OpenStack Keystone in Tokyo: deprecations, deprecations, deprecations!
- November 17, 2015
PKI tokens, which were the first attempt to implement non-persistent tokens, are really close to be deprecated in favor of Fernet tokens. The LDAP assignment driver will be either removed or set to read-only mode after being deprecated for 2 cycles. The v2.0 API will be partially deprecated, leaving only authentication-related parts non-deprecated. Running keystone with eventlet will be removed in this cycle, which means that deployers will have to use WSGI servers, which are more secure and mature. This is a very good thing for keystone: a lot of old code is getting cleaned up and maintaining keystone becomes much easier for developers.
Fernet tokens are now the recommended type of tokens to use. They are small as UUID tokens and don’t require storage as PKI tokens. Their size does not depend on the size of Keystone catalog, however they store enough information to verify them. Before them it was challenging to achieve scalability and high availability of Keystone. Fernet tokens are designed with this issue in mind.
Although functional testing was discussed during last summit, it turned out that not everyone had the same vision of how it should be done: some saw it as “black-box” testing, when we test Keystone only as a REST service, some wanted the tests to check the state of underlying modules, such as database. This was re-evaluated and re-discussed and we decided to stick with the “black-box” approach.
Identity Federation is still a hot topic and is the future of keystone. We want to make Federation the first-class citizen of OpenStack. The default way for deploying Keystone should to be via Federation. A lot of work needs to be done and we have a lot of options what to do. We need to enhance our mapping engine, enhance ability to debug and troubleshoot issues with federation, get client-side support. That’s a lot of work, but it’s worth it -- it will make Keystone more scalable and will let deployers do cross-DC deployments more easily.
Work on tokenless auth with x.509 certificates is in progress: we want to stop storing service users whose only responsibility is to validate a token. This will be perfect for clouds, where users are stored in LDAP, because now operators have to configure an additional SQL backend for service users only.
Fernet tokens are now the recommended type of tokens to use. They are small as UUID tokens and don’t require storage as PKI tokens. Their size does not depend on the size of Keystone catalog, however they store enough information to verify them. Before them it was challenging to achieve scalability and high availability of Keystone. Fernet tokens are designed with this issue in mind.
Although functional testing was discussed during last summit, it turned out that not everyone had the same vision of how it should be done: some saw it as “black-box” testing, when we test Keystone only as a REST service, some wanted the tests to check the state of underlying modules, such as database. This was re-evaluated and re-discussed and we decided to stick with the “black-box” approach.
Identity Federation is still a hot topic and is the future of keystone. We want to make Federation the first-class citizen of OpenStack. The default way for deploying Keystone should to be via Federation. A lot of work needs to be done and we have a lot of options what to do. We need to enhance our mapping engine, enhance ability to debug and troubleshoot issues with federation, get client-side support. That’s a lot of work, but it’s worth it -- it will make Keystone more scalable and will let deployers do cross-DC deployments more easily.
Work on tokenless auth with x.509 certificates is in progress: we want to stop storing service users whose only responsibility is to validate a token. This will be perfect for clouds, where users are stored in LDAP, because now operators have to configure an additional SQL backend for service users only.
