Looking ahead to Queens and Rocky
well-defined roles by default
improving policy security
hierarchical limits and quotas
API keys
native SAML support
account linking
continued integration testing
33. Looking ahead to Queens and Rocky
well-defined roles by default
improving policy security
hierarchical limits and quotas
API keys
native SAML support
account linking
continued integration testing
Editor's Notes
(Lance)
(Lance)
Intended Audience:
Operators
Product people
People I'm not expecting to attend:
Developers (I think the list of developers in attendance is going to be ultra short)
Approach the entire presentation with the end state of Operators and Product people at the forefront.
What do operators want to know?
What is changing that will impact how I operator/use keystone?
Is there anything new that will allow me automate things?
Is there anything I'm using now that might be going away soon? Why is it going away?
What do product people to know?
What is going to get my existing customer base excited?
Is there anything new compliance-wise that I can use to net new customers?
What usability improvements have been made?
Don't start with credentials or facts and figures. Start with a story if possible/applicable.
https://www.youtube.com/watch?v=e80BbX05D7Y
(Colleen; 2 - 4 minutes)
(Colleen)
(Colleen)
(Colleen)
(Colleen)
We could say we have a 98% adoption rate within OpenStack deployments as of the last User Survey (which came out recently - this might help give attendees a frame of reference as to when the metric was taken)
The first email I got about the user survey was from Heidi (from the Foundation) in February.
(Colleen; 5 - 7 minutes)
(Colleen; 5 - 7 minutes)
(Colleen; 5 - 7 minutes)
For a long time operators have had the problem of needing to run long-running operations that involve service-to-service communication, and in the middle of the operation the user's keystone token would expire, causing the services to reject the token and interrupt the operation. People were working around this by increasing the lifetime of tokens but that doesn't always work and longer token lifetimes are inherently less secure. We've eased the problem by allowing services to present users' just-expired tokens in conjunction with special service tokens to other services so that when a user starts a job with a valid token the token can be used to finish the job.
(Colleen; 5 - 7 minutes)
Traditional UUID tokens were stored in a database
Fernet tokens were introduced in kilo, non-persistent format means no replication across clusters, improved scalability, lower database traffic, easier database management
with positive feedback from operators at the Austin summit we made them the default
(Colleen; 5 - 7 minutes)
The work that we did making fernet ready to be the default token provider forced us to really think about how we were dealing with tokens and in the process of simplifying how tokens are validated we were able to clean up a lot of unnecessary revocation events and help reduce the flood of notifications
(Colleen; 5 - 7 minutes)
In previous cycles we added account controls so that operators could satisfy PCI Data Security Standards. This cycle we built on that work to make it easier to use, by
creating an API for password requirements so that tools like horizon could easily query, display, and validate password complexity requirements
creating an API that enables tooling for admins to search for users with expired passwords.
enhancing PCI-related notifications with reasons for the notifications (example: user is locked out for too many failed auth attempts)
Samuel’s talk is on Thursday at 4:10 PM Hynes Convention Center - Level 3 - MR 311. This should be promoted since he'll be talking about PCI and it will serve as a good presentation for folks interested in it. A lot of it will relate to the Ocata release.
https://www.openstack.org/summit/boston-2017/summit-schedule/events/18281/security-hardening-pci-dss-and-security-compliance-within-keystone
(Colleen; 5 - 7 minutes)
We now have the ability to enhance user account security by requiring multiple authentication mechanisms on a per-user basis, such as password plus time-based one-time passcode
We avoided adding this for a while because we pushed the responsibility onto external identity services, but users wanted this feature for non-federated users
(Colleen; 5 - 7 minutes)
There used to be no straightforward way to assign federated users roles in projects, now we're able to use mapping rules to link users to projects before they've logged in and even have projects created automatically created for them
(Colleen; 5 - 7 minutes)
We're making the v3 API the default in our integration gate testing
v3 == the domain-aware API
hard-coded assumptions have made this hard
going to ensure stability in this API version and get us further down the road of deprecating the v2 API
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes)
think nova and neutron resource tags
implemented according to the API WG guidelines
(Lance; 5 - 7 minutes)
framework for integration testing is in place
now we need to build out the coverage
(Lance; 5 - 7 minutes)
rolling upgrades have been around since newton
last thing we need to do to assert the rolling upgrade tag
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes)
OpenStack has evolved over the last 5 years, policy hasn't
Provide better defaults upstream
(Lance; 5 - 7 minutes)
Today we violate the principle of least privilege
Fixing policy is going to be an OpenStack-wide effort
Outline to roadmap so we can work on policy together
Per API Role Based Access Control with Adam and Kristi Tomorrow at 4:30 in the convention center room 311
(Lance; 5 - 7 minutes)
Building on the unified limits approach
Provides consistent quota usage across OpenStack
(Lance)
Policy and quotas have been problems across OpenStack for a long time
We're finally making progress as a group
Finding the actual things we agree on
Focusing on the things we have in common instead of conflict
(Lance; 5 - 7 minutes)
Specification has been proposed
Result of decoupling authentication from your identity
Native API key support is a possible next step
Improved security
(Lance; 5 - 7 minutes)
Bring up a use case here (like domain admin) to make this easier for folks to understand. This would make it so keystone doesn't need new configs when adding new identity providers. Instead a domain admin could add new identity providers via the API.
Domain admin case