integrating keystone with large scale centralized
play

Integrating Keystone with Large-scale Centralized Authentication - PowerPoint PPT Presentation

Dec 11, 2023 •554 likes •870 views

Integrating Keystone with Large-scale Centralized Authentication Ken Holden Chris Janiszewski OpenStack Solutions Architect OpenStack Solutions Architect kholden@redhat.com chris.openstack@redhat.com blog: holdenthecloud.com blog:

  1. Integrating Keystone with Large-scale Centralized Authentication Ken Holden Chris Janiszewski OpenStack Solutions Architect OpenStack Solutions Architect kholden@redhat.com chris.openstack@redhat.com blog: holdenthecloud.com blog: chrisj.cloud

  2. Agenda Level set ● Benefits ● Issues and Bottlenecks ● Best Practices ● Tuning and Results ●

  3. Level Set Authentication and Authorization ● Keystone ● Tokens ● LDAP ● Domains ● Kerberos and SSO ●

  4. Authentication and Authorization Keystone (OpenStack Identity Service) ● Methods of Authentication ● Authorization tokens ● Transport Layer Security (TLS) with X.509 ●

  5. Keystone .. provides identity, token, catalog, and policy services for use specifically by services in the OpenStack family Features: External authentication ● Federation ● Multi-factor authentication ● Considerations: Invalid login attempts ● No enforcement policies on password strength, expiration ●

  6. Tokens generated for authorization and access ● default value for expiry is one hour ● often passed within the structure of a larger ● context Token types: ● UUID ○ PKI and PKIZ ○ FERNET ○

  7. LDAP The Lightweight Directory Access Protocol ● (LDAP) - is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network LDAP simplifies integration of Identity ● authentication Identity service MUST NOT be allowed to write ● to LDAP services

  8. Domains Keystone V2 Keystone V3 * *Pictures found on Matt’s Dorn Blog - http://madorn.com/keystone-v3-api.html#.WwM2hXWUvgk

  9. Kerberos Keystone can now be executed in a web ● server like Apache HTTPD The Kerberos ticket-granting ticket can ● be used to securely provide tickets for a given service Web server handle authentication is not ● exclusive Web server can provide support for X.509 ● or Kerberos authentication Keystone provides support for password ● authentication (with SQL or LDAP)

  10. Identity Service: Authentication Mechanisms Carnival Ticket Booth vs. Kerberos (server) TGT Grants a ticket called a ● Ticket Granting Ticket (TGT) which says which services you have access to. This ticket also has an expiration called a Time-To-Live (TTL). You present the TGT to the ● service you want access to and the service will use that to determine if you can access the service.

  11. LDAP Benefits Consolidated repository ● Simplified management ● Ideal for multiple OpenStack Deployments with ● shared resources Performance of LDAP vs SQL ● SSL/TLS ● Back-end database flexibility ● Well-defined client API ● Decoupling of the roles ●

  12. LDAP Considerations Few people understand LDAP ● No writes allowed ● Is OpenStack a front end for your users? ● Very strict schema ● Performance considerations ●

  13. Issues and Bottlenecks Token Performance ● LDAP Size ● Database ● Horizon Dashboard ● LDAP response ●

  14. Generally a good idea NOT to... Enable Debug and Verbosity - Impact can be significant ● Use slow hard drives for Controller’s OS and Databases ● Use non-secured APIs, Dashboard, and LDAP queries ●

  15. Tokens The faster you can request tokens, the faster OpenStack responds ● Fernet tokens offer superior performance over UUID ●

  16. Just say No to UUID Who remembers the good old days when OpenStack started to crawl ? # du -sh /var/lib/mysql/keystone 149G /var/lib/mysql/keystone MariaDB [keystone]> select count(*) from token; +----------+ | count(*) | +----------+ | 20717136 | Number of UUID tokens +----------+

  17. Where do I query? Active Directory DNS: Use Domain Name ● url = ldaps://example.com Or obtain a list of Domain Controllers from DNS via SRV Records dig -t SRV _ldap.tcp.example.com LDAP: list multiple LDAP servers ● url = ldaps://ldap1,ldaps://ldap2

  18. Limit number of LDAP records Do all 100,000+ users REALLY need access to OpenStack? ● Keystone doesn’t always cleanup after itself ● MariaDB [keystone]> select count(*) from id_mapping; +----------+ | count(*) | +----------+ | 129052 | Number of LDAP Accounts without filtering +----------+ MariaDB [keystone]> select count(*) from id_mapping; +----------+ | count(*) | +----------+ | 129052 | Number doesn’t decrease when adding filtering later +----------+

  19. LDAP - Filtering Filtering users and groups ● user_filter = (&(|(memberOf=CN=OpenStack-Admins)(memberOf=CN=OpenStack-Users))) group_filter = (&(objectClass=Group)(&(|(cn=OpenStack)(cn=OpenStack-Admins)(cn=OpenSt ack-Users)))) Using AND / OR ● (&(|(memberOf=foo)(memberOf=bar))) (&(memberOf=for)(memberOf=bar)) Active Directory Nested groups ● (memberOf:1.2.840.113556.1.4.1941:=cn=OpenStack)

  20. ldapsearch Member of group1 OR group2 ● ldapsearch -LLL -H ldap://example.com -E pr=2/noprompt -b 'dc=example,dc=com' -D 'example\USER' -w PASSWORD '(&(|(memberOf=CN=OpenStack-Admins)(memberOf=CN=OpenStack-Users)))' Member of group1 AND group2 ● ldapsearch -LLL -H ldap://example.com -E pr=2/noprompt -b 'dc=example,dc=com' -D 'example\USER -w PASSWORD '(&(memberOf=CN=OpenStack-Admins)(memberOf=CN=OpenStack-Users))' Members of Active Directory Nested Group ● ldapsearch -LLL -H ldap://example.com -E pr=2/noprompt -b 'dc=example,dc=com' -D 'example\USER -w PASSWORD '(&(objectClass=organizationalPerson)(sAMAccountName=*)(memberOf: 1.2.8 40.113556.1.4.1941 :=cn=OpenStack))'

  21. LDAP Tuning - Pagination Default value is 0 which disables paging $ ldapsearch -LLL -H ldap://ldapserver.domain.com \ -b ' dc=domain,dc=com ' -D ' DOMAIN\USERNAME ' \ -w PASSWORD |grep sAMAccountName |wc -l Size limit exceeded (4) 825 $ ldapsearch -LLL -H ldap://ldapserver.domain.com \ -E pr=1/noprompt -b ' dc=domain,dc=com ' \ -D ' DOMAIN\USERNAME ' \ -w PASSWORD |grep sAMAccountName |wc -l 10052

  22. LDAP Debug View how keystone queries LDAP by enabling debug ● crudini --set keystone.conf ldap debug_level 3 crudini --set keystone.conf DEFAULT insecure_debug true crudini --set keystone.conf DEFAULT debug true # restart keystone Watch the magic... ● tail -f /var/log/keystone/keystone.log | grep LDAP\ search filterstr=(&(sAMAccountName=kholden)(&(|(memberOf=CN=OpenStack-Admins,OU=People, DC=lab,DC=lan)(memberOf=CN=OpenStack-Users,OU=People,DC=example,DC=com)))(object Class=person)) attrs=['sAMAccountName', 'userPassword', 'userAccountControl', 'mail', 'description'] attrsonly=0 Disable debug when done ●

  23. Keystone Pooling Keystone Pooling ● Decrease load on Domain Controller especially with TLS ○ Separate pool for User Authentication ○ use_auth_pool requires use_pool enabled ○ crudini --set keystone.DOMAIN.conf ldap use_pool True crudini --set keystone.DOMAIN.conf ldap pool_size 200 crudini --set keystone.DOMAIN.conf ldap pool_retry_max 20 crudini --set keystone.DOMAIN.conf ldap pool_retry_delay 0.1 crudini --set keystone.DOMAIN.conf ldap pool_connection_timeout -1 crudini --set keystone.DOMAIN.conf ldap pool_connection_lifetime 600 crudini --set keystone.DOMAIN.conf ldap use_auth_pool True crudini --set keystone.DOMAIN.conf ldap auth_pool_size 1000 crudini --set keystone.DOMAIN.conf ldap auth_pool_connection_lifetime 60 # restart keystone

  24. Keystone Caching Enable Keystone Caching with memcached backend ● systemctl enable memcached && systemctl start memcached crudini --set keystone.conf cache enabled true crudini --set keystone.conf cache backend dogpile.cache.memcached crudini --set keystone.conf cache backend_argument url: LOCAL_IP :11211 crudini --set keystone.conf catalog caching true crudini --set keystone.conf domain_config caching true crudini --set keystone.conf federation caching true crudini --set keystone.conf revoke caching true crudini --set keystone.conf role caching true crudini --set keystone.conf token caching true crudini --set keystone.conf token cache_on_issue true crudini --set keystone.conf identity caching true crudini --set keystone.conf identity cache_time 600 # restart keystone

  25. Results

  28. Meanwhile, in the real world... Challenges with Implementation ● Proxies in front of Domain Controllers ○ Firewalled Domain Controllers ○ Omitted Distinguished Names to save licensing costs ○ Service Account Password Change ○ Certificate / CA change ○ Changes require keystone restart ○ Fernet Token rotation ○ The Defiant Windows Admin ○

  29. Multi-site Multiple OpenStack Environments with One LDAP ● Unique IDs for roles, Domains, and Projects are unique to each ○ site Determine Project, Domain and Role IDs from one site and ○ update other sites with same IDs (BACKUP DB FIRST) select * from project where name='PROJECT_NAME'; select * from project where name='DOMAIN_NAME'; select * from project where name='ROLE_NAME'; update project set id='SITE1_PROJECT_ID' where name='PROJECT_NAME'; update project set id='SITE1_DOMAIN_ID' where name='DOMAIN_NAME'; update project set id='SITE1_ROLE_ID' where name='ROLE_NAME';

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Integrating national items into questionnaires of international large scale studies: The case

Integrating national items into questionnaires of international large scale studies: The case

10 13 September, 2018, Penang, Malaysia Capacity development workshop Conceptualization, Measurement and Use of Contextual Data Integrating national items into questionnaires of international large scale studies: The case of Iran Dr.

217 views • 17 slides
A Decentralized Solution for Integrating Large Scale UAS Operations into Future Aviation System

A Decentralized Solution for Integrating Large Scale UAS Operations into Future Aviation System

ICAO DRONE ENABLE/2 Symposium Chengdu, China September 13, 2018 White Paper Presentation A Decentralized Solution for Integrating Large Scale UAS Operations into Future Aviation System Presentation is Developed in Technical Collaboration with

269 views • 8 slides
SoilTrEC Soil Transformations in European Catchments Coordinating Action: Large-Scale Integrating

SoilTrEC Soil Transformations in European Catchments Coordinating Action: Large-Scale Integrating

SoilTrEC Soil Transformations in European Catchments Coordinating Action: Large-Scale Integrating Project Grant Agreement No. 244118 Coordinator: Steve Banwart, U. Sheffield, UK and Prof. Nikolaos Nikolaidis, Technical U. Crete SoilTrEC

455 views • 29 slides
Seamlessly Integrating Software & Hardware Modelling for Large-Scale Systems Toby Myers,

Seamlessly Integrating Software & Hardware Modelling for Large-Scale Systems Toby Myers,

Seamlessly Integrating Software & Hardware Modelling for Large-Scale Systems Toby Myers, Peter Fritzson and R. Geoff Dromey Overview The Software-Hardware Integration Problem A Brief Introduction to Behavior Engineering

577 views • 26 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Matching Using LSH Forest Michael Cochez * 1st International KEYSTONE Conference * Industrial

Matching Using LSH Forest Michael Cochez * 1st International KEYSTONE Conference * Industrial

Balanced Large Scale Knowledge Matching Using LSH Forest Michael Cochez * 1st International KEYSTONE Conference * Industrial Ontologies Group, Vagan Terziyan * University of Jyvskyl (Finland), Vadim Ermolayev ** michael.cochez@jyu.fi IKC

592 views • 36 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA Masters level course: Chalmers MPALG and MPSOF programmes (DAT345) GU Applied Data Science programme (DIT871) Learning outcomes include:

305 views • 18 slides
An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of U.S. Government Employees DC-AAPOR Summer Conference Preview/Review Bureau of Labor Statistics Conference Center Washington DC Washington, DC

1.17k views • 25 slides
Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E. Santos-Neto, L. Costa, M. Ripeanu. IEEE TPC, 2014 Sami (sa894) - R244: Large-scale data processing and optimization Efficient Large-Scale Graph Processing on

381 views • 25 slides
BREEAM Communities Integrating sustainability into masterplanning Part of the BRE Trust

BREEAM Communities Integrating sustainability into masterplanning Part of the BRE Trust

Protecting People, Property and the Planet BREEAM Communities Integrating sustainability into masterplanning Part of the BRE Trust BREEAM Communities is A standard to improve the design of large-scale developments An holistic

313 views • 7 slides
Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Census: Location-Aware Membership Management for Large-Scale Distributed Systems James Cowling Dan R. K. Ports Barbara Liskov Raluca Ada Popa Abhijeet Gaikwad* MIT CSAIL *cole Centrale Paris Motivation Large-scale distributed systems

606 views • 48 slides
Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale electronic voting protocol: Primarily Internet-based Users voting from their own devices (such as home PC/laptop) Aimed toward actual

721 views • 21 slides
Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame

Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame

Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame Yahiaoui Outlook BGP: Border Gateway Protocol Large Scale Simulation: motivations Large Scale BGP Simulation Model Realistic Topologies

550 views • 17 slides
Dalma Capital Dalma Investment Banking Services Presentation October 2018 1 Dalma Investment

Dalma Capital Dalma Investment Banking Services Presentation October 2018 1 Dalma Investment

Dalma Capital Dalma Investment Banking Services Presentation October 2018 1 Dalma Investment Banking Services Overview 2 Dalma Capital Management Limited Dalma Capital is a global alternative investment platform and accelerator for alpha

483 views • 19 slides
Mobile Ticketing for All Transit Agencies By Sam Daly Founder, Token Transit Presentation

Mobile Ticketing for All Transit Agencies By Sam Daly Founder, Token Transit Presentation

Mobile Ticketing for All Transit Agencies By Sam Daly Founder, Token Transit Presentation Overview 1- Why mobile ticketing 2- Mobile ticketing launch learnings 3- Case Studies from Reno, Humboldt County and Lincoln, NE Dispel a few questions

435 views • 30 slides
Contextual Access and Multi-Factor Authentication Lessons learned on getting past single-factor

Contextual Access and Multi-Factor Authentication Lessons learned on getting past single-factor

Conference 2018 Contextual Access and Multi-Factor Authentication Lessons learned on getting past single-factor authentication! Panelists Corey Scholefield - Team Lead, Identity Services Wendy Blake Director, Network and Technical Services

519 views • 33 slides
dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh,

dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh,

dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh, November 2007 Nov 13-14, 2007, Edinburgh SRM 2.2 Workshop 1 Project Topology : The Team Head of dCache.ORG Head of Development FNAL : Timur

281 views • 11 slides
w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

Aditus Luxury Access Platform for Crypto A ffl uents Presentation 21 Nov 2017 w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals Crypto-currency values have been the best performing asset class

206 views • 19 slides
SUSE Manager Under the Hood Silvio Moioli, Developer, moio@suse.com Ral Osuna

SUSE Manager Under the Hood Silvio Moioli, Developer, moio@suse.com Ral Osuna

SUSE Manager Under the Hood Silvio Moioli, Developer, moio@suse.com Ral Osuna Snchez-Infante, Technical Support Engineer, rosuna@suse.com Silvio Moioli Ral Osuna Snchez-Infante Developer Technical Support Engineer Good morning, my

838 views • 39 slides
Karma Economy of Trust What is Karma? A platform

Karma Economy of Trust What is Karma? A platform

Karma Economy of Trust What is Karma? A platform for creating social and economic interaction between people all over the world: from pawnshop to charity, from loans to direct exchange of goods

402 views • 18 slides
These slides: https: / / www.grc.com/ sqrl-presentation.pdf Robust Pseudonymous Identity for the

These slides: https: / / www.grc.com/ sqrl-presentation.pdf Robust Pseudonymous Identity for the

These slides: https: / / www.grc.com/ sqrl-presentation.pdf Robust Pseudonymous Identity for the Internet (A Practical Username & Password Replacement) S Q R L S ecure Q uick R eliable L ogin A simple, straightforward, open, intellectual

668 views • 51 slides

More recommend