Preface

Prologue

A key aspect of setting up a cloud, whether it be private, public, or dedicated, is ensuring that access to cloud resources is controlled and that security is in place. For OpenStack environments, the focal point for securing the cloud is Keystone, OpenStack's Identity service. Keystone provides many key functions, such as authenticating users and determining which resources those users are authorized to access.

Keystone started from humble beginnings. In the early days, it provided basic user management and constructs for organizing access to resources. As enterprise customers became more interested in OpenStack, it became readily apparent that Keystone needed significant enhancements to meet their demanding requirements before it would be adopted in the enterprise.

Early enterprise requirements were focused on improving Keystone's Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory support. Enterprise customers want to reuse their existing identity-management tools and don't want a separate new identity tool to manage their OpenStack users. Support was added to ensure Keystone could reuse existing LDAP and Active Directory servers that were read-only and contained only user and group information. Next, secure connections were added so Keystone could connect to LDAP and Active Directory servers over TLS rather than sending credentials and directory queries in the clear.

This basic support for ease of integration with existing enterprise identity managers helped OpenStack to distinguish itself from competing cloud infrastructures. It then led to a second phase of advanced enterprise integration where customers demanded support for integration with multiple LDAPs and Active Directories. This feature was critical for large enterprises that, through means such as acquisitions, had multiple identity servers they needed to support. Also as part of this phase, customers started requesting true federated identity support whereby they expected Keystone to integrate with federated identity-management tools that supported well-known and standard identity protocols such as the Security Assertion Markup Language (SAML) and OpenID Connect. Around this time Keystone started to add audit support to better enable it to meet the compliance requirements of many enterprise customers.

With the foundations of federated support in place, Keystone has moved to its current phase, focusing on federated support for hybrid clouds: multiple Keystones can now work together using standard federated protocols to support interoperable hybrid clouds. In this book, we describe all of these enhancements. We begin by providing an overview of how to perform basic Keystone operations, and we provide concrete examples using the latest version (v3) of the Keystone Identity API. We then cover Keystone's support for multiple token formats and describe how its preferred token formats have evolved over time. After we discuss these fundamentals, we move on to the advanced topics of LDAP integration and federation. We conclude with a discussion of future work for Keystone.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic

Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width

Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold

Shows commands or other text that should be typed literally by the user.

Constant width italic

Shows text that should be replaced with user-supplied values or by values determined by context.

Tip

This element signifies a tip or suggestion.

Note

This element signifies a general note.

Warning

This element indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, if example code is listed in this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Identity, Authentication, and Access Management in OpenStack by Steve Martinelli, Henry Nash, and Brad Topol (O’Reilly). Copyright 2015 Steve Martinelli, Henry Nash, and Brad Topol, 978-1-491-94120-1.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at .

Safari® Books Online

Note

Safari Books Online is an on-demand digital library that delivers expert content in both book and video form from the world’s leading authors in technology and business.

Technology professionals, software developers, web designers, and business and creative professionals use Safari Books Online as their primary resource for research, problem solving, learning, and certification training.

Safari Books Online offers a range of plans and pricing for enterprise, government, education, and individuals.

Members have access to thousands of books, training videos, and prepublication manuscripts in one fully searchable database from publishers like O’Reilly Media, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, Course Technology, and hundreds more. For more information about Safari Books Online, please visit us online.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

  • O’Reilly Media, Inc.
  • 1005 Gravenstein Highway North
  • Sebastopol, CA 95472
  • 800-998-9938 (in the United States or Canada)
  • 707-829-0515 (international or local)
  • 707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at http://www.oreilly.com/catalog/0636920045960.

To comment or ask technical questions about this book, send email to .

For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.

Find us on Facebook: http://facebook.com/oreilly

Follow us on Twitter: http://twitter.com/oreillymedia

Watch us on YouTube: http://www.youtube.com/oreillymedia

Acknowledgments

We would like to thank the entire OpenStack Keystone community for their passion, dedication, and tremendous commitment to the Keystone project. Without the code developers, code reviewers, and operators contributing to the project over the years, Keystone would not have the rich feature set and large adoption it has today.

We would also like to thank our OpenStack Keystone colleagues, Dolph Mathews, Morgan Fainberg, Brant Knudson, Lance Bragstad, Jamie Lennox, David Stanek, Adam Young, Joe Heck, Marek Denis, Nathan Kinder, and Lin Hua Cheng for the wonderful collaboration over the years.

A very special thanks to Dr. Angel Luis Diaz, Todd Moore, and Vince Brunssen for all of their support and encouragement during this endeavor.

—Steve, Henry, and Brad
