What's new in Havana--Keystone

What’s New In OpenStack Havana Webcast October 2013


Part of the "What's New in Havana" Webinar, these slides show what's new in Keystone.

Transcript of What's new in Havana--Keystone

Page 1: What's new in Havana--Keystone

What’s New In OpenStack Havana

Webcast October 2013

Page 2: What's new in Havana--Keystone

OpenStack Identity Service

Keystone


Page 3: What's new in Havana--Keystone

Keystone

Role-based Access Control (RBAC)

•  More granular policies

•  Can be based on aspects of the request such as API request parameters

"identity:delete_user": [["role:admin", "domain_id:%(target.user.domain_id)s"]]
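
A simplified evaluator for the rule above, added here as an illustration; it is not Keystone's policy engine and not part of the slides. It assumes the list-of-lists semantics (outer list is OR, inner list is AND), that the request target is flattened into dotted keys, and that actions without a rule are denied; the `creds` and `target` values are constructed.

```python
import json

# Rule from the slide. Assumed semantics: outer list = OR, inner list = AND.
POLICY = json.loads(
    '{"identity:delete_user":'
    ' [["role:admin", "domain_id:%(target.user.domain_id)s"]]}'
)

def flatten(data, prefix=""):
    """{"target": {"user": {"domain_id": "d1"}}} -> {"target.user.domain_id": "d1"}"""
    flat = {}
    for key, value in data.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + key + "."))
        else:
            flat[prefix + key] = value
    return flat

def check(term, creds, flat_target):
    kind, _, match = term.partition(":")
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        expected = match % flat_target  # fills %(target.user.domain_id)s
    except KeyError:
        return False  # attribute missing from the request: deny
    return kind in creds and str(creds[kind]) == expected

def enforce(action, creds, target):
    rule = POLICY.get(action)
    if rule is None:
        return False  # assumption: actions without a rule are denied
    flat = flatten(target)
    return any(all(check(t, creds, flat) for t in conj) for conj in rule)

# Constructed sample data (not from the slides).
ADMIN_D1 = {"roles": ["admin"], "domain_id": "d1"}
MEMBER_D1 = {"roles": ["member"], "domain_id": "d1"}
USER_IN_D1 = {"target": {"user": {"id": "u1", "domain_id": "d1"}}}
USER_IN_D2 = {"target": {"user": {"id": "u2", "domain_id": "d2"}}}

if __name__ == "__main__":
    print(enforce("identity:delete_user", ADMIN_D1, USER_IN_D1))   # same domain
    print(enforce("identity:delete_user", ADMIN_D1, USER_IN_D2))   # other domain
    print(enforce("identity:delete_user", MEMBER_D1, USER_IN_D1))  # no admin role
```

The second term is what scopes an admin to their own domain: with only "role:admin" in the rule, the cross-domain delete would also be allowed.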


Page 4: What's new in Havana--Keystone

Keystone

Role handling

•  Assign roles via OAuth 1.0a

•  Domain roles can be inherited from project

•  Group API


Page 5: What's new in Havana--Keystone

Keystone

Separate projects etc. from authentication

•  Projects, roles, etc. follow “assignments” driver

•  Users, groups, etc. follow “identity” driver

•  Credentials follow “credentials” driver

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

Page 6: What's new in Havana--Keystone

Keystone

Token generation

•  Currently PKI or UUID

•  Can now be pluggable

•  keystone.token.provider.Provider interface can be custom implemented


Page 7: What's new in Havana--Keystone

Keystone

Remote handling of authentication through REMOTE_USER

•  Sent by the web server as an environment variable

•  Can be disabled (remove "external" from plug-ins list)
