Deep Dive into Keystone Tokens and Lessons Learned

Deep Dive into Keystone
Tokens and Lessons Learned
Priti Desai & Brad Pokorny

Who are we?
Priti Desai
Advisory Software Engineer, IBM
Brad Pokorny
Principal Software Engineer, Symantec
Deep Dive into Keystone Tokens and Lessons Learned

What token format should we configure in
our OpenStack Deployment?

Token Formats
UUID
PKI
PKIZ
Fernet

UUID

UUID
• Simplest and Most Light Weight
• Version 4 UUID
• Configuration in keystone.conf :
[token]
provider = keystone.token.providers.uuid.Provider

UUID – Token Generation Workflow
Keystone
KVS
Request Token with:
• User Name
• Password
• Project Name
Identity Resources Assignment Catalog
User Validation
Retrieves User ID
Token
Project Validation
Retrieves Project ID and
Domain ID
Retrieves Roles for this
User on the Project or
Domain
Returns Failure if the
User does not have
any Role
Retrieves Services and
Endpoints for all the
services
Bundles Identity, Resource,
Assignment, and Catalog
information into Token Payload
Creates Token ID :
uuid.uuid4().hex
Store them in SQL/KVS:
• Token ID
• Expiration
• Valid
• User ID
• Extra
Token Generation Workflow

Sample UUID Token in SQL Backend
id: f10700e71ff045cbb850072a0bd6a4e6
expires: 2015-10-08 21:18:43
extra: {"token_data": {"token": {"methods": ["password"], "roles": [{"id":
"1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at": "2015-10-
08T21:18:43.995255Z", "project": {"domain": {"id": "default", "name": "Default"}, "id":
"423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "extras": {}, "user": {"domain": {"id":
"default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"},
"audit_ids": ["bI1EMzqUQM2sqFimOtIPpQ"], "issued_at": "2015-10-08T20:18:43.995284Z"}}, "user":
{"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580",
"name": "admin"}, "key": "f10700e71ff045cbb850072a0bd6a4e6", "token_version": "v3.0", "tenant":
{"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f",
"name": "admin"}, "metadata": {"roles": ["1688449cf1df44839b10a41e3d9b09dd"]}}
valid: 1
trust_id: NULL
user_id: 1334f3ed7eb2483b91b8192ba043b580

UUID – Keystone Token Validation Workflow
Parse Token and Retrieve
Metadata
Validate Token with:
GET v3/auth/tokens
• X-Subject-Token
• X-Auth-Token
Retrieves Token
payload from
token backend
KVS/SQL
Read cached token reference and parse:
• User ID
• Project ID
• Audit ID
• Token Expiry
Token
KVS
Valid?
Current Time <
Expiry Time
Token Not Found
Token Not Found
Is
Revoked?
Token Not Found
HTTP/1.1 200 OK
Yes
No
No
No
Yes
Yes
Check if a token matches
any revocation events
Check if a token is
expired, current time is
calculated in UTC
Token Validation Workflow

UUID – Keystone Token Revocation Workflow
Revoke by Audit ID
Revoke Token with:
DELETE v3/auth/tokens
• X-Subject-Token
• X-Auth-Token
Before revoking
a token, validate
it based on
Token Validation
Workflow
Validate
X-Subject-Token
Audit
ID?
Revoke by Token Expiry
Create Revoke Event with:
Audit ID
Revoke At
Issued Before
Prune Expired Events
Set valid to
False
Yes
No
Filter existing revocation
events based on Revoke At
Sample Revocation Event:
{
"audit_id": "HVvI0d-cTD21yatAfQc4IQ",
"issued_before”: "2015-10-24T21:20:45.000000Z"
},
Token Revocation Workflow
User ID
Project ID
Revoke At
Issued Before
Token Expiry
Token
KVS

UUID Across Multiple Data Centers
Users
Groups
Domains
Projects
Roles
Catalog
Assignments
Users
Groups
Domains
Projects
Roles
Catalog
Assignments
MySQL Replication
(Database is always in sync)
LDAP Replication
(Directory Tree is always in sync)
Tokens
KVS
UUID Tokens
Tokens
KVS
UUID Tokens
Keystone
UUID - Multiple Data Centers
Nova
Keystone Middleware
Keystone
Nova
Keystone Middleware
US-EASTUS-WEST
Request
Token
UUID Token
Token Validation
VM Instance
Token Validation
Token Not Found
Token Found Token Not Found

Pros and cons
• Pros
– Simplest and Smallest Token Format
– Recommended for Simple OpenStack Deployment
• Cons
– Persistent Token Format
– Token validation can only be done by Identity service
– Not feasible for multiple OpenStack deployments

PKI/PKIZ

PKI
• Cryptographically Encrypted
Signed Document using
X509 Standards
• CMS
• Converted to custom URL-
Safe format
• Compressed PKI
• Prefixed with “PKIZ”
PKIZ

PKI/PKIZ Configuration - Certificates
• Signing Key (signing_key.pem) :
• Generate private key in PEM format
• Signing Certificate (signing_cert.pem) :
• Generate CSR using Signing Key
• Submit CSR to CA
• Receive Certificate from CA
• Certificate Authority Certificate (ca.pem)

PKI/PKIZ Configuration
[token]
provider = keystone.token.providers.[pki|pkiz].Provider
[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem

PKI/PKIZ – Token Generation Workflow
Validate Identity, Resource, and Assignment
Request Token with:
• User Name
• Password
• Project Name
Create JSON Token Payload
Sign JSON Payload with Signing Key and Signing Certificate
openssl cms –sign –outform PEM
Convert it to UTF-8
Convert CMS Signed Token in PEM
format to custom URL Safe format:
• “/” replaced with “-”
• Deleted: “n”, “----BEGIN
CMS----”,“----END CMS----
”
Compress using zlib
Convert it to UTF-8
Base64 URL Safe
Append Prefix PKIZ
PKI PKIZ
Store Token into SQL/KVS

Sample PKI Token in SQL Backend
id: b460fec2efcd0d803e2baf48d3bcd72b
expires: 2015-10-09 20:07:36
extra: {"token_data": {"token": {"methods": ["password"], "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name":
"admin"}], "expires_at": "2015-10-09T20:07:36.656431Z", "project": {"domain": {"id": "default", "name": "Default"}, "id":
"423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "extras": {}, "user": {"domain": {"id": "default", "name":
"Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids": ["8dh07HudSh6rHoU1G9bs-Q"],
"issued_at": "2015-10-09T19:07:36.656460Z"}}, "user": {"domain": {"id": "default", "name": "Default"}, "id":
"1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "key":
"MIIDiwYJKoZIhvcNAQcCoIIDfDCCA3gCAQExDTALBglghkgBZQMEAgEwggHZBgkqhkiG9w0BBwGgggHKBIIBxnsidG9rZW4iOnsib
WV0aG9kcyI6WyJwYXNzd29yZCJdLCJyb2xlcyI6W3siaWQiOiIxNjg4NDQ5Y2YxZGY0NDgzOWIxMGE0MWUzZDliMDlkZCIsIm5hb
WUiOiJhZG1pbiJ9XSwiZXhwaXJlc19hdCI6IjIwMTUtMTAtMDlUMjA6MDc6MzYuNjU2NDMxWiIsInByb2plY3QiOnsiZG9tYWluIjp7I
mlkIjoiZGVmYXVsdCIsIm5hbWUiOiJEZWZhdWx0In0sImlkIjoiNDIzZDQ1Y2RkZWM4NDE3MGJlMzY1ZTBiMzFhMWIxNWYiLCJuY
W1lIjo…", "token_version": "v3.0", "tenant": {"domain": {"id": "default", "name": "Default"}, "id":
"423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "metadata": {"roles":
["1688449cf1df44839b10a41e3d9b09dd"]}}
valid: 1
trust_id: NULL

Sample PKIZ Token in SQL Backend
id: c48321ac51a903b07c264ac3e80809c6
expires: 2015-10-12 18:45:23
extra: {"token_data": {"token": {"methods": ["password"], "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd",
"name": "admin"}], "expires_at": "2015-10-12T18:45:23.806229Z", "project": {"domain": {"id": "default", "name":
"Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "extras": {}, "user": {"domain": {"id":
"default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids":
["kKmQzTuxSnCN9vo3bzxErw"], "issued_at": "2015-10-12T17:45:23.806257Z"}}, "user": {"domain": {"id": "default",
"name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "key":
"PKIZ_eJxtlMtyqzgQhvc8xexTqcPFdsLiLCQEWCSCgAGBdgZscbVxDOHy9CMnc6mpGlWpSmqpW39_Uuv5WTRo2tj9wy
CHxiN35dqjqybi9eb6DuE7ZLd7_WxtAd6MtR1wP7PT5PxJE2F7U53WYH5D5qZbc53OSkeWPoo3hdrU7VQwhe5JBReo
71GWv72WT2vLPRk62_XuDmt_T9sZku-veT-xPfUaEk…", "token_version": "v3.0", "tenant": {"domain": {"id":
"default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "metadata":
{"roles": ["1688449cf1df44839b10a41e3d9b09dd"]}}
valid: 1
trust_id: NULL

PKI/PKIZ – Token Validation Workflow
Parse Token and Retrieve
Metadata
GET v3/auth/tokens
• X-Subject-Token
• X-Auth-Token
Retrieves Token
reference from
token backend
KVS/SQL
Read cached token reference and parse:
• User ID
• Project ID
• Audit ID
• Token Expiry
Token
KVS
Valid?
Current Time
< Expiry Time
Token Not Found
Token Not Found
Is
Revoked?
Token Not Found
HTTP/1.1 200 OK
Yes
No
No
No
Yes
Yes
Check if a token matches any
revocation events
Check if a token is expired,
current time is calculated in
UTC
Unique ID of
X-Subject-Token
Hash PKI Token
with the pre-
configured hashing
algorithm

PKI/PKIZ – Keystone Token Revocation Workflow
Revoke by Audit ID
Revoke Token with:
• X-Subject-Token
• X-Auth-Token
Before revoking
a token, validate
it based on
Token Validation
Workflow
Validate
X-Subject-Token
Audit
ID?
Audit ID
Revoke At
Issued Before
Set valid to
False
Yes
No
{
"issued_before”: "2015-10-24T21:20:45.000000Z"
},
User ID
Project ID
Revoke At
Issued Before
Token Expiry
Token
KVS

PKI/PKIZ - Across Multiple Data Centers
Users
Groups
Domains
Projects
Roles
Catalog
Assignments
Users
Groups
Domains
Projects
Roles
Catalog
Assignments
MySQL Replication
LDAP Replication
Tokens
KVS
PKI/PKIZ
Tokens
Tokens
KVS
PKI/PKIZ
Tokens
Keystone
PKI/PKIZ - Multiple Data Centers
Nova
Keystone Middleware
Keystone
Nova
Keystone Middleware
US-EASTUS-WEST
Request Token
PKI/PKIZ Token
Token Validation
VM Instance
Token Validation
VM Instance

Pros and Cons
PKI
• Pros
– Token validation without a request to
Keystone
• Cons
– Larger than standard HTTP Header Size
– Complex configuration
– base64 –d <pki_token
– Not truly feasible for multiple OpenStack
Deployments
PKIZ
• Pros
– Token validation without a request
to Keystone
• Cons
– Still Larger than standard HTTP
Header Size
– Similar to PKI

FERNET

Fernet
• Cryptographic Authentication Method – Fernet
• Symmetric Key Encryption
• Fernet Keys stored in /etc/keystone/fernet-keys/
– Encrypted with Primary Fernet Key
– Decrypted with a list of Fernet Keys

[token]
provider = keystone.token.providers.fernet.Provider
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
max_active_keys = <number of keys> # default is 3
Fernet Configuration

Fernet Keys
• Fernet Key File - 256 bits
83b4sCF0Q4pb3aNWJYtSdtdaH8PMA_5dlN7OswXKbvE=
xf3vxf8xb0!tCx8a[xddxa3V%x8bRvxd7Zx1fxc3xccx03xfe]x94xdexcexb3x05xcanxf1
SHA256 HMAC Signing Key
(128 bits)
AES Encrypting Key
(128 bits)

Fernet Keys
• Fernet Key File Name - Integers starting from 0
• ls /etc/keystone/fernet-keys => 0 1 2 3 4
• Type 1: Primary Key
– Encrypt and Decrypt
– Key file named with the highest index
• Type 2: Secondary Key
– Only Decrypt
– Lowest Index < Secondary Key File Name < Highest Index
• Type 3: Staged Key
– Decrypt and Next In Line to become Primary Key
– Key file named with lowest index (of 0)

Fernet Key Rotation
0 1 Primary KeyStaged Key No Secondary Key
2 Primary Key0Staged Key 1
Secondary Key
3 Primary Key21
Secondary Key
0Staged Key
Secondary Key
Rotate
Rotate

Fernet – Token Generation Workflow
HMACFernet Token Version Current Timestamp IV Cipher Text
Token Payload:
Version
User ID
Methods
Project ID
Expiry Time
Audit ID
Padding
Encrypted using Encrypting Key
Signed using Signing Key

Sample Fernet Token in SQL Backend
gAAAAABWLUzy0dxSNo2--K-
3trDutnX7LpUpv3us0crQIl8BDHLLd3lR3F243VwnYpNJHIaUiPEE2roYJJNA-
SwBe1swDcr6MYaFR1t9ZYcYF4GRqDm3N9_1EGgXgICbzE_GuUVidG4gky0Cv8
f1nwD7XM26NRh59VEnt2iVTAxlnvAICJDeK5k

Fernet – Keystone Token Validation Workflow
Determine the Version from the Token Payload
GET v3/auth/tokens
• X-Subject-Token
• X-Auth-Token
Re-inflate token
with “=” and return
token with correct
padding
Version: Fixed Versioning by Keystone:
• Unscoped Payload : 0
• Domain Scoped Payload : 1
• Project Scoped Payload : 2
Restore
Padding
Is
Revoked?
Token Not Found
HTTP/1.1 200 OK
No
No
Yes
Yes
Check if a token matches
any revocation events
Check if a token is
expired, current time is
calculated in UTC
Decrypt using Fernet Keys to retrieve Token Payload
Disassemble payload to
determine validation fields
For Project Scoped Token:
• User ID Project ID
• Methods Token
Expiry
• Audit ID
Current Time <
Expiry Time
Token Not Found
No

Fernet – Keystone Token Revocation Workflow
Revoke by Audit ID
Revoke Token with:
• X-Subject-Token
• X-Auth-Token
Before revoking
a token, validate
it based on
Token Validation
Workflow
Validate
X-Subject-Token
Audit
ID?
Audit ID
Revoke At
Issued Before
Set valid to
False
Yes
No
{
"issued_before”: "2015-10-24T21:20:45.000000Z"
},
User ID
Project ID
Revoke At
Issued Before
Token Expiry
Token
KVS

Fernet - Across Multiple Data Centers
Users
Groups
Domains
Projects
Roles
Catalog
Assignments
Users
Groups
Domains
Projects
Roles
Catalog
Assignments
MySQL Replication
LDAP Replication
Keystone
Fernet - Multiple Data Centers
Nova
Keystone Middleware
Keystone
Nova
Keystone Middleware
US-EASTUS-WEST
Request
Token
Fernet Token
Token Validation
VM Instance
Token Validation
VM Instance
Validate Fernet Token Validate Fernet Token

Pros and cons
• Pros
– No persistence
– Reasonable Token Size
– Multiple Data Center
• Cons
– Token validation impacted by the number of revocation events

Fernet Token Validation
11.17
46.406
83.654
124.974
163.529
234.398
376.604
510.058
0
100
200
300
400
500
600
0
100
200
300
400
500
600
700
800
900
1000
1100
1200
1300
1400
1500
2000
3000
4000
Time(ms)
Revocation Events
Revocation Events Impact on Validation Time
Response Time (ms)

Fernet Token Validation
89.46
21.55
11.95
8 5.77
1.96
0
10
20
30
40
50
60
70
80
90
100
0
100
200
300
400
500
600
700
800
900
1000
1100
1200
1300
1400
1500
2000
3000
4000
ValidationsPerSecond
Revocation Events
Revocation Events Impact on Validation Requests
Token Validation Requests

What token format should we configure in our
OpenStack Deployment?
Fernet for Multiple OpenStack Deployments
with minimal Revocation Events

HORIZON AND TOKENS

How horizon uses tokens
• Tokens for each logged in user
• Unscoped token and project scoped token
• Token reuse
• Reduced transaction load on Keystone
• Stored in the session
• Configurable token storage methods
• Local memory cache
• Cookie backend
• Memcache
• Database
• Cached Database

Cookie backend
• Currently the devstack default
• Token stored in browser cookie
• Secure cookies in production, use https
• CSRF_COOKIE_SECURE = True
• SESSION_COOKIE_SECURE = True
• http://docs.openstack.org/developer/horizon/topics/settings.html
• http://docs.openstack.org/security-guide/dashboard/cookies.html
• Highly scalable
• The dreaded boot back to login

Cookie backend
• The dreaded boot back to login
• Now sign in…

Cookie backend
• And you see…
• Cookie overflow!

memcache backend
• Allows storage of larger token sizes
• Tokens stored on server side
• Requires memcached
• Can be used with backing DB
• http://docs.openstack.org/developer/horizon/topics/deployment.html

Token hashing
• Hashed in Django OpenStack Auth (DOA)
• Keeps stored token data small
• Currently not working for PKI tokens
• New config in Liberty to disable
• OPENSTACK_TOKEN_HASH_ENABLED
• PKI - Will increase memcache storage requirement

Multiregion and tokens
• Service regions vs. Authentication regions
• Service regions in Keystone catalog
• Auth regions specified in AVAILABLE_REGIONS
• UUID, PKI, and PKIZ Tokens don’t work across auth regions
• Token replication is infeasible
• But Fernet tokens work between Authentication regions!
Service Region Authentication Region

Horizon and Fernet
• Yes, Fernet tokens work with Horizon
• Liberty and beyond – No patches necessary
• Kilo – Needs a patch for DOA
• https://review.openstack.org/#/c/169994/

V3 domains
Domain Scoped Token Project Scoped Token
"auth": {
"identity": {
},
“scope”: {
”domain": {
“name”: “Default”
}
}
}
"auth": {
"identity": {
},
“scope”: {
“project”: {
”domain": {
“name”: “Default”
},
“name”: “ProjectA”
}
}
}
• Extra token for Horizon

V3 domains
• Requires changes in Django OpenStack Auth and Horizon
• Planned for Mitaka
• Info on usage (a bit out of date):
• http://www.symantec.com/connect/blogs/how-use-horizon-keystone-v3
• Domains patches:

Will fernet tokens solve all our problems?
• Smaller token size
• No persistence for tokens
• Seamless authentication across regions
• Performance issues with token revocation

References
• Token: https://clubpenguincheatscitya4.files.wordpress.com/2011/08/1_token.jpg
• Key to Cloud: https://www.hc1.com/wp-
content/uploads/2013/10/14916002_cloud_computing_and_storage_security_concept_blue_glossy_cloud_icon_with_with_golden_key_in_keyhole
_.jpg
• User Icon: http://findicons.com/files/icons/1075/scrap/300/user_2.png
• Password: http://icons.iconarchive.com/icons/sbstnblnd/plateau/512/Apps-password-icon.png
• UUID: https://plugins.qgis.org/static/cache/21/c0/21c0d3fedb5bf42ff8a6a11712595124.png
• PKI: http://www.zaheerspeaks.com/wp-content/uploads/2009/10/PKI-Certificate.gif
• PKIZ: http://i571.photobucket.com/albums/ss153/rijal_abror/pun170-winzip-file-compress-icon59.gif
• Identity: https://www.innopay.com/assets/Uploads/icon-digitalidentity-232x232.png

EXTRA

What is an Openstack Token?
Key to OpenStack Cloud

How can I generate a token?
Keystone
curl -s POST https://keystone.com/v3/auth/tokens
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
”domain": {
”name": ”MyDomain.com”
},
”name": ”PritiDesai",
"password": "secretsecret”
}

How can I generate a token?
Keystone
curl -s POST https://keystone.com/v3/auth/tokens
"auth": {
"identity": {
"methods": [
”token"
],
”token": {
”id": ”e8079ab…”
}
}

Token generated using password
Header:
X-Subject-Token: a740dcd6f3fc404aaaf556b9cbd2f994
Body:
{
"token": {
"methods": [
"password"
],
"expires_at": "2015-10-05T20:25:03.180741Z",
"extras": {},
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "1334f3ed7eb2483b91b8192ba043b580",
"name": ”smith"
},
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
”domain": {
”name": ”Default”
},
”name": ”Smith",
"password": "secretsecret”
}

Token generated using token
Header:
X-Subject-Token: 3fb7b3b0a0a8489882f07fdb9cd2a990
Body:
{
"token": {
"issued_at": "2015-10-05T19:40:38.943250Z",
"audit_ids": [
"4vNgmP5cQk6sMpPiw7EnCg",
"HFwMKdDrSCOq-MAtkXKTlw"
],
"user": {
"name": ”smith",
"id": "1334f3ed7eb2483b91b8192ba043b580",
"domain": {
"name": "Default",
"id": "default"
}
},
"extras": {},
"auth": {
"identity": {
"methods": [
”token"
],
”token": {
“id”: “a7409b”
}
}
}

Identity Token Path
User OpenStack Service
Step 1: Obtain unscoped token with credentials
POST v3/auth/tokens
Keystone
Step 2: Discover projects you have access to
GET v3/users/<user_id>/projects
Step 3: Obtain project scoped token either with your
credentials or unscoped token from step 1.
Step 4: Invoke the target service by sending
requests to endpoints in token from step 3
Step 5: Validate roles and access metadata in token
with Keystone service or Keystone Middleware
Step 6: Serve API
request
Step 7: Return response

Token Creation
0
10
20
30
40
50
60
70
80
90
UUID PKI PKIZ Fernet
Time Per Request
Time Per
Request
0
5
10
15
20
Requests Per Sec
Requests Per
Sec

Token Validation
0
2
4
6
8
10
12
14
Time Per Request
Time Per
Request
0
20
40
60
80
100
Requests Per Sec
Requests Per
Sec

Configurable token hashing
https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/user.py

Deep Dive into Keystone Tokens and Lessons Learned

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Deep Dive into Keystone Tokens and Lessons Learned (6)

Recently uploaded (20)

Deep Dive into Keystone Tokens and Lessons Learned

Editor's Notes