Multi tenancy for docker
Download as PPTX, PDF0 likes808 views
The document discusses the implementation of multi-tenancy for Docker containers using Keystone, which allows users to manage only their provisioned containers and enables role-based access control. It outlines Keystone’s functionalities such as identity validation, resource management, and token management and highlights the benefits of utilizing it for Docker, including a pay-as-you-go model and enhanced security. Future work includes support for fernet tokens and isolated tenant networking capabilities.
Multi tenancy for docker
- 1. Multi-tenancy for Docker Containers with Keystone Satya Routray, Rahul Upadhyay Anantha Padmanabhan CB, Meenakshi Lakshmanan 27, Apr 2016
- 2. Current authorization mechanism Username / Password based authentication Allows user to run any docker command Or view all provisioned containers No limit on number of containers / resources used
- 3. Why multitenancy? We can use standalone Keystone to provide multitenancy to Docker. Multitenancy allows users to view/manage only the containers they provisioned Enables Role Based Access Control (RBAC) Enables administrator to specify quota – pay as you go model Can utilize Keystone’s ability to support multiple backend domains Single sign-on and Hierarchical multitenancy Not only users-to-container authorization, but also service-to-service authorization that are running across different containers
- 4. Keystone services • Identity – Credential validation • Resources – Data about Projects and Domains • Assignment - Roles and Roles-to-Resource assignments • Token – Manages tokens • Catalog – Registry of services and end points • Policy – Rule based authorization
- 5. Authentication mechanisms UUID Tokens • UUID • Persistent PKI & PKIZ Tokens (From Grizzly) • Public Key Infrastructure – Certificate based • More informative payload but size is huge • Persistent Fernet Tokens (From Juno) • Non-persistent & Symmetric key encryption • 85% faster than UUID and 89% faster than PKI
- 6. UUID tokens Client API Token Token Generation User/Pass Verify/Generate/Store UUID Send User/Pass Cache UUID locally UUID Cache UUID Keystone Backend API Call Validation Request Send API request+UUID Request UUID Extract UUID from Request UUID Check UUID and expiry date Valid? Process Request Reject Request 2xx HTTP 4xx HTTP Update Req. status Display Req. Error Yes No API Call Validation response
- 7. PKI Tokens
- 8. What is Docker • Enables you to package an application with all its dependencies into a standardized unit • Docker separates applications from infrastructure using container technology Similar to how VMs separate the operating system from bare metal • Runs the same regardless of the environment Build Ship Run
- 9. Docker – Key Components • Docker Demon • Docker API • Cli Used to interact with Daemon • Docker Engine, (Constitutes of all the above) • Docker Machine – bring up Docker Swarm • Docker Swarm – Native clustering for Docker
- 10. Multitenant Cluster Multi-Tenant Swarm C1 C2 C3 C4 Tenant1 Tenant4Tenant3Tenant2 Keystone C1 C2 C3 C4 H1 H2 User Policy Resource Identity Catalog
- 11. Multi-tenancy with keystone User keystoneDocker HostSwarm keystoneDocker HostSwarmUser Authenticate (User, Tenant, Password) Validate and generate token Token Update config.json with token and tenant ID Docker –H swarm url <docker CMD> List tenants List tenant to which token has access Check keystone’s tenant list for user’s tenant Ensure that Tenants are isolated from each other, Each tenant can only manage and link to their own container Docker <Docker cmd>
- 12. Timelines and future work • Implementation of keystone support – In progress • Explore fernet tokens and include support for the same • Provide isolated tenant networking capabilities • Provide a framework for dockerized applications to use the multitenancy seamlessly
- 13. Connect with us… • Satya Routray (engg.sanj@gmail.com) • Rahul Upadhyay (rahuupad@cisco.com) • Anantha Padmanabhan CB (cbpadman@cisco.com) • Meenakshi Lakshmanan (mlakshma@cisco.com)
- 14. References • Identity, Authentication & Access Management in OpenStack – Implementing and Deploying Keystone - Steve Martinelli, Henry Nash & Brad Topol • https://www.mirantis.com/blog/understanding-openstack-authentication-keystone-pki/ • http://dolphm.com/the-anatomy-of-openstack-keystone-token-formats/ • https://docs.docker.com/swarm/ • https://docs.docker.com/machine/drivers/openstack/ • https://wiki.openstack.org/wiki/Keystone • http://docs.openstack.org/developer/keystone/ • https://www.mirantis.com/blog/understanding-openstack-authentication-keystone-pki/
- 15. Q&A
- 16. OpenStack Summit Austin, Texas 2016