OpenStack GDL : Hacking Keystone | 20 October 2014

Hacking Keystone Victor Morales @electrocucarach

Post on 02-Jul-2015


DESCRIPTION

Presentation used during the October session of OpenStack GDL

TRANSCRIPT

Page 1: OpenStack GDL : Hacking Keystone | 20 October 2014

Hacking Keystone

Victor Morales

@electrocucarach

Page 2

Agenda

• Context

• What is keystone?

• History

• Demo

– keystone-manage

– keystone-all

– Installation (operator perspective)

– Installation (developer perspective)

Page 3

Cloud computing is a specialized form of distributed computing that introduces utilization models for remotely provisioning scalable and measured IT resources.


Page 4

Service Models

Page 5

Deployment models

Page 6

OpenStack is a cloud operating system that controls large pools of compute, storage, and networking resources throughout a data center, all managed through a dashboard …


Page 7

Page 8

Page 9

Definition

Keystone is the identity service used by OpenStack for authentication (authN) and high-level authorization (authZ). It currently supports token-based authN and user-service authorization.

If you're interested in identity for OpenStack, we hold public meetings weekly on IRC in #openstack-meeting, on Tuesdays at 18:00 UTC.

Page 10

Releases

• Essex: Supports S3 token validation and additional Swift storage features

• Folsom: PKI support for authentication

• Grizzly: New API (v3)

• Havana: General performance improvements

• Icehouse: The assignments backend has now been completely separated from the identity backend

• Juno: Multiple identity backends; LDAPs now available; Keystone-to-Keystone federation (experimental)

Page 11

API

• catalog

• ec2-credentials – create, delete, get, list

• endpoint – create, delete, get, list

• password – update

• role – create, delete, get, list

• service – create, delete, get, list

• tenant – create, delete, get, list

• token – get

• user – create, delete, get, list, update, password-update

• user-role – add, list, remove

• discover

• bootstrap

• bash-completion

Page 12

keystone-all

It starts both the service and administrative APIs in a single process to provide catalog, authorization, and authentication services for OpenStack.

--config-dir DIR
Path to a config directory to pull *.conf files from

--config-file PATH
Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence.

Page 13

keystone-manage

It’s the command line tool which interacts with the Keystone service to initialize and update data within Keystone. Generally, keystone-manage is only used for operations that cannot be accomplished with the HTTP API, such as data import/export and database migrations.

Available commands:

• db_sync: Sync the database.

• db_version: Print the current migration version of the database.

• mapping_purge: Purge the identity mapping table.

• pki_setup: Initialize the certificates used to sign tokens.

• saml_idp_metadata: Generate identity provider metadata.

• ssl_setup: Generate certificates for SSL.

• token_flush: Purge expired tokens.

Page 14

Installation 1/2

• Operator perspective (Ubuntu):

# echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/icehouse main" >> /etc/apt/sources.list.d/icehouse.list

# apt-get update

# apt-get -y install ubuntu-cloud-keyring

# apt-get update

# apt-get -y install keystone

Configure /etc/keystone/keystone.conf

# keystone-manage db_sync

# service keystone restart

Page 15

Installation 2/2

• Developer perspective :

$ sudo apt-get install -y git screen python-pip python-virtualenv python-dev libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev libffi-dev

$ git clone https://github.com/openstack/keystone.git

$ cd keystone

$ python tools/install_venv.py

$ mv etc/keystone.conf.sample etc/keystone.conf

Configure /etc/keystone/keystone.conf

$ tools/with_venv.sh bin/keystone-manage db_sync

$ screen -dmS "keystone_service" tools/with_venv.sh bin/keystone-all
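As an added example (not part of the slides or the Keystone project), a shell helper for the "Configure /etc/keystone/keystone.conf" step that both installation slides leave open. The sample file contents, the database URL and the token value are constructed placeholders; the two keys set follow the Icehouse install guide (database connection and admin_token), and the ldap/token keys in the usage are assumed to exist in the sample file.

```shell
#!/bin/sh
# Added example, not from the slides. keystone.conf is INI-style and the
# shipped sample keeps most keys commented out ("#connection=sqlite:..."),
# so blindly appending leaves duplicate, commented copies behind.
# set_conf FILE SECTION KEY VALUE replaces the first active or commented
# KEY in [SECTION], or appends it (creating the section if missing).
set_conf() {
    file=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        /^\[/ {                       # section header: flush if leaving [s]
            if (in_s && !found) { print k " = " v; found = 1 }
            in_s = ($0 == ("[" s "]"))
        }
        in_s && !found && $0 ~ ("^#?[ \t]*" k "[ \t]*=") {
            print k " = " v; found = 1; next
        }
        { print }
        END {
            if (!found) {
                if (!in_s) { print ""; print "[" s "]" }
                print k " = " v
            }
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_conf FILE SECTION KEY: print the active (uncommented) value of KEY.
get_conf() {
    awk -v s="$2" -v k="$3" '
        /^\[/ { in_s = ($0 == ("[" s "]")) }
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub("^[^=]*=[ \t]*", ""); print; exit
        }' "$1"
}

# configure_keystone FILE DB_URL ADMIN_TOKEN: the two settings the Icehouse
# install guide asks for before "keystone-manage db_sync". admin_token is
# the shared-secret bootstrap credential for the admin API, so it must be
# an unguessable value rather than the sample's "ADMIN".
configure_keystone() {
    set_conf "$1" database connection "$2"
    set_conf "$1" DEFAULT admin_token "$3"
}

# write_sample_conf FILE: constructed stand-in for etc/keystone.conf.sample.
write_sample_conf() {
    printf '%s\n' '[DEFAULT]' '#admin_token=ADMIN' '#bind_host=0.0.0.0' '' \
        '[database]' '#connection=sqlite:///keystone.db' '' '[token]' \
        '#expiration=3600' > "$1"
}
```

Running configure_keystone twice leaves a single active line per key, so the helper is safe to re-run after a package upgrade replaces the file.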