Table of Contents
As I have mentioned in my previous blog, in the next blog we will cover remaining topics related to the Keystone like its identity service and different types of identity backends. We will also be discussing the capabilities of authentication and authorization of keystone.
As mentioned earlier, Actors are provided by the Identity Service. From various locations, these identities present in the cloud come but they are not restricted to SQL, Associated Identity Providers and LDAP.
Let’s discuss these in detail one by one:
As we have already discussed, Keystone consists of various options for storing actors i.e. users and groups and one of them is the SQL, which provides support through databases that involve MySQL, PostgreSQL, and DB2. The configuration file of the Keystone should contain the settings for the databases, as it also stores the information like name, password as well as the description. For enterprise customers, Keystone acting as an Identity Provider is not considered as the best condition.
Advantages of utilizing SQL identity option:
1. Easily setup.
2. OpenStack APIs are used for managing the users and the user groups.
Disadvantages of utilizing SQL identity option:
It is possible for the Keystone to revoke as well as store the users and the user groups in Lightweight Directory Access Protocol because Keystone can fetch the LDAP in the similar way some other applications use it like Email, logging in to system and web applications.
As mentioned earlier, the settings required for connecting to the LDAP are mentioned in the configuration file of the Keystone. This file also contains the information that, it is possible for the Keystone to write to the LDAP or whether it can only read the LDAP data. Preferably it is considered that LDAP should execute the read operations only like user and the user group lookup through search and also the authentication through bind.
Keystone requires fewer amounts of privileges for using the LDAP if LDAP is used only as a read-only identity backend. For example, The Keystone requires the read privilege for the user and the user group attributes which are specified in the Keystone’s configuration file i.e. keystone.conf, it also requires anonymous access i.e. an unprivileged account and the access to the password hashes is not required for the Keystone.
LDAP identity option also has some advantages and disadvantages as mentioned below:
Advantages:
Disadvantages:
The multiple identity backends for the V3 Identity API are supported by the Keystone due to which an arrangement can have only one backend or the identity source for each keystone domain. SQL backend is the default domain and it is normally used for host service accounts, which are the accounts that are used by different OpenStack services for interacting with the Keystone.
It is possible to host different additional LDAP backend in their personal domain. The inspiration behind supporting multiple identity backends is that the LDAP administrators could not be the same organization like the OpenStack deployment team in an enterprise setting, therefore, constructing service accounts in the LDAP is mostly unexpected.
It is found that LDAP is mostly limited to be used just for employee information. It is now possible to use multiple LDAPs due to the advantage of a systematical separation between domain and the identity backends. Therefore in the situation of a company merger or if the different LDAPs are used by the different departments then also it will represent the same enterprise.
Advantages:
Disadvantages:
For more than one dependable identity providers it is possible for the Keystone to use up associated authentication through Apache modules. Keystone stores these users and these users are treated as temporary. The users who are associated, their attributes are linked into role assignments which are group based. If considered from the point of view of the Keystone, an identity provider is an origin of identities which may direct to the software which is supported by different backends like MongoDB, LDAP, etc. or by different Social media logins like Facebook, Twitter, etc.
Especially, an Identity provider is software, for example, Tivoli Federated Identity Manager by IBM, which extracts the backends and converts the different attributes of the user into the format of a commonly associated identity protocol like SAML, etc. This connects very well with the Keystone’s higher plan of offloading the authentication and related to the identity parts of a service which previously carries out in an enterprise.
The identity provider approach offers many advantages and minimum disadvantages. These are as follows:
Advantages:
Disadvantages:
As mentioned earlier, for authenticating with the Keystone service, different ways are used and undoubtedly there are two most popular ways are:
1. providing the password and
2. with the help of token.
Here we are emphasizing these two ways of authentication with the help of presenting the data needed in a Keystones’ POST request and also their normal movement between the user, Keystone, and additional OpenStack services.
Providing a password is the most popular method used by a user or a service for authentication. Below we have shown a payload which is just an example POST request to the Keystone. This information is about the complete payload which will be useful to the readers so that they will identify the information which is required for authentication.
It is important to remember that the payload related to the request should consist of sufficient information to locate where does the user exists, how to authenticate the user and alternatively, on the basis of the user’s permissions based on the project revoke the service catalog.
The succeeding user must have domain related information like either the domain name or the ID so that the user section will identify him, or the users’ widely distinct ID can be used in this scenario which is enough for identifying the user. It is allowed because, in more than one domain installment, it may be possible that there is more than one user with similar names, so appropriate observation is required to check which user is authenticated.
As mentioned already, the scope section is optional but still, it is used often because a user will not be capable of retrieving a service catalog without the scope and it also represents which project the user wants to work up against. The request gets rejected if the user doesn’t have any role on that specific project.
Same as the user section, the scope section should have sufficient information regarding the project for identifying it therefore also the differences throughout the domain. Also, we have already seen that the project ID is always unique and if that is specified then the domain information is not required.
Same as above, it is possible for a user to request a new token by allotting the existing token. As compared to the password equivalent, the payload of token POST request involves minimum code. Different reasons are there for why a token would be used for revoking another like if a token will soon expire then it needs to be refreshed or for changing an unscoped token into a scoped token.
One of the important reasons for Keystone being important to the OpenStack is controlling access and authorizing which APIs can be used by a user. How the Keystone deals with this problem are by creating an RBAC i.e. Role-based Access Control policy which is being imposed on every endpoint of public API. A file named policy.json stores these RBAC policies on the disk.
Let’s better understand this concept, with an example:
The left-hand key is referred to as a target and the right-hand value is referred to rules. The targets are stated at the top of the file which is used for estimation of different targets and here only we describe what is an admin, an owner or anyone.
The rule that controls the API starts with “identity:” and states a secured controller.
For securing the new targets, we take help of already setup targets.
We use the already established targets to protect the new targets. It is necessary to know the minute difference between categorizing all the projects and categorizing only a user’ projects i.e. categorizing all projects must be an admin only operation and the policy associated with it is written as per that. Categorizing all the projects a user has permission to, must not be limited only to the admins, but also to the user which has a role related to that project.
The identity backends and services are summarized in the following picture, in which the green part denotes the backends which are normally SQL, the pink part indicates backends which are normally LDAP or SQL, the blue part indicates SQL or Memcache and at last, the policy is served from a file. These are the most popularly used Keystone services, regardless of these services, there are some other Keystone services.
Also read:-
Due to growing digitalization, Email Communication has become the backbone of professional interactions. Yet, surprisingly, many professionals struggle to craft…
As the digital landscape continues to evolve, securing your website has never been more crucial. SSL, or Secure Sockets Layer,…
As a web designer and web developer your experience must have reached to new height, right? Further, you need to…
In today's digital landscape, timing is everything. Whether you're a social media manager, business owner, or content creator, the success…
Are you a website owner? Maintaining the website is the prime concern for any website owner. Yes, it’s equally important…
View Comments