What's new in Havana--Keystone
What’s New In OpenStack Havana
Webcast October 2013
OpenStack Identity Service
Keystone
Role-based Access Control (RBAC)
• More granular policies
• Can be based on aspects of the request such as API request parameters
"identity:delete_user": [["role:admin",
                          "domain_id:%(target.user.domain_id)s"]]
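An added example (not from the webcast and not Keystone's own policy engine) that models how the rule above is evaluated: the caller must hold the admin role and be scoped to the same domain as the user being deleted. The function names, the shape of the `creds` dictionary (`roles` and `domain_id` taken from the token scope) and the sample IDs are assumptions made for illustration.

```python
# Simplified model of the legacy list-of-lists policy format:
# the outer list is OR, each inner list is AND. Not Keystone's engine.
POLICY = {
    "identity:delete_user": [["role:admin",
                              "domain_id:%(target.user.domain_id)s"]],
}

# Constructed sample credentials and targets (hypothetical IDs).
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "d1"}
DOMAIN_MEMBER = {"roles": ["member"], "domain_id": "d1"}
USER_IN_D1 = {"user": {"id": "u1", "domain_id": "d1"}}
USER_IN_D2 = {"user": {"id": "u2", "domain_id": "d2"}}


def flatten(obj, prefix="target"):
    """{"user": {"domain_id": "d1"}} -> {"target.user.domain_id": "d1"}."""
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def check(term, flat_target, creds):
    kind, _, match = term.partition(":")
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        expected = match % flat_target   # fill in %(target...)s from the request
    except KeyError:
        return False                     # attribute missing: fail closed
    return kind in creds and expected == str(creds[kind])


def enforce(action, target, creds, policy=POLICY):
    rule = policy.get(action)
    if not rule:
        return False  # assumption of this model: no rule means deny
    flat = flatten(target)
    return any(all(check(t, flat, creds) for t in group) for group in rule)


if __name__ == "__main__":
    print(enforce("identity:delete_user", USER_IN_D1, DOMAIN_ADMIN))  # True
    print(enforce("identity:delete_user", USER_IN_D2, DOMAIN_ADMIN))  # False
```

The second call shows the effect of the `domain_id` term: an admin scoped to one domain cannot delete a user that belongs to another.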
Role handling
• Assign roles via OAuth 1.0a
• Domain roles can be inherited from project
• Group API
Separate projects etc. from authentication
• Projects, roles, etc. follow “assignments” driver
• Users, groups, etc. follow “identity” driver
• Credentials follow “credentials” driver
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
Keystone
Token generation
• Currently PKI or UUID
• Can now be pluggable
• keystone.token.provider.Provider interface can be custom implemented
Remote handling of authentication through REMOTE_USER
• Sent by the web server as an environment variable
• Can be disabled (remove "external" from plug-ins list)