OpenStack Keystone in Tokyo: deprecations, deprecations, deprecations!

Boris Bobrov - November 17, 2015

PKI tokens, which were the first attempt to implement non-persistent tokens, are very close to being deprecated in favor of Fernet tokens. The LDAP assignment driver will be either removed or set to read-only mode after having been deprecated for two cycles. The v2.0 API will be partially deprecated, leaving only the authentication-related parts non-deprecated. Running keystone under eventlet will be removed in this cycle, which means that deployers will have to use WSGI servers, which are more secure and mature. This is a very good thing for keystone: a lot of old code is getting cleaned up and maintaining keystone becomes much easier for developers.

Fernet tokens are now the recommended type of token to use. They are as small as UUID tokens and, like PKI tokens, don't require persistent storage. Their size does not depend on the size of the Keystone catalog, yet they carry enough information to be validated. Before them it was challenging to achieve scalability and high availability of Keystone; Fernet tokens are designed with this issue in mind.
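
As an added illustration of the property described above (validation needs only the signing keys, never a database lookup, and token size is independent of the catalog), here is a small stateless-token model. It is not Keystone's code and not the real Fernet construction: real Fernet encrypts the payload with AES-128-CBC and authenticates it with HMAC-SHA256, whereas this example only signs the payload with HMAC-SHA256 from the standard library so it runs anywhere. The key ring with a primary key plus older keys kept for validation is modelled after Keystone's primary/secondary key repository; the key ids, key bytes, user and project names are all constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key ring. The highest id is the primary (signing) key; older keys
# are kept only so that tokens issued before a rotation still validate.
KEYS = {
    2: b"constructed-primary-key-00000000",
    1: b"constructed-previous-key-0000000",
}
PRIMARY_KEY_ID = 2
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256


def _b64e(raw):
    # URL-safe base64 without padding, so the token is safe in headers and URLs.
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def issue_token(user_id, project_id, ttl=3600, now=None, key_id=PRIMARY_KEY_ID):
    """Build a self-describing token: key id || payload || HMAC tag.

    Nothing is written to a database; everything needed to validate the token
    later travels inside the token itself.
    """
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"u": user_id, "p": project_id, "exp": now + ttl},
        separators=(",", ":"),
    ).encode()
    body = bytes([key_id]) + payload
    tag = hmac.new(KEYS[key_id], body, hashlib.sha256).digest()
    return _b64e(body + tag).decode()


def validate_token(token, now=None):
    """Return the payload dict if the token is authentic and unexpired, else None.

    The validator only needs the key ring: no token table, no catalog lookup.
    """
    now = int(time.time()) if now is None else now
    try:
        raw = _b64d(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 1 + TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    key = KEYS.get(body[0])
    if key is None:  # unknown or retired key id
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        payload = json.loads(body[1:])
    except ValueError:
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    tok = issue_token("alice", "proj", now=1000)
    print(len(tok), "chars;", validate_token(tok, now=1001))
```

Because nothing is stored server-side, a token cannot be revoked by deleting a row: revoking it before `exp` needs a separate mechanism (Keystone uses revocation events for this), which is the trade-off to keep in mind when moving away from persistent tokens.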

Although functional testing was discussed during the last summit, it turned out that not everyone had the same vision of how it should be done: some saw it as "black-box" testing, in which we test Keystone only as a REST service, while others wanted the tests to check the state of underlying modules, such as the database. This was re-evaluated and re-discussed, and we decided to stick with the "black-box" approach.

Identity Federation is still a hot topic and is the future of keystone. We want to make Federation a first-class citizen of OpenStack. The default way of deploying Keystone should be via Federation. A lot of work needs to be done and we have many options for what to do: enhance our mapping engine, improve the ability to debug and troubleshoot federation issues, and get client-side support. That's a lot of work, but it's worth it: it will make Keystone more scalable and will let deployers do cross-DC deployments more easily.

Work on tokenless auth with X.509 certificates is in progress: we want to stop storing service users whose only responsibility is to validate a token. This will be perfect for clouds where users are stored in LDAP, because today operators have to configure an additional SQL backend just for the service users.
