原文链接: https://www.mirantis.com/blog/understanding-openstack-authentication-keystone-pki/

The latest stable release of OpenStack, codenamed Grizzly, revolutionizes the way user authentication works. You

may have read some of the few articles available on this new authentication scheme. This post attempts to capture

the full scope of this new feature. It focuses not on how Keystone issues tokens but rather the later stage, where

existing tokens are used by clients to sign their API calls. These requests are later validated by OpenStack API

endpoints. You’ll see first why you need tokens and then how PKI tokens can be used by OpenStack API endpoints

to conduct user token verification without explicit calls to Keystone. We begin by explaining how clients connect to

OpenStack.

OpenStack, APIs, and clients

So where does OpenStack begin and end? The users will say that it’s their cloud GUI or CLI. From the architectural

perspective, however, OpenStack middleware ends on its API endpoints: nova-api, glance-api, and so on—they all

expose their APIs over http. You can connect to these APIs using different clients. Clients can be either certified by

a cloud vendor and deployed on its infrastructure (for example, a Horizon instance) or installed anywhere else (a

python-novaclient installed on any laptop, pointing to a remote nova-api).

This boundary implies one important condition. Since the clients can reside anywhere, they cannot be trusted. Any

request coming from them to any OpenStack API endpoint needs to be authenticated before it can be processed

further.

Tokens—what they are and why you need them

So what do you have to do in this case? Does that mean you should supply each single API request with a

username and password? Not so easy. Or maybe store them in some environment variables? Insecure. The answer

to this is tokens. Tokens have one significant plus: they are temporary and short lived, which means it is safer to

cache them on clients than username/password pairs.

In general, a token is a piece of data given to a user by Keystone upon providing a valid username/password

combination. As said above, what is closely related to a token is its expiration date (which typically is hours or even

minutes). The user client can cache the token and inject it into an OpenStack API request. The OpenStack API

endpoints take the token out of user requests and validate it against the Keystone authentication backend, thereby

confirming the legitimacy of the call.

We’ll now turn your attention to two token approaches—Universally Unique IDentifier (UUID) and Public Key

Infrastructure (PKI) tokens—and their evolution, so to speak.

UUID tokens (Folsom and older)

The diagram below shows how tokens were originally generated by Keystone and then used by the client to “sign”

every subsequent API request.

Based on supplied username/password pair (we assume it’s correct in this scenario and on the diagram):

  • Keystone would:

    • Generate a UUID token.
    • Store the UUID token in its backend.
    • Send a copy of the UUID token back to the client.
  • The client would cache the token.
  • The UUID would be then passed along with each API call by the client.
  • Upon each user request, the API endpoint would send this UUID back to Keystone for validation.
  • Keystone would take the UUID and match it against its auth backend (check UUID string, expiration date).
  • Keystone would return “success” or “failure” message to the API endpoint.

As you can see from the above diagram, for each user call the API endpoints need to conduct online verification

with the Keystone service. Imagine thousands of clients performing VM listings, network creation, and so on. This

activity results in extensive traffic to the Keystone service. In fact, in production, Keystone proves to be one of the

most loaded OpenStack services on the network side, but Grizzly gets rid of this problem quite nicely.

Enter PKI tokens.

PKI tokens (Grizzly and on)

The diagram below shows how token validation is performed with the new method introduced in OpenStack’s

Grizzly release.

In general terms, with PKI tokens, Keystone is becoming a Certificate Authority (CA). It uses its signing key and

certificate to sign (not encrypt) the user token.

On top of that, each API endpoint holds a copy of Keystone’s:

  • Signing certificate
  • Revocation list
  • CA certificate

The API endpoints use these bits to validate the user requests. There is no need for direct request to Keystone with

each validation. What is verified instead is the signature Keystone puts on the user token and Keystone’s

revocation list. API endpoints use the above data to carry out this process offline.

PKI tokens under the hood

To use PKI tokens in Grizzly, we need to generate all the keys and certs. We can do that using the following

command:

keystone-manage pki_setup

This command generates the following files:

  • CA private key

    openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 1024 -config /etc/keystone/ssl/certs/openssl.conf
  • CA certificate 
    openssl req -new -x509 -extensions v3_ca -passin pass:None -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
  • Signing private key
  • openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 1024 -config /etc/keystone/ssl/certs/openssl.conf
  • Signing certificate 
    openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -nodes -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
    
openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -infiles /etc/keystone/ssl/certs/req.pem

Token generation and format

With PKI, Keystone now uses Cryptographic
Message Syntax (CMS). Keystone produces CMS token out of the

following data:

  • Service catalog
  • User roles
  • Metadata

An example of the input data follows:

{

   "access": {

       "metadata": {

           ....metadata goes here....

       },

       "serviceCatalog": [

           ....endpoints goes here....

       ],

       "token": {

           "expires": "2013-05-26T08:52:53Z",

           "id": "placeholder",

           "issued_at": "2013-05-25T18:59:33.841811",

           "tenant": {

               "description": null,

               "enabled": true,

               "id": "925c23eafe1b4763933e08a4c4143f08",

               "name": "user"

           }

       },

       "user": {

           ....userdata goes here....

       }

   }

}

The CMS token is just the above metadata in CMS format, signed with Keystone’s signing key. It typically takes the

form of a lengthy, seemingly random string:

MIIDsAYJKoZIhvcNAQcCoIIDoTCCA50CAQExCTAHBgUrDgMCGjCCAokGCSqGSIb3DQEHAaCCAnoEggJ2ew0KICAgICJhY2Nlc3MiOiB7DQogICAgICAgICJtZXRhZGF0YSI6IHsNCiAgICAgICAgICAgIC4uLi5tZXRhZGF0YSBnb2VzIGhlcmUuLi4uDQogICAgICAgIH0sDQogICAgICAgICJzZXJ2aWNlQ2F0YWxvZyI6IFsNCiAgICAgICAgICAgIC4uLi5lbmRwb2ludHMgZ29lcyBoZXJlLi4uLg0KICAgICAgICBdLA0KICAgICAgICAidG9rZW4iOiB7DQogICAgICAgICAgICAiZXhwaXJlcyI6ICIyMDEzLTA1LTI2VDA4OjUyOjUzWiIsDQogICAgICAgICAgICAiaWQiOiAicGxhY2Vob2xkZXIiLA0KICAgICAgICAgICAgImlzc3VlZF9hdCI6ICIyMDEzLTA1LTI1VDE4OjU5OjMzLjg0MTgxMSIsDQogICAgICAgICAgICAidGVuYW50Ijogew0KICAgICAgICAgICAgICAgICJkZXNjcmlwdGlvbiI6IG51bGwsDQogICAgICAgICAgICAgICAgImVuYWJsZWQiOiB0cnVlLA0KICAgICAgICAgICAgICAgICJpZCI6ICI5MjVjMjNlYWZlMWI0NzYzOTMzZTA4YTRjNDE0M2YwOCIsDQogICAgICAgICAgICAgICAgIm5hbWUiOiAidXNlciINCiAgICAgICAgICAgIH0NCiAgICAgICAgfSwNCiAgICAgICAgInVzZXIiOiB7DQogICAgICAgICAgICAuLi4udXNlcmRhdGEgZ29lcyBoZXJlLi4uLg0KICAgICAgICB9DQogICAgfQ0KfQ0KMYH/MIH8AgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChMFVW5zZXQxGDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0BAQEFAASBgEh2P5cHMwelQyzB4dZ0FAjtp5ep4Id1RRs7oiD1lYrkahJwfuakBK7OGTwx26C+0IPPAGLEnin9Bx5Vm4cst/0+COTEh6qZfJFCLUDj5b4EF7r0iosFscpnfCuc8jGMobyfApz/dZqJnsk4lt1ahlNTpXQeVFxNK/ydKL+tzEjg

The command used for this is:

openssl cms -sign -signer /etc/keystone/ssl/certs/signing_cert.pem -inkey /etc/keystone/ssl/private/signing_key.pem -outform PEM -nosmimecap -nodetach -nocerts -noattr

Token verification and expiration

As the diagram shows, PKI tokens enable Openstack API endpoints to conduct offline verification of token validity

by checking Keystone’s signature.

Three things should be validated:

  • Token signature
  • Token expiration date
  • Whether the token has been deleted (revoked)

CHECKING TOKEN SIGNATURE

In order to do check the signature, all of the API endpoints need Keystone certs. These files can be obtained

directly from the Keystone Service:

curl http://[KEYSTONE IP]:35357/v2.0/certificates/signing

curl http://[KEYSTONE IP]:35357/v2.0/certificates/ca

If the API service cannot find these files on its local disk, it will automatically download them from Keystone. The

following command is used to verify the signature on the token:

openssl cms -verify -certfile /tmp/keystone-signing-nova/signing_cert.pem -CAfile /tmp/keystone-signing-nova/cacert.pem -inform PEM -nosmimecap -nodetach -nocerts -noattr < cms_token

If the signature is valid, the above command returns the metadata contained in CMS, which is further consumed by

the API endpoint.

CHECKING TOKEN EXPIRATION DATE

One of the extracted metadata fields is token’s expiration date, which is compared against current time.

HANDLING DELETED TOKENS

The deletion of tokens is enforced by putting a given token onto a revocation list within the Keystone CA. By

default, this list is being updated (pulled from Keystone) by API endpoints every second from the following URL:

curl http://[KEYSTONE IP]:35357/v2.0/tokens/revoked

The form of the list is a plain json file:

{

   "revoked": [

       {

           "expires": "2013-05-27T08:31:37Z",

           "id": "aef56cc3d1c9192b0257fba1a420fc37"

       }


   ]

}

While “expires” field does not
need further explanation, the “id” field looks somewhat cryptic. It is the md5 hash

calculated out of the CMS user token: md5(cms_token).
API endpoints also calculate md5 hashes out of CMS

token received with user requests and search the matching md5-s on the “revoked
list. If no match is found, then

the token is considered to be valid.

Summary

OpenStack API endpoints can use PKI tokens to conduct user token verification without explicit calls to Keystone.

This can positively impact Keystone performance in the case of large installations where the number of user calls to

OpenStack APIs can be overwhelming. One caveat, however: PKI does not guarantee privacy of the tokens. It is

only used for signing, and not encryption. If you want to prevent tokens from being hijacked, you should secure all

of the API endpoints using the HTTPS protocol.

理解OpenStack认证:Keystone PKI的更多相关文章

  1. [转]Understanding OpenStack Authentication: Keystone PKI

    The latest stable release of OpenStack, codenamed Grizzly, revolutionizes the way user authenticatio ...

  2. Understanding OpenStack Authentication: Keystone PKI

    The latest stable release of OpenStack, codenamed Grizzly, revolutionizes the way user authenticatio ...

  3. OpenStack中Keystone的基本概念理解

    原文http://www.kankanews.com/ICkengine/archives/10788.shtml Keystone简介 Keystone(OpenStack Identity Ser ...

  4. 理解 OpenStack + Ceph (5):OpenStack 与 Ceph 之间的集成 [OpenStack Integration with Ceph]

    理解 OpenStack + Ceph 系列文章: (1)安装和部署 (2)Ceph RBD 接口和工具 (3)Ceph 物理和逻辑结构 (4)Ceph 的基础数据结构 (5)Ceph 与 OpenS ...

  5. OpenStack之Keystone模块

    一.Keystone介绍 OpenStack Identity(Keystone)服务为运行OpenStack Compute上的OpenStack云提供了认证和管理用户.帐号和角色信息服务,并为Op ...

  6. 003-官网安装openstack之-keystone身份认证服务

    以下操作均在控制节点进行 1.控制节点安装keystone服务 概念理解: Keystone是OpenStack框架中,负责身份验证.服务规则和服务令牌的功能, 它实现了OpenStack的Ident ...

  7. openstack核心组件——keystone身份认证服务(5)

    云计算openstack核心组件——keystone身份认证服务(5) 部署公共环境 ntp openstack mariadb-server rabbitmq-server memcache 1.w ...

  8. 理解 OpenStack 高可用(HA)(1):OpenStack 高可用和灾备方案 [OpenStack HA and DR]

    本系列会分析OpenStack 的高可用性(HA)概念和解决方案: (1)OpenStack 高可用方案概述 (2)Neutron L3 Agent HA - VRRP (虚拟路由冗余协议) (3)N ...

  9. 深入理解Openstack自动化部署

    前言 说实话,看到自己在博客园的排名感到惭愧,因为自己最近两年没有持续地在博客园上写技术博客了,有人私下问我是不是荒废了?翻翻15年和16年的博客,真的是少的可怜.一方面的确由于岗位的变化,导致了工作 ...

随机推荐

  1. wp8 longlistselector 动态加载datatemplate

    在做一个windows phone 8 即时通讯应用的时候,聊天界面的对话气泡. 需要根据不同的消息类型,加载对应的DataTemplate, 比如发送,接受,图片,语音,等气泡. 如下图所示 会话界 ...

  2. 2017ACM/ICPC广西邀请赛-重现赛(感谢广西大学)

    上一场CF打到心态爆炸,这几天也没啥想干的 A Math Problem Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 32768/3 ...

  3. 82. Spring Boot – 启动彩蛋【从零开始学Spring Boot】

    我们在[28. SpringBoot启动时的Banner设置 ] 这一小节介绍过设置Spring Boot的Banner,但是实际当中,我们希望做的更漂亮,所以也就有了这小节Spring Boot-启 ...

  4. 【bzoj4868】[Shoi2017]期末考试 前缀和+暴力

    题目描述 有n位同学,每位同学都参加了全部的m门课程的期末考试,都在焦急的等待成绩的公布.第i位同学希望在第ti天或之前得知所.有.课程的成绩.如果在第ti天,有至少一门课程的成绩没有公布,他就会等待 ...

  5. 【Luogu】P2059卡牌游戏(概率DP)

    题目链接 这绝壁是道紫难度的题 请移步xyz32678的题解. 设f[i][j]是有i个人参加了游戏,1是庄家,最后j胜出的概率. 我们可以发现,这个游戏影响胜出的概率的只有庄家的相对位置和人数,跟玩 ...

  6. 【线段树区间最值单点更新模板】BNUOJ 52965 E Excellent Engineers

    http://acm.bnu.edu.cn/v3/external/gym/101512.pdf #include<bits/stdc++.h> using namespace std; ...

  7. 转:WOM 编码与一次写入型存储器的重复使用

    转自:WOM 编码与一次写入型存储器的重复使用 (很有趣的算法设计)——来自 Matrix67: The Aha Moments 大神 计算机历史上,很多存储器的写入操作都是一次性的. Wikiped ...

  8. Spring的声明式事务管理<tx:advice/> 有关的设置

    <tx:advice/> 有关的设置 这一节里将描述通过 <tx:advice/> 标签来指定不同的事务性设置.默认的 <tx:advice/> 设置如下: 事务传 ...

  9. 【bzoj4004】【JLOI2015】装备购买 (线性基+高斯消元)

    Description 脸哥最近在玩一款神奇的游戏,这个游戏里有 n 件装备,每件装备有 m 个属性,用向量zi(aj ,.....,am) 表示 (1 <= i <= n; 1 < ...

  10. Contest Hunter #46 T1 磁力块 [分块]

    描述 在一片广袤无垠的原野上,散落着N块磁石.每个磁石的性质可以用一个五元组(x,y,m,p,r)描述,其中x,y表示其坐标,m是磁石的质量,p是磁力,r是吸引半径.若磁石A与磁石B的距离不大于磁石A ...