A recent discussion on the Openstack mailing list brought to light the high load that the Keystone server has due to each server having to authenticate each and every request against Keystone.
PKI for Keystone
Reply
Category Archives: Software
Keystone should move to Apache HTTPD
Keystone and the other Openstack components run in an Eventlet based HTTP server. Eventlet and Greenlet (the project Eventlet is built on) are designed to be highly performant in networked environments due to their non-blocking nature. Everything is handled in a single thread, and scheduling is performed in user space. The one caveat is that not only must the code you write never block, the code you call must not block, either. If you are going to make a call into a third party library that performs I/O, you need to wrap that library in a thread pool.
For Keystone, every call is going to be going through to a Database layer, either SQL or LDAP. Which is in turn going to call into the native driver for that Database, or the LDAP libraries. Either way, it is a native call, and it has to be wrapped in a thread pool.
Keystone is an authentication hub. As such, it is literally the “Keystone” of the security architecture around Openstack. In order to do anything on any of the other services in Openstack, a use needs a token from Keystone. But in order to authenticate against Keystone, the user needs to provide a clear-text password. This approach may be sufficient to start development, but it is not going to be acceptable when a company needs to prove compliance with Sarbanes-Oxley. Or HIPPAA. For these cases, we want stronger encryption and better authentication management. The Eventlet based web server does not currently support forms of authentication other than Basic-Auth. Ideally, organizations would be able to employ their Kerberos or Public Key Infrastructure (PKI) assets to support their Openstack based authentication.
IPv6 is coming. The last block of IPv4 addresses has been allocated. For Cloud based deployments, people are going to need large numbers of routable IP Addresses. However, Eventlet does not currently support IPv6. Work is happening upstream, but it has not yet been commited, and will not be available for the Essex release of Openstack.
There is a simple solution. Keystone is a WSGI application, and has minimal dependencies on Eventlet. Deploying Keystone in an Apache HTTPD server with mod_wsgi running in prefork mode provides the same operating environment as Eventlet does. As the de facto standard open source web server, it has received a higher degree of scrutiny than most other software products. HTTPD support for GSSAPI/Kerberos authentication, Client and Server based certificates, and IPv6. It is well supported in all the major Linux distributions.
What would the drawbacks be? Probably the first thing people would look to from Eventlet is performance. I don’t have the hard numbers to compare Eventlet to Apache HTTPD, but I do know that Apache is used in enough high volume sites that I would not be overly concerned. The traffic in an Openstack deployment to a Keystone server is going to be about two orders of magnitude less than any other traffic, and is highly unlikely to be the bottleneck. Second is the fact that we would be pulling in dependencies to Apache HTTPD, and that configuring it would be different and more difficult than Eventlet. However, this is a fairly well trodden path. The benefits of putting all HTTP traffic behind ports 80 and 443 overwhelm the drawbacks of configuration.
Since Keystone has just gone through a major reworking, I realize that people might be reluctant to support a move like this. However, the effect on other components should be minimal or none. Apache HTTPD can be set up using the same ports that Keystone already uses, and thus replace an existing Keystone install with no changes to the configuration or code to the other services. The changes should be limited to Keystone alone.
The problem that Eventlet solves does not map to Keystone. The amount of work it would take to add the features Keystone really requires to Eventlet is significant, is difficult, and is likely to be far buggier than using well established and audited libraries. The simpler path forward is for Keystone to move over to Apache HTTPD. It is also the path for greater stability, security, and growth.
FreeIPA Keystone LDAP Store
The next interim release of Openstack Keystone will once again have LDAP support. I am developing against OpenLDAP to start, as that is what the LDAP support has been based on in the past. However, the directory server that backs FreeIPA works perfectly well, and provides a backend that allows for Keystone support.
Working with Keystone Authenticate
Here is a little utility I’ve worked up while working with the Openstack Keystone code.
Openstack Keystone LDAP Redux
A recent change in the structure of the Openstack Keystone architecture resulted in the loss of support for an LDAP Backend. I’ve been working to rectify that. Here’s my set up and the design decisions I’ve made so far. Since this code is not yet submitted for code review, there is a good chance that it will change prior to deployment.
Programmatic EXTERNAL SASL connection to OpenLDAP
The documentation on the OpenLDAP site discusses modifying the ldif files used to start up the server. If you try to do this on a Fedora or Debian based install, you will find that the server does not start up. The HASH of the files is stored and compared with the contents at start up time. There is a better way.
DNS Managers in FreeIPA
The Domain Name System (DNS) is an essential part of systems management. If you need to manage multiple physical hosts you’d really benefit by a degree of control of some subset of DNS. With Virtual machines, the sheer number of hosts created demand a responsive DNS. Kerberos, X509 and other security mechanisms require a proper DNS configuration. Yet, for many organizations, DNS is locked down by IT to a very static set of records. Earlier articles discussed User Groups, Host Groups, and Netgroups. The final installment in this series discsusses how to delegate DNS Zone management in FreeIPA.
Netgroup Managers in FreeIPA
The last two articles described how to delegate management of user groups and host groups. The other way to manage both hosts and users in FreeIPA is with Netgroups. Although Netgroups are a concept from NIS, FreeIPA takes them to the next level, and makes them into containers capable of managing both users and groups. This article shows how to delegate the control of a netgroup to a specified user.
Hostgroup Managers in FreeIPA
Last article I discussed delegating the authority to manage group membership using FreeIPA. A related topic delegating the ability to manage groups of hosts. There are two different collections for managing hosts: host groups, and netgroups. The approach to delegating authority for managing each of these is similar, but with important differences. First up: hostgroups.
To create a hostgroup for Beowulf hosts:
Group Managers in FreeIPA
The power of a hierarchical database lies in its access controls. FreeIPA gives you a set of tools that you can use in order to delegate authority using those access controls.
Continue reading