Once again it is time to brain dump the things I want to make happen in the next release of Open Stack.
Category Archives: Openstack
Testing out PKI Signed tokens in Openstack Keystone
I’ve put a fair amount of time into the Signed Tokens implementation. Now that they have been merged into the master branch of Keystone, I’d like to get some more people playing around with the feature, and see how it impacts things.
Speeding up SQLite based unit tests
If you write database driven applications, you have probably used SQLite at some point. Since it is a simple embedded database, it is a logical choice for unit tests that go to the database. However, SQLite performance on ext4 (the default Fedora file system) is lackluster.
A cheap way to speed things up is to use a ramdisk as the backing store for the database.
Why Keystone Tokens are not Certificates
A Certificate Authority signs other certificates. A signing certificate signs documents. There is a big difference. With this week’s discussion of the Flame malware and the mechanism used to sign it, I think it is important to point out why we are not using an X.509 certificate as the signed token in Keystone.
Token Signing with OpenSSL
While Fedora has standardised on NSS for security services, a large swath of the world uses OpenSSL. Here are steps to sign a message with OpenSSL, roughly comparable to the ones I previously posted using NSS.
Signed Authentication and Authorization
Openstack Keystone currently performs online validation of tokens. Once a token is issued, each system presented with the token has to check its validity with the Keystone server. This makes Keystone the highest traffic service in an Openstack deployment. Using Cryptographic Message Syntax (CMS) we can generate a token that can be verified using public key cryptography instead of making a network call. Here’s a proof-of-concept example using the command line tools.
My Openstack Tasks
Now that Folsom development has started in earnest, I figured I’d follow Russell’s example and write down a bit of my plan for work in the next couple of months.
Openstack Keystone in HTTPD
After calling for Keystone to migrate to HTTPD, several people asked me if I would show how this can be done. Here are the steps.
Client Certificates with mod_nss
Once server side certificates have been set up, setting up client side certificates requires some additional configuration, especially if you want to use them as the source of identity in your applications.
Fedora 16 Devstack
Devstack is a developer tool for dealing with the wide array of projects that make up Openstack. The original devstack is Ubuntu specific. Russell B has been working on getting Fedora its own Devstack. Today, I’m a test subject.