OpenStack Keystone Pike Project Update

•Download as PPTX, PDF•

0 likes•175 views

Lance Bragstad

Colleen Murphy and I gave the Pike Project update in Boston at the OpenStack summit, May 2017.

Engineering

Pike Project Update
Lance Bragstad (@LanceBragstad)
Colleen Murphy (@_colleenm)

What is OpenStack Identity?
What was accomplished in Ocata?
What are we achieving in Pike?
Looking ahead to Queens and Rocky

What is OpenStack Identity?
a shared service for authentication, authorization, and auditing
supplies identity information to end users and services
broker between OpenStack and other identity services
98% adoption rate

What was accomplished in Ocata?
eased the burden of long running operations
fernet tokens became the default
smarter use of revocation
improved PCI-DSS usability
multifactor authentication via time-based one-time passwords (TOTP)
federated auto-provisioning
version 3 API gate testing

What are we achieving in Pike?
registering and documenting default policies
unified limits
project tags
federated integration testing
integrating rolling upgrade tests

Looking ahead to Queens and Rocky
well-defined roles by default
improving policy security
hierarchical limits and quotas
API keys
native SAML support
account linking
continued integration testing

"Practice the 101 Percent Principle. Whenever possible, find the 1 percent you do agree on in
a difficult situation, and give it 100 percent of your effort."
John Maxwell

What's hot

NGSIv2 Overview for Developers that Already Know NGSIv1FIWARE

Amazon CI/CD Practices for Software Development Teams - SRV320 - Chicago AWS ...Amazon Web Services

Integrating Security Controls into the Development and Delivery PipelineAkamai Developers & Admins

Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible

Henrique Dantas - API fuzzing using SwaggerDevSecCon

Chaos Engineering: Why Breaking Things Should Be Practiced - AWS Developer Wo...Amazon Web Services

The Future of OpsTyler Treat

Spring on PAS - Fabio MarinelliVMware Tanzu

Static Analysis For Security and DevOps Happiness w/ Justin CollinsSonatype

The Observability PipelineTyler Treat

What's hot (10)

NGSIv2 Overview for Developers that Already Know NGSIv1

Amazon CI/CD Practices for Software Development Teams - SRV320 - Chicago AWS ...

Integrating Security Controls into the Development and Delivery Pipeline

Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...

Henrique Dantas - API fuzzing using Swagger

Chaos Engineering: Why Breaking Things Should Be Practiced - AWS Developer Wo...

The Future of Ops

Spring on PAS - Fabio Marinelli

Static Analysis For Security and DevOps Happiness w/ Justin Collins

The Observability Pipeline

Similar to OpenStack Keystone Pike Project Update

OpenStack Keystone Rocky Project UpdateLance Bragstad

OpenStack Keystone Stein Project UpdateLance Bragstad

Keystone Project OnboardingLance Bragstad

apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...apidays

From Monoliths to Microservices at Realestate.com.auevanbottcher

wepik-maximizing-efficiency-mastering-rest-api-implementation-20240419020545U...AllstuffRj

Recipes for a successful production cloudfoundry deployment - CF Summit 2014Vinícius Carvalho

Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...VMware Tanzu

Incorporating the AWS Well-Architected Framework into Your Architecture (ARC2...Amazon Web Services

Oracle API Platform Cloud Service Best Practices & Lessons Learntluisw19

Istio: Using nginMesh as the service proxyLee Calcote

apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhuapidays

Evaluating and Testing Web APIsSmartBear

Netflix MSA and PivotalVMware Tanzu Korea

Stop reinventing the wheel with Istio by Mete Atamel (Google)Codemotion

Dev309 from asgard to zuul - netflix oss-finalRuslan Meshenberg

OpenStack Summit Berlin - Keystone Project On-boardingLance Bragstad

AWS Serverless API Management - MeetupSamuel Vandecasteele

2016 06 - design your api management strategy - axway - Api ManagementSmartWave

2022 apidays LIVE Helsinki & North_Why webhook APIs are REST APIs perfect sid...apidays

Similar to OpenStack Keystone Pike Project Update (20)

OpenStack Keystone Rocky Project Update

OpenStack Keystone Stein Project Update

Keystone Project Onboarding

apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...

From Monoliths to Microservices at Realestate.com.au

wepik-maximizing-efficiency-mastering-rest-api-implementation-20240419020545U...

Recipes for a successful production cloudfoundry deployment - CF Summit 2014

Cloud Foundry Cookbook: Recipes for a Successful Cloud Foundry Deployment in ...

Incorporating the AWS Well-Architected Framework into Your Architecture (ARC2...

Oracle API Platform Cloud Service Best Practices & Lessons Learnt

Istio: Using nginMesh as the service proxy

apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu

Evaluating and Testing Web APIs

Netflix MSA and Pivotal

Stop reinventing the wheel with Istio by Mete Atamel (Google)

Dev309 from asgard to zuul - netflix oss-final

OpenStack Summit Berlin - Keystone Project On-boarding

AWS Serverless API Management - Meetup

2016 06 - design your api management strategy - axway - Api Management

2022 apidays LIVE Helsinki & North_Why webhook APIs are REST APIs perfect sid...

Recently uploaded

Past, Present and Future of Generative AIabhishek36461

Instrumentation, measurement and control of bio process parameters ( Temperat...121011101441

Electronically Controlled suspensions system .pdfme23b1001

Application of Residue Theorem to evaluate real integrations.pptx959SahilShah

Introduction to Machine Learning Unit-3 for II MECHC Sai Kiran

Earthing details of Electrical Substationstephanwindworld

Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncssuser2ae721

Introduction-To-Agricultural-Surveillance-Rover.pptxk795866

CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani

Indian Dairy Industry Present Status and.pptMadan Karki

9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Low Rate Call Girls In Saket, Delhi NCR

INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEroselinkalist12

welding defects observed during the weldingMuhammadUzairLiaqat

Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774

Design and analysis of solar grass cutter.pdfTagore Institute of Engineering And Technology

Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgsaravananr517913

lifi-technology with integration of IOT.pptxsomshekarkn64

TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catcherssdickerson1

Oxy acetylene welding presentation note.eptoze12

CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfAsst.prof M.Gokilavani

Recently uploaded (20)

Past, Present and Future of Generative AI

Instrumentation, measurement and control of bio process parameters ( Temperat...

Electronically Controlled suspensions system .pdf

Application of Residue Theorem to evaluate real integrations.pptx

Introduction to Machine Learning Unit-3 for II MECH

Earthing details of Electrical Substation

Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync

Introduction-To-Agricultural-Surveillance-Rover.pptx

CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf

Indian Dairy Industry Present Status and.ppt

9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf

INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE

welding defects observed during the welding

Arduino_CSE ece ppt for working and principal of arduino.ppt

Design and analysis of solar grass cutter.pdf

Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg

lifi-technology with integration of IOT.pptx

TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers

Oxy acetylene welding presentation note.

CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf

OpenStack Keystone Pike Project Update

1. Pike Project Update Lance Bragstad (@LanceBragstad) Colleen Murphy (@_colleenm)

2. What is OpenStack Identity? What was accomplished in Ocata? What are we achieving in Pike? Looking ahead to Queens and Rocky

3. What is OpenStack Identity? What was accomplished in Ocata? What are we achieving in Pike? Looking ahead to Queens and Rocky

4. What is OpenStack Identity? a shared service for authentication, authorization, and auditing supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate

5. What is OpenStack Identity? a shared service for authentication, authorization, and auditing supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate

6. What is OpenStack Identity? a shared service for authentication, authorization, and auditing supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate

7. What is OpenStack Identity? a shared service for authentication, authorization, and auditing supplies identity information to end users and services broker between OpenStack and other identity services 98% adoption rate

8. What is OpenStack Identity? What was accomplished in Ocata? What are we achieving in Pike? Looking ahead to Queens and Rocky

9. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing

10. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing

11. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing

12. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing

13. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing

14. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing

15. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing

16. What was accomplished in Ocata? eased the burden of long running operations fernet tokens became the default smarter use of revocation improved PCI-DSS usability multifactor authentication via time-based one-time passwords (TOTP) federated auto-provisioning version 3 API gate testing

17. What is OpenStack Identity? What was accomplished in Ocata? What are we achieving in Pike? Looking ahead to Queens and Rocky

18. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests

19. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests

20. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests

21. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests

22. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests

23. What are we achieving in Pike? registering and documenting default policies unified limits project tags federated integration testing integrating rolling upgrade tests

24. What is OpenStack Identity? What was accomplished in Ocata? What are we achieving in Pike? Looking ahead to Queens and Rocky

25. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing

26. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing

27. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing

28. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing

29. "Practice the 101 Percent Principle. Whenever possible, find the 1 percent you do agree on in a difficult situation, and give it 100 percent of your effort." John Maxwell

30. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing

31. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing

32. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing

33. Looking ahead to Queens and Rocky well-defined roles by default improving policy security hierarchical limits and quotas API keys native SAML support account linking continued integration testing

Editor's Notes

(Lance)
(Lance) Intended Audience: Operators Product people People I'm not expecting to attend: Developers (I think the list of developers in attendance is going to be ultra short) Approach the entire presentation with the end state of Operators and Product people at the forefront. What do operators want to know? What is changing that will impact how I operator/use keystone? Is there anything new that will allow me automate things? Is there anything I'm using now that might be going away soon? Why is it going away? What do product people to know? What is going to get my existing customer base excited? Is there anything new compliance-wise that I can use to net new customers? What usability improvements have been made? Don't start with credentials or facts and figures. Start with a story if possible/applicable. https://www.youtube.com/watch?v=e80BbX05D7Y
(Colleen; 2 - 4 minutes)
(Colleen)
(Colleen)
(Colleen)
(Colleen) We could say we have a 98% adoption rate within OpenStack deployments as of the last User Survey (which came out recently - this might help give attendees a frame of reference as to when the metric was taken) The first email I got about the user survey was from Heidi (from the Foundation) in February.
(Colleen; 5 - 7 minutes)
(Colleen; 5 - 7 minutes)
(Colleen; 5 - 7 minutes) For a long time operators have had the problem of needing to run long-running operations that involve service-to-service communication, and in the middle of the operation the user's keystone token would expire, causing the services to reject the token and interrupt the operation. People were working around this by increasing the lifetime of tokens but that doesn't always work and longer token lifetimes are inherently less secure. We've eased the problem by allowing services to present users' just-expired tokens in conjunction with special service tokens to other services so that when a user starts a job with a valid token the token can be used to finish the job.
(Colleen; 5 - 7 minutes) Traditional UUID tokens were stored in a database Fernet tokens were introduced in kilo, non-persistent format means no replication across clusters, improved scalability, lower database traffic, easier database management with positive feedback from operators at the Austin summit we made them the default
(Colleen; 5 - 7 minutes) The work that we did making fernet ready to be the default token provider forced us to really think about how we were dealing with tokens and in the process of simplifying how tokens are validated we were able to clean up a lot of unnecessary revocation events and help reduce the flood of notifications
(Colleen; 5 - 7 minutes) In previous cycles we added account controls so that operators could satisfy PCI Data Security Standards. This cycle we built on that work to make it easier to use, by creating an API for password requirements so that tools like horizon could easily query, display, and validate password complexity requirements creating an API that enables tooling for admins to search for users with expired passwords. enhancing PCI-related notifications with reasons for the notifications (example: user is locked out for too many failed auth attempts) Samuel’s talk is on Thursday at 4:10 PM Hynes Convention Center - Level 3 - MR 311. This should be promoted since he'll be talking about PCI and it will serve as a good presentation for folks interested in it. A lot of it will relate to the Ocata release. https://www.openstack.org/summit/boston-2017/summit-schedule/events/18281/security-hardening-pci-dss-and-security-compliance-within-keystone
(Colleen; 5 - 7 minutes) We now have the ability to enhance user account security by requiring multiple authentication mechanisms on a per-user basis, such as password plus time-based one-time passcode We avoided adding this for a while because we pushed the responsibility onto external identity services, but users wanted this feature for non-federated users
(Colleen; 5 - 7 minutes) There used to be no straightforward way to assign federated users roles in projects, now we're able to use mapping rules to link users to projects before they've logged in and even have projects created automatically created for them
(Colleen; 5 - 7 minutes) We're making the v3 API the default in our integration gate testing v3 == the domain-aware API hard-coded assumptions have made this hard going to ensure stability in this API version and get us further down the road of deprecating the v2 API
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes) think nova and neutron resource tags implemented according to the API WG guidelines
(Lance; 5 - 7 minutes) framework for integration testing is in place now we need to build out the coverage
(Lance; 5 - 7 minutes) rolling upgrades have been around since newton last thing we need to do to assert the rolling upgrade tag
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes)
(Lance; 5 - 7 minutes) OpenStack has evolved over the last 5 years, policy hasn't Provide better defaults upstream
(Lance; 5 - 7 minutes) Today we violate the principle of least privilege Fixing policy is going to be an OpenStack-wide effort Outline to roadmap so we can work on policy together Per API Role Based Access Control with Adam and Kristi Tomorrow at 4:30 in the convention center room 311
(Lance; 5 - 7 minutes) Building on the unified limits approach Provides consistent quota usage across OpenStack
(Lance) Policy and quotas have been problems across OpenStack for a long time We're finally making progress as a group Finding the actual things we agree on Focusing on the things we have in common instead of conflict
(Lance; 5 - 7 minutes) Specification has been proposed Result of decoupling authentication from your identity Native API key support is a possible next step Improved security
(Lance; 5 - 7 minutes) Bring up a use case here (like domain admin) to make this easier for folks to understand. This would make it so keystone doesn't need new configs when adding new identity providers. Instead a domain admin could add new identity providers via the API. Domain admin case
(Lance; 5 - 7 minutes) federation ldap local sql users seamless experience
(Lance; 5 - 7 minutes) Performance and integration are things we care about Continued theme moving forward now that we have the framework
(Lance; leave 10 minutes) Time to take comments and questions.

OpenStack Keystone Pike Project Update

Recommended

Recommended

More Related Content

What's hot

What's hot (10)

Similar to OpenStack Keystone Pike Project Update

Similar to OpenStack Keystone Pike Project Update (20)

Recently uploaded

Recently uploaded (20)

OpenStack Keystone Pike Project Update

Editor's Notes