Posted: 14-Apr-2017 | Category: Technology | Uploaded by: rahul-krishna-upadhyaya
Multi-tenancy for Docker Containers with Keystone
Satya Routray, Rahul Upadhyay, Anantha Padmanabhan CB, Meenakshi Lakshmanan
27 Apr 2016
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Current authorization mechanism
• Username / Password based authentication
• Allows user to run any docker command
• Or view all provisioned containers
• No limit on number of containers / resources used
Why multitenancy?
We can use standalone Keystone to provide multitenancy to Docker.
• Multitenancy allows users to view/manage only the containers they provisioned
• Enables Role Based Access Control (RBAC)
• Enables administrator to specify quota – pay as you go model
• Can utilize Keystone’s ability to support multiple backend domains
• Single sign-on and hierarchical multitenancy
• Not only user-to-container authorization, but also service-to-service authorization for services running across different containers
Keystone services
• Identity – Credential validation
• Resources – Data about Projects and Domains
• Assignment – Roles and Roles-to-Resource assignments
• Token – Manages tokens
• Catalog – Registry of services and end points
• Policy – Rule based authorization
Authentication mechanisms
UUID Tokens
• UUID
• Persistent
PKI & PKIZ Tokens (from Grizzly)
• Public Key Infrastructure – certificate based
• More informative payload but size is huge
• Persistent
Fernet Tokens (from Juno)
• Non-persistent & symmetric key encryption
• 85% faster than UUID and 89% faster than PKI
UUID tokens
[Sequence diagram: Client, API, Token service (Keystone), Keystone Backend]
Token generation
• Client sends User/Pass to the API, which forwards them to Keystone
• Keystone verifies the credentials, generates a UUID and stores it in the Keystone Backend
• The UUID is returned to the client, which caches it locally
API call validation request
• Client sends the API request + UUID
• API extracts the UUID from the request and sends a validation request to Keystone
• Keystone checks the UUID and its expiry date against the backend
API call validation response
• Valid? Yes: process request, 2xx HTTP, update request status
• Valid? No: reject request, 4xx HTTP, display request error
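The token generation and validation sequence on this slide, as an added example that is not part of the original deck: a small Python model with a Keystone-side persistent UUID token store and an API-side handler that extracts the token from an X-Auth-Token header, asks the store to validate it, and maps the answer to a 2xx or 4xx status. The class and function names, the sample user, the password hashing and the one-hour expiry are assumptions for the demo; revocation is included because a persistent token can be invalidated simply by deleting its row.

```python
"""Added example, not from the slides: a minimal model of the UUID token flow.

Keystone side: verify user/password, generate a UUID, store it with an expiry
(UUID tokens are persistent, so validation is a lookup in that store).
API side: extract the UUID from the request, ask Keystone to validate it, and
answer 2xx or 4xx. User records and requests are constructed sample data.
"""
import hashlib
import hmac
import uuid
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=1)   # assumed expiry window for the demo


def _hash(password):
    # Demo-only hashing; a real deployment uses a salted, slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


class KeystoneBackend:
    """Persistent token store: a UUID is valid only while its row exists and is unexpired."""

    def __init__(self, users):
        self._users = users        # {username: password hash}
        self._tokens = {}          # uuid -> (username, expiry)

    def authenticate(self, username, password, now):
        """Verify credentials; on success generate, store and return a UUID token."""
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash(password)):
            return None
        token = uuid.uuid4().hex
        self._tokens[token] = (username, now + TOKEN_LIFETIME)
        return token

    def validate(self, token, now):
        """Check the UUID exists and has not expired; return the username or None."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._tokens[token]    # expired rows are purged on first use
            return None
        return username

    def revoke(self, token):
        """Persistent tokens can be revoked by deleting the row."""
        self._tokens.pop(token, None)


class ApiService:
    """The API tier: pulls the UUID out of the request and defers to Keystone."""

    def __init__(self, keystone):
        self._keystone = keystone

    def handle(self, request, now):
        # request is a dict standing in for an HTTP request: {"headers": {...}, "path": "..."}
        token = request.get("headers", {}).get("X-Auth-Token")
        if not token:
            return 401, "missing X-Auth-Token"
        user = self._keystone.validate(token, now)
        if user is None:
            return 401, "invalid or expired token"          # reject request -> 4xx
        return 200, f"{user}: processed {request['path']}"  # process request -> 2xx


def run_demo():
    """Walk through the sequence on the slide and return the status codes observed."""
    t0 = datetime(2016, 4, 27, 9, 0, tzinfo=timezone.utc)
    keystone = KeystoneBackend({"alice": _hash("constructed-password")})
    api = ApiService(keystone)

    def req(tok):
        return {"headers": {"X-Auth-Token": tok} if tok else {}, "path": "/containers/json"}

    bad = keystone.authenticate("alice", "wrong", t0)                   # None: no token issued
    token = keystone.authenticate("alice", "constructed-password", t0)  # client caches this UUID
    ok = api.handle(req(token), t0)[0]                                  # 200
    missing = api.handle(req(None), t0)[0]                              # 401
    forged = api.handle(req(uuid.uuid4().hex), t0)[0]                   # 401: not in the store
    token2 = keystone.authenticate("alice", "constructed-password", t0)
    keystone.revoke(token2)
    revoked = api.handle(req(token2), t0)[0]                            # 401: row deleted
    expired = api.handle(req(token), t0 + timedelta(hours=2))[0]        # 401: past expiry
    return {"bad_password": bad, "ok": ok, "missing": missing, "forged": forged,
            "revoked": revoked, "expired": expired}


if __name__ == "__main__":
    print(run_demo())
```

Because a UUID carries no information of its own, every validation is a round trip to the store; that is the cost the PKI and Fernet designs on the previous slide trade away, at the price of the larger payload (PKI) or a shared symmetric key (Fernet).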
PKI Tokens
What is Docker
• Enables you to package an application with all its dependencies into a standardized unit
• Docker separates applications from infrastructure using container technology, similar to how VMs separate the operating system from bare metal
• Runs the same regardless of the environment
Build Ship Run
Docker – Key Components
• Docker Daemon
• Docker API
• CLI – used to interact with the Daemon
• Docker Engine (constitutes all of the above)
• Docker Machine – bring up Docker Swarm
• Docker Swarm – Native clustering for Docker
Multitenant Cluster
[Diagram: Multi-Tenant Swarm – containers C1–C4 on hosts H1 and H2; tenants Tenant1–Tenant4; User; Keystone with its Identity, Policy, Resource and Catalog services]
Multi-tenancy with Keystone
[Sequence diagram: User, Keystone, Docker Host, Swarm]
• User → Keystone: Authenticate (User, Tenant, Password); Keystone validates and generates a token
• Keystone → User: Token; the user updates config.json with the token and tenant ID
• User → Swarm: docker -H <swarm url> <docker CMD>
• Swarm → Keystone: List tenants / list the tenants to which the token has access; check Keystone’s tenant list for the user’s tenant
• Swarm → Docker Host: <docker cmd>, ensuring that tenants are isolated from each other: each tenant can only manage and link to their own containers
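The enforcement step at the end of this sequence, as an added example that is not the project's own code: a Python model of a tenant-aware proxy in front of Swarm. Keystone issues a token scoped to one tenant (refusing a tenant the user has no role in), and the proxy derives the tenant from the token, filters `ps` to that tenant's containers, answers 404 for `inspect`/`rm`/`--link` against another tenant's container (so foreign container ids are not confirmed), enforces a per-tenant container quota, and lets only the `admin` role remove containers. Users, roles, quotas, container ids and the `TenantSwarmProxy` and `Keystone` names are constructed for the demo.

```python
"""Added example (not from the slides or the project): a tenant-aware front end for
docker commands, modelled on the Keystone/Swarm flow above. All data is constructed."""
import uuid


class Keystone:
    def __init__(self, users, quotas):
        self._users = users      # {name: {"password": str, "roles": {tenant: role}}}
        self.quotas = quotas     # {tenant: max number of containers}
        self._tokens = {}        # token -> (user, tenant, role)

    def authenticate(self, user, tenant, password):
        """Issue a token scoped to `tenant` only if the user holds a role there."""
        rec = self._users.get(user)
        if rec is None or rec["password"] != password:
            return None
        role = rec["roles"].get(tenant)
        if role is None:
            return None          # user is not a member of the requested tenant
        token = uuid.uuid4().hex
        self._tokens[token] = (user, tenant, role)
        return token

    def validate(self, token):
        return self._tokens.get(token)


class TenantSwarmProxy:
    """Sits in front of Swarm; every docker command is checked against the token's tenant."""

    def __init__(self, keystone):
        self._keystone = keystone
        self._containers = {}    # container id -> {"tenant": ..., "image": ...}

    def docker(self, token, *argv):
        scope = self._keystone.validate(token)
        if scope is None:
            return 401, "invalid token"
        _user, tenant, role = scope
        cmd, args = argv[0], list(argv[1:])
        if cmd == "ps":          # a tenant only ever sees its own containers
            return 200, sorted(cid for cid, c in self._containers.items() if c["tenant"] == tenant)
        if cmd == "run":
            return self._run(tenant, args)
        if cmd in ("inspect", "rm"):
            return self._manage(cmd, tenant, role, args[0])
        return 400, f"unsupported command {cmd}"

    def _run(self, tenant, args):
        owned = [c for c in self._containers.values() if c["tenant"] == tenant]
        if len(owned) >= self._keystone.quotas.get(tenant, 0):
            return 403, "quota exceeded"
        if "--link" in args:     # `--link <id>` may only point at a container of the same tenant
            target = self._containers.get(args[args.index("--link") + 1])
            if target is None or target["tenant"] != tenant:
                return 404, "linked container not found"   # do not confirm foreign ids
        cid = uuid.uuid4().hex[:12]
        self._containers[cid] = {"tenant": tenant, "image": args[-1]}
        return 201, cid

    def _manage(self, cmd, tenant, role, cid):
        c = self._containers.get(cid)
        if c is None or c["tenant"] != tenant:
            return 404, "no such container"   # same answer whether absent or another tenant's
        if cmd == "rm":
            if role != "admin":
                return 403, f"role {role!r} cannot remove containers"
            del self._containers[cid]
            return 204, ""
        return 200, c


def run_demo():
    """Exercise isolation, linking, quota and RBAC; return the observed results."""
    ks = Keystone(
        users={"alice": {"password": "pw-a", "roles": {"tenant1": "admin"}},
               "bob": {"password": "pw-b", "roles": {"tenant2": "member"}}},
        quotas={"tenant1": 2, "tenant2": 1},
    )
    swarm = TenantSwarmProxy(ks)
    t_alice = ks.authenticate("alice", "tenant1", "pw-a")
    t_bob = ks.authenticate("bob", "tenant2", "pw-b")
    r = {"wrong_tenant": ks.authenticate("bob", "tenant1", "pw-b")}   # None
    _, a1 = swarm.docker(t_alice, "run", "nginx")
    _, b1 = swarm.docker(t_bob, "run", "redis")
    r["a1"] = a1
    r["alice_ps"] = swarm.docker(t_alice, "ps")[1]                       # [a1] only
    r["bob_sees_alice"] = swarm.docker(t_bob, "inspect", a1)[0]          # 404
    r["cross_link"] = swarm.docker(t_alice, "run", "--link", b1, "app")[0]  # 404
    r["same_link"] = swarm.docker(t_alice, "run", "--link", a1, "app")[0]   # 201
    r["alice_quota"] = swarm.docker(t_alice, "run", "extra")[0]          # 403: 2 of 2 used
    r["bob_quota"] = swarm.docker(t_bob, "run", "extra")[0]              # 403: 1 of 1 used
    r["bob_rm"] = swarm.docker(t_bob, "rm", b1)[0]                       # 403: member role
    r["alice_rm"] = swarm.docker(t_alice, "rm", a1)[0]                   # 204: admin role
    return r


if __name__ == "__main__":
    print(run_demo())
```

The tenant is taken from the token's scope, never from a client-supplied field, so a caller cannot pick a tenant it was not authenticated for; the "not found" answers for foreign containers and links keep one tenant from enumerating another's container ids.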
Timelines and future work
• Implementation of Keystone support – In progress
• Explore Fernet tokens and include support for the same
• Provide isolated tenant networking capabilities
• Provide a framework for dockerized applications to use the multitenancy seamlessly
Connect with us…
• Satya Routray ([email protected])
• Rahul Upadhyay ([email protected])
• Anantha Padmanabhan CB ([email protected])
• Meenakshi Lakshmanan ([email protected])
Q&A
OpenStack Summit, Austin, Texas 2016