book

Identity, Authentication, and Access Management in OpenStack

by Steve Martinelli, Henry Nash, Brad Topol

December 2015

Beginner

130 pages

3h 8m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
PrologueConventions Used in This BookUsing Code ExamplesSafari® Books OnlineHow to Contact UsAcknowledgments
Introduction
Identity, Authentication, and Access Management Capabilities of KeystoneIdentityAuthenticationAccess Management (Authorization)Keystone’s Primary Benefits
1. Fundamental Keystone Topics
1.1 Keystone Concepts1.1.1 What’s a Project?1.1.2 What’s a Domain?1.1.3 Users and User Groups (Actors)1.1.4 Roles1.1.5 Assignment1.1.6 Targets1.1.7 What’s a Token?1.1.8 What’s a Catalog?1.2 Identity1.2.1 SQL1.2.2 LDAP1.2.3 Multiple Backends1.2.4 Identity Providers1.2.5 Use Cases for Identity Backends1.3 Authentication1.3.1 Password1.3.2 Token1.4 Access Management and Authorization1.5 Backends and Services1.6 FAQs
2. Let’s Use Keystone!
2.1 Getting DevStack2.2 Basic Keystone Operations Using OpenStackClient2.2.1 Getting a Token2.2.2 Listing Users2.2.3 Listing Projects2.2.4 Listing Groups2.2.5 Listing Roles2.2.6 Listing Domains2.2.7 Creating Another Domain2.2.8 Create a Project within the Domain2.2.9 Create a User within the Domain2.2.10 Assigning a Role to a User for a Project2.2.11 Authenticating as the New User2.3 Basic Keystone Operations Using Horizon2.3.1 What Keystone Operations Are Available through Horizon?2.3.2 Accessing the Identity Operations2.3.3 List, Set, Delete, Create, and View a Project2.3.4 List, Set, Delete, Create, and View a User2.4 Tips, Common Pitfalls, and TroubleshootingCheck Your Scope: A Common Authentication ProblemCheck Your Policy and Role: A Common Authorization ProblemGetting Additional Information
3. Token Formats
3.1 History of Keystone Token Formats3.2 UUID Tokens3.3 PKI Tokens3.4 Fernet Tokens3.5 Tips, Common Pitfalls, and Troubleshooting3.5.1 UUID Token Performance Degradation for Authentication Operations3.5.2 Using PKI Token and Swift or Horizon Not Working?
4. LDAP
4.1 Approach to LDAP Integration4.2 Configuring Keystone to Integrate with LDAP4.2.1 Other Keystone Configuration Options in Classic LDAP Support4.3 Multiple Domains and LDAP4.3.1 Requirements for Multi-Domain Corporate Directory Support4.3.2 Setting Up Multi-Domain Using the Configuration File–Based Approach4.3.3 Setting Up Multi-Domain Using the Keystone API–Based Approach4.3.4 Restrictions When Using Multi-Domain IdentityUse SQL for the Default DomainUse LDAP for All Domains, Except an SQL Service DomainUse LDAP for All Domains4.4 A Practical Guide to Using Multi-Domains and Keystone4.4.1 Setting Up LDAP4.4.2 Running Admin Commands4.4.3 Running LDAP User Commands4.4.4 Authenticating with Horizon4.5 Projects, Roles, and Assignments from LDAP (Just Say NO!)4.6 Tips, Common Pitfalls, and Troubleshooting4.6.1 General LDAP Issues4.6.2 Tips for Using Multi-Domain LDAP
5. Federated Identity
5.1 Approach to Federation5.1.1 Leveraging Existing Technology5.1.2 Keystone-Specific Federation Concepts5.2 Translating User Attributes to Keystone Concepts5.2.1 OpenID Connect Claims5.2.2 SAML Assertions5.2.3 The Mapping Engine5.2.4 Mapping Rules5.3 Authentication Flow: What’s It Look Like?5.4 Single Sign-OnSingle Sign-On Flow5.5 A Practical Guide to Federating Identities for IBM WebSphere Liberty and Bluepages5.5.1 Download, Install, and Configure IBM WebSphere Liberty5.5.2 Configuring Keystone to Use OpenID Connect5.5.3 Testing It All Out5.6 A Practical Guide to Setting Up SSO with Google5.6.1 Configure Keystone to Use OpenID Connect5.6.2 Configure Horizon for Single Sign-On5.6.3 Let’s See It with Screenshots!5.7 Tips, Common Pitfalls, and TroubleshootingEnsure All Libraries Are InstalledKnown Limitations of Social Media LoginsUsing SAML from the Command Line
6. Future Work
6.1 Multi-Factor Authentication6.2 Integration with Horizon for Multi-Region Keystone to Keystone Federation Support6.3 Using LDAP as a Federated Identity Provider6.4 Replacement of Service Users with X.509 Certificates and Barbican Integration6.5 Centralized Policy and Distribution6.6 Integrating with Other Technologies
Index

Content preview from Identity, Authentication, and Access Management in OpenStack

Chapter 1. Fundamental Keystone Topics

In this chapter we provide an introduction to the basic foundations of Keystone. We start with an overview of Keystone Projects and Domains, which are abstractions used to group and isolate resources. We then discuss how Keystone supports Users and User Groups and how Roles can be assigned to Users and User Groups on both a Project and Domain basis. We then introduce how Keystone utilizes Tokens and provides Service Catalogs. Next, we describe Keystone’s Identity service and the types of Identity backends that can be leveraged by Keystone. We then conclude this chapter with in-depth descriptions of Keystone’s Authentication and Access Management (Authorization) capabilities.

1.1 Keystone Concepts

Keystone itself has several concepts that are specific to its model and how it relates to OpenStack as a whole. These are Identity and Authorization related concepts, but their focus is on how Keystone implements Authorization, Access Management, and Discovery.

1.1.1 What’s a Project?

In Keystone, a Project is an abstraction used by other OpenStack services to group and isolate resources (e.g., servers, images, etc.). In the early days of OpenStack, Keystone Projects were originally referred to as Tenants but this was changed to Projects, a more intuitive name for this concept. It is probably fair to say that the most fundamental purpose of Keystone is to be the registry of Projects and to be able to articulate who should have access to those Projects. ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Developing Applications with Azure Active Directory: Principles of Authentication and Authorization for Architects and Developers

Manas Mayank, Mohit Garg

Publisher Resources

ISBN: 9781491941249Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design