
OpenStack Keystone in Tokyo: deprecations, deprecations, deprecations!

Boris Bobrov - November 17, 2015

PKI tokens, which were the first attempt to implement non-persistent tokens, are very close to being deprecated in favor of Fernet tokens. The LDAP assignment driver will be either removed or set to read-only mode after having been deprecated for 2 cycles. The v2.0 API will be partially deprecated, leaving only the authentication-related parts non-deprecated. Running keystone under eventlet will be removed in this cycle, which means that deployers will have to use WSGI servers, which are more secure and mature. This is a very good thing for keystone: a lot of old code is getting cleaned up, and maintaining keystone becomes much easier for developers.

Fernet tokens are now the recommended type of token to use. They are as small as UUID tokens and, like PKI tokens, don't require persistent storage. Their size does not depend on the size of the Keystone catalog, yet they carry enough information to be verified on their own. Before them it was challenging to achieve scalability and high availability of Keystone; Fernet tokens are designed with this issue in mind.
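To make the "no storage, self-verifying" property concrete, here is an added example that is not keystone's code and does not reproduce the Fernet format itself: it stands in a stdlib HMAC-SHA256 tag for Fernet's AES-CBC-plus-HMAC construction, and every key, user id, project id and timestamp is constructed for the demonstration. The point it shows is the one the paragraph makes: a persistent (UUID-style) token can only be validated by the store that issued it, whereas a self-describing token is validated with the key alone, its size is fixed regardless of catalog size, and tampering or expiry is detected without any lookup.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Constructed demo key. A real deployment generates and rotates its own keys.
SECRET_KEY = bytes(range(32))


class PersistentTokenStore:
    """UUID-style tokens, for contrast: the token is an opaque random id, so every
    validation has to consult the store that issued it (a database in keystone)."""

    def __init__(self) -> None:
        self._tokens: dict = {}

    def issue(self, user_id: str, project_id: str) -> str:
        token_id = uuid.uuid4().hex
        self._tokens[token_id] = {"user_id": user_id, "project_id": project_id}
        return token_id

    def validate(self, token_id: str) -> Optional[dict]:
        # Without this store (or a replica of it) the id means nothing.
        return self._tokens.get(token_id)


def mint_token(key: bytes, user_id: str, project_id: str,
               ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Build a self-contained token: base64(payload) '.' base64(HMAC-SHA256).

    The payload carries only what validation needs (subject, scope, expiry).
    The service catalog is deliberately not embedded, so the token does not
    grow with the deployment the way PKI tokens did.
    """
    issued_at = int(now if now is not None else time.time())
    payload = {
        "user_id": user_id,
        "project_id": project_id,
        "issued_at": issued_at,
        "expires_at": issued_at + ttl_seconds,
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def validate_token(key: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Validate using only the key: no database or cache is consulted.

    Returns the payload on success, None if the token is malformed, the MAC
    does not match (wrong key or modified payload), or the token has expired.
    """
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        payload = json.loads(body)
        expires_at = int(payload["expires_at"])
    except (ValueError, KeyError, TypeError):
        return None
    current = now if now is not None else time.time()
    if current >= expires_at:
        return None
    return payload


def tampered_copy(token: str, new_project_id: str) -> str:
    """Re-encode the payload with a different scope but keep the original MAC.
    Used below to show that the validator rejects such a token."""
    body_b64, tag_b64 = token.split(".")
    payload = json.loads(base64.urlsafe_b64decode(body_b64))
    payload["project_id"] = new_project_id
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + tag_b64


if __name__ == "__main__":
    tok = mint_token(SECRET_KEY, "user-1", "project-a", ttl_seconds=60, now=1000)
    print("valid now:", validate_token(SECRET_KEY, tok, now=1030))
    print("expired:", validate_token(SECRET_KEY, tok, now=1060))
    print("tampered:", validate_token(SECRET_KEY, tampered_copy(tok, "project-b"), now=1030))
```

Run it directly to see the three outcomes. The length of a minted token depends only on the id and timestamp fields, which is the property that lets validation nodes scale out without sharing a token database; what keystone's Fernet implementation adds beyond this sketch is encryption of the payload and a key-rotation scheme, which the page does not cover.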

Although functional testing was discussed during the last summit, it turned out that not everyone had the same vision of how it should be done: some saw it as "black-box" testing, where we test Keystone only as a REST service, while others wanted the tests to check the state of underlying modules, such as the database. This was re-evaluated and re-discussed, and we decided to stick with the "black-box" approach.

Identity Federation is still a hot topic and is the future of keystone. We want to make Federation a first-class citizen of OpenStack. The default way of deploying Keystone should be via Federation. A lot of work needs to be done, and we have a lot of options for what to do: we need to enhance our mapping engine, improve the ability to debug and troubleshoot federation issues, and get client-side support. That's a lot of work, but it's worth it — it will make Keystone more scalable and will let deployers do cross-DC deployments more easily.

Work on tokenless auth with X.509 certificates is in progress: we want to stop storing service users whose only responsibility is to validate a token. This will be perfect for clouds where users are stored in LDAP, because today operators have to configure an additional SQL backend just for service users.
