Multi-tenancy for Docker
Containers with Keystone
Satya Routray, Rahul Upadhyay
Anantha Padmanabhan CB, Meenakshi Lakshmanan
27 Apr 2016
Current authorization mechanism
- Username / password based authentication only
- Once authenticated, a user can run any Docker command
- ...and can view all provisioned containers, not just their own: access to the daemon is all-or-nothing
- No limit on the number of containers or the resources a user consumes
Why multitenancy?
- A standalone Keystone (no other OpenStack services required) can provide multitenancy for Docker
- Multitenancy lets users view and manage only the containers they provisioned
- Enables role-based access control (RBAC)
- Lets an administrator set per-tenant quotas (pay-as-you-go model)
- Can use Keystone's support for multiple domains, each with its own identity backend (e.g. LDAP)
- Single sign-on and hierarchical multitenancy
- Covers not only user-to-container authorization but also service-to-service authorization between services running in different containers
Keystone services
- Identity: credential validation
- Resource: data about projects and domains
- Assignment: roles and role-to-resource assignments
- Token: issues and validates tokens
- Catalog: registry of services and endpoints
- Policy: rule-based authorization (policy.json)
Authentication mechanisms (token formats)
UUID tokens
- A random 32-character hex identifier that carries no information on its own
- Persistent: stored in Keystone's token backend, so every validation is a round-trip to Keystone and the token table keeps growing until it is flushed (keystone-manage token_flush)
PKI & PKIZ tokens (PKI from Grizzly; PKIZ, the zlib-compressed variant, from Juno)
- Public Key Infrastructure: the JSON payload is CMS-signed with Keystone's certificate, so a service can validate it offline against the signing certificate
- More informative payload, but the token is huge (several KB), which strains HTTP header and cookie limits
- Still persistent: stored in the backend to support revocation
Fernet tokens (from Kilo, not Juno)
- Non-persistent: nothing is written to the backend; the payload is encrypted and authenticated with symmetric keys (AES-128-CBC plus HMAC-SHA256) that must be rotated and distributed to every Keystone node
- Benchmarked at 85% faster than UUID and 89% faster than PKI (dolphm.com, see References)
UUID tokens
[Flow diagram, recovered as text; participants: Client, API, Keystone, Backend]
Token generation
- Client sends user/password to Keystone
- Keystone verifies the credentials, generates a UUID, stores it in the token backend and returns the UUID
- Client caches the UUID locally
API call validation
- Client sends the API request together with the UUID
- The API extracts the UUID from the request and sends a validation request to Keystone
- Keystone checks the UUID against the backend, including its expiry date
- Valid: the API processes the request and returns HTTP 2xx; the client updates the request status
- Invalid: the API rejects the request with HTTP 4xx; the client displays the error
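The contrast the slides draw between a persistent UUID token (a meaningless identifier, validated by a backend lookup) and a non-persistent Fernet token (a self-contained payload protected by symmetric keys), in runnable form. This is an added example, not code from the talk and not Keystone's own token providers; it uses only the Python standard library, so the non-persistent token is an HMAC-SHA256-signed payload rather than an encrypted one, and the user IDs, project IDs, key material and fixed clock are constructed for the example.

```python
"""Persistent (UUID) vs non-persistent (Fernet-style) Keystone tokens.
Added illustration: not code from the talk, not Keystone's own token providers.
Stdlib only, so the non-persistent token is an HMAC-SHA256-signed payload; real
Fernet also AES-128-CBC-encrypts it. IDs, lifetime and the fixed clock are made up."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import uuid

TOKEN_TTL = 3600  # seconds; Keystone's default token lifetime is also one hour


def _clock(now):
    return time.time() if now is None else now


def _payload(user_id, project_id, now):
    return {"user_id": user_id, "project_id": project_id, "expires_at": now + TOKEN_TTL}


def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()


class UuidTokenProvider:
    """Persistent: the token is a random id, and every validation is a lookup
    in the token backend (SQL/memcache), the round-trip shown in the diagram."""

    def __init__(self):
        self.backend = {}  # token id -> payload; stands in for the SQL table

    def issue(self, user_id, project_id, now=None):
        token = uuid.uuid4().hex  # 32 hex chars, nothing to inspect
        self.backend[token] = _payload(user_id, project_id, _clock(now))
        return token

    def validate(self, token, now=None):
        payload = self.backend.get(token)
        if payload is None or _clock(now) >= payload["expires_at"]:
            return None
        return payload

    def revoke(self, token):
        self.backend.pop(token, None)  # revocation is deleting the row


class SignedTokenProvider:
    """Non-persistent: the payload travels inside the token under a symmetric
    key, so validation needs the key ring but no backend. keys[0] signs; older
    keys only verify, which is how rotation keeps earlier tokens valid."""

    def __init__(self, keys):
        self.keys = list(keys)  # every Keystone node must hold the same ring

    def issue(self, user_id, project_id, now=None):
        body = json.dumps(_payload(user_id, project_id, _clock(now)),
                          separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(body + _mac(self.keys[0], body)).decode()

    def validate(self, token, now=None):
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:
            return None
        body, mac = raw[:-32], raw[-32:]
        # try the whole ring so tokens signed before a rotation still verify
        if not any(hmac.compare_digest(_mac(k, body), mac) for k in self.keys):
            return None
        payload = json.loads(body)
        return None if _clock(now) >= payload["expires_at"] else payload

    def rotate(self, new_key):
        self.keys.insert(0, new_key)  # new key signs; old keys keep verifying


def demo(now=1461715200):
    """Exercise both providers at a fixed clock (27 Apr 2016 00:00 UTC)."""
    r = {}
    uuid_p = UuidTokenProvider()
    t = uuid_p.issue("user-a", "tenant-1", now)
    r["uuid_ok"] = uuid_p.validate(t, now)["project_id"] == "tenant-1"
    r["uuid_expired"] = uuid_p.validate(t, now + TOKEN_TTL) is None
    uuid_p.revoke(t)
    r["uuid_revoked"] = uuid_p.validate(t, now) is None

    signed = SignedTokenProvider([secrets.token_bytes(32)])
    st = signed.issue("user-a", "tenant-1", now)
    r["signed_ok"] = signed.validate(st, now)["project_id"] == "tenant-1"
    # forge another tenant into the body (same length, so only the MAC disagrees)
    forged = base64.urlsafe_b64encode(base64.urlsafe_b64decode(st.encode())
                                      .replace(b"tenant-1", b"tenant-2")).decode()
    r["forgery_rejected"] = signed.validate(forged, now) is None
    signed.rotate(secrets.token_bytes(32))
    r["survives_rotation"] = signed.validate(st, now) is not None
    # a node that never received the key ring cannot validate anything
    r["other_ring_rejects"] = SignedTokenProvider([secrets.token_bytes(32)]).validate(st, now) is None
    return r
```

Two points the example makes concrete. A persistent token is revoked by deleting its backend row, while a signed token stays valid until it expires unless the key ring changes (Keystone layers revocation events on top of Fernet; the toy does not). And rotation only works if the new ring reaches every Keystone node (in production, keystone-manage fernet_rotate followed by copying the key repository, /etc/keystone/fernet-keys by default, to each node), because a node holding a different ring rejects every token.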
PKI Tokens
[Flow diagram; no text recoverable]
What is Docker
- Lets you package an application with all its dependencies into a standardized unit
- Docker separates applications from infrastructure using container technology, similar to how VMs separate the operating system from bare metal
- Runs the same regardless of the environment
Build, Ship, Run
Docker: key components
- Docker daemon
- Docker API (REST API served by the daemon)
- CLI: used to interact with the daemon
- Docker Engine (comprises all of the above)
- Docker Machine: provisions Docker hosts, used here to bring up Docker Swarm
- Docker Swarm: native clustering for Docker
Multitenant cluster
[Diagram, recovered as text: a multi-tenant Swarm]
- Containers C1 to C4 are spread over Docker hosts H1 and H2 and belong to Tenant1 to Tenant4 respectively
- Every user request against the Swarm is authorized through Keystone (Identity, Resource, Policy and Catalog services)
Multi-tenancy with Keystone
[Sequence diagram, recovered as text; participants: User, Keystone, Swarm, Docker host]
- User to Keystone: authenticate (user, tenant, password)
- Keystone: validate the credentials and generate a token
- Keystone to User: token
- User: update config.json with the token and the tenant ID
- User to Swarm: docker -H <swarm url> <docker CMD>
- Swarm to Keystone: list the tenants the token has access to
- Keystone: check its tenant list for the user's tenant
- Swarm: ensure tenants are isolated from each other; each tenant can only manage and link to its own containers
- Swarm to Docker host: docker <docker cmd>
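The isolation check the sequence diagram asks Swarm to perform, as an added example; it is not the talk's implementation and not Docker, Swarm or Keystone code. It assumes that the Swarm front end labels each container with the creating project's ID as tenant_id, that the CLI carries the Keystone token in an X-Auth-Token header (the HttpHeaders key in ~/.docker/config.json is one way to attach it, which is what "update config.json with token and tenant ID" suggests), and it writes the rules in the shape of Keystone's policy.json. Container IDs, hosts, users, roles and the token validation responses are constructed for the example.

```python
"""Tenant isolation for Docker API calls, decided from a validated Keystone token.
Added illustration: not the talk's implementation and not Docker, Swarm or
Keystone code. Assumptions (all constructed): Swarm tags each container with a
'tenant_id' label at create time; the token arrives as X-Auth-Token; rules follow
the shape of Keystone's policy.json. Names and IDs below are made up."""
import re

# Policy in policy.json style: aliases first, then one rule per operation.
POLICY = {
    "admin": "role:admin",
    "owner": "project_id:%(tenant_id)s",
    "admin_or_owner": "rule:admin or rule:owner",
    "container:create": "",                 # any authenticated, project-scoped user
    "container:inspect": "rule:admin_or_owner",
    "container:start": "rule:admin_or_owner",
    "container:delete": "rule:admin_or_owner",
    "container:link": "rule:owner",         # links never cross a tenant boundary, even for admins
}

# What Swarm knows about the cluster (constructed; the label is set at create time).
CONTAINERS = {
    "c1": {"host": "h1", "tenant_id": "tenant-1"},
    "c2": {"host": "h1", "tenant_id": "tenant-2"},
    "c3": {"host": "h2", "tenant_id": "tenant-3"},
    "c4": {"host": "h2", "tenant_id": "tenant-4"},
}


def check_rule(rule, creds, target):
    """Evaluate one rule string against the caller's credentials and the target
    container. Supports 'role:X', 'rule:alias', '<cred attr>:%(target attr)s',
    '<cred attr>:<literal>' and 'or'/'and' ('and' binds tighter, as in oslo.policy).
    An empty rule means allow."""
    rule = rule.strip()
    if not rule:
        return True
    if " or " in rule:
        return any(check_rule(part, creds, target) for part in rule.split(" or "))
    if " and " in rule:
        return all(check_rule(part, creds, target) for part in rule.split(" and "))
    kind, _, value = rule.partition(":")
    if kind == "rule":
        return check_rule(POLICY[value], creds, target)
    if kind == "role":
        return value in creds["roles"]
    ref = re.fullmatch(r"%\((\w+)\)s", value)
    if ref:  # compare a credential attribute with a target attribute
        return creds.get(kind) == target.get(ref.group(1))
    return creds.get(kind) == value


def creds_from_token(validated_token):
    """Reduce Keystone's v3 validation response (its 'token' object) to the
    attributes the rules refer to."""
    return {"user_id": validated_token["user"]["id"],
            "project_id": validated_token["project"]["id"],
            "roles": [r["name"] for r in validated_token["roles"]]}


def authorize(op, creds, container_id=None):
    """Decide one Docker operation. An unknown container id yields an empty
    target, so the owner rule cannot match and only admins get through
    (Docker itself then answers 404)."""
    return check_rule(POLICY[op], creds, CONTAINERS.get(container_id, {}))


def visible_containers(creds):
    """'docker ps' for a tenant: filter the cluster-wide list down to what the
    caller may inspect, so other tenants' containers are not even listed."""
    return sorted(c for c in CONTAINERS if authorize("container:inspect", creds, c))


# Constructed validation responses, shaped like the 'token' object Keystone v3
# returns from GET /v3/auth/tokens.
TENANT1_TOKEN = {"user": {"id": "u-alice"}, "project": {"id": "tenant-1"},
                 "roles": [{"name": "member"}]}
ADMIN_TOKEN = {"user": {"id": "u-root"}, "project": {"id": "admin-project"},
               "roles": [{"name": "admin"}]}


def demo():
    t1, adm = creds_from_token(TENANT1_TOKEN), creds_from_token(ADMIN_TOKEN)
    return {
        "owner_inspects_own": authorize("container:inspect", t1, "c1"),        # True
        "owner_inspects_other": authorize("container:inspect", t1, "c2"),      # False
        "owner_deletes_other": authorize("container:delete", t1, "c2"),        # False
        "admin_deletes_any": authorize("container:delete", adm, "c2"),         # True
        "admin_links_cross_tenant": authorize("container:link", adm, "c2"),    # False
        "tenant1_ps": visible_containers(t1),                                  # ['c1']
        "admin_ps": visible_containers(adm),                                   # all four
    }
```

The list operation is filtered rather than denied: a tenant running docker ps sees only its own containers, which is the "view and manage only the containers they provisioned" requirement from the earlier slide. The link rule deliberately has no admin branch, because a link crosses the per-tenant network boundary that the future-work slide wants to isolate; everything else falls back to admin-or-owner, the same shape most OpenStack services use in their policy.json.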
Timelines and future work
- Implementation of Keystone support: in progress
- Explore Fernet tokens and add support for them
- Provide isolated per-tenant networking
- Provide a framework for dockerized applications to use the multitenancy seamlessly
Connect with us
- Satya Routray (engg.sanj@gmail.com)
- Rahul Upadhyay (rahuupad@cisco.com)
- Anantha Padmanabhan CB (cbpadman@cisco.com)
- Meenakshi Lakshmanan (mlakshma@cisco.com)
References
- Identity, Authentication & Access Management in OpenStack: Implementing and Deploying Keystone. Steve Martinelli, Henry Nash & Brad Topol
- https://www.mirantis.com/blog/understanding-openstack-authentication-keystone-pki/
- http://dolphm.com/the-anatomy-of-openstack-keystone-token-formats/
- https://docs.docker.com/swarm/
- https://docs.docker.com/machine/drivers/openstack/
- https://wiki.openstack.org/wiki/Keystone
- http://docs.openstack.org/developer/keystone/
Q&A
OpenStack Summit
Austin, Texas 2016
