OpenStack Keystone Fernet tokens

Fernet is a secure messaging format explicitly designed for use in API tokens by Heroku. They address many of the same problems that OpenStack faces, and make some of the same design considerations that have already appeared in the OpenStack community. They're non-persistent, lightweight, and reduce the operational overhead required… »

The OpenStack Keystone service catalog

The OpenStack Keystone service catalog allows API clients to dynamically discover and navigate to cloud services. The service catalog may differ from deployment-to-deployment, user-to-user, and tenant-to-tenant. The service catalog is the first hurdle that API consumers will need to grok after successfully authenticating with Keystone, making it a critical focal… »

The anatomy of OpenStack Keystone token formats

Tokens in Keystone are generally composed of a number of technologies layered together. All tokens can be deconstructed into at least two layers: a payload which is wrapped in some transport format. The payload provides attributes such as uniqueness, identity, and authorization context. The transport… »

Benchmarking OpenStack Keystone token formats

tl;dr: PKI and PKIZ tokens are slower than UUID tokens, and based on the June 2015 update, Fernet tokens are faster to create than UUID tokens (but also way slower to validate). The simplest token format in Keystone today is that of UUID tokens: they're randomly generated 32 character… »

Bacon-wrapped jalapeño dove poppers

Yep, you read that right. I scoffed at the idea of these a bit at first, because I didn't think any of the dove's flavor would come through after wrapping them in bacon and slathering them in cream cheese, but, to my surprise, the whole thing works really well. I… »

Single- vs multi-tenant clouds

It's hard to standardize on the broader definition of single-tenant versus multi-tenant clouds because everyone seems to disagree on the definition "tenant" (naturally, I'll blame the marketing folks). Everyone can agree that "tenancy" refers to resource isolation. My application does not know that your application exists. My application cannot steal… »

OpenStack Kilo Design Summit outcomes

This is a summary of the discussions, design decisions, goals, and direction that came out of the OpenStack Juno Design Summit in Paris (fall 2014). Unlike my previous design summit adventures, which were primarily focused on Keystone (I'll leave that to Morgan Fainberg to cover), I'm making an attempt to… »

Hierarchical multitenancy

Welcome to the biggest, scariest word in OpenStack. Please don't run away (yet, anyway). Background Keystone's original model for multitenancy was entirely flat: tenants had no relation to one another whatsoever. In Grizzly, we renamed tenants in our API to projects and introduced the concept of domains to serve as… »

Responsibilities of an OpenStack program technical lead (PTL)

This is my perspective on the responsibilities of an OpenStack PTL. These responsibilities are in addition to those which may be delegated to project czars, but it's up to the PTL to ensure that they are all met. Serve as a point of contact to the community. You will receive… »

Responsibilities of OpenStack project czars

Note: This was a model under active discussion during the Juno development cycle (summer 2014), but did not come to fruition in the community. I'm leaving it here for historical reference. While OpenStack PTLs are ultimately accountable for the project as a whole (including the responsibilities outlined below), PTLs have… »

Reviewing code

As a Program Technical Lead for OpenStack, part of my duty involves identifying and supporting "core reviewers" from our open source community: developers believed to be capable of upholding high technical standards and thus empowered to drive the project's direction via gerrit. While each reviewer always brings a differing perspective… »

OpenStack Keystone hackathon outcomes for Juno

Keystone's OpenStack Juno Hackathon in San Antonio, TX (summer 2014) was certainly a productive one. In total, we had 20 Keystone community members in attendance, including 8 core reviewers. We collaboratively revised and merged 5 feature proposals to openstack/keystone-specs, along with 25 additional patches across the identity program's 5… »

LinkedIn: "We access your email account."

LinkedIn has recently been accused of potentially illegal (and clearly immoral) marketing practices, and is now facing a class-action lawsuit. Specifically, the lawsuit accuses LinkedIn of: breaking into its users' third party email accounts, downloading email addresses that appear in the account, and then sending out multiple reminder emails ostensibly… »

Debug vs. Verbose

Debug mode is intended for developers, not operators. Developers need call stacks, line numbers, and raw data to perform stepwise problem isolation. They work on environments that are disposable and do not contain sensitive data. Everything must be precisely and easily repeatable. Operators need insight into the behavior of systems… »

Words of wisdom

Boring systems build badass businesses: Innovate on your core product, not on your plumbing. — Matt Jaynes Programming sucks: That's your job if you work with the internet: hoping the last thing you wrote is good enough to survive for a few hours so you can eat dinner and catch… »

OpenStack Keystone hackathon for Juno

This page will be continually updated with additional details as they become solidified, similar to the Icehouse meetup. RSVP Planning to attend? Complete an RSVP form, please! Dates & Times 9am-5pm July 9-11th, 2014 (Wednesday, Thursday, Friday) This falls two weeks before the end of Juno milestone-2 development and OSCON… »

OpenStack Juno Design Summit outcomes for Keystone

This is a summary of the discussions, design decisions, goals, and direction that came out of the OpenStack Juno Design Summit in Atlanta (spring 2014) with regard to Keystone. Consider this to be a sequel to my similar coverage of the Icehouse summit. (This is Juno, Georgia. There's not much… »

How to ask for help in IRC

tl;dr No one can answer your question if you never ask it. I regularly see frustrated people asking for help in IRC. Unfortunately, they don't receive the help they're looking for because they don't ask questions that others are going to bother answering with any form of intelligent response.… »

Copyrighting an API is like copyrighting a doorway

A doorway is a human interface between two spaces separated by a wall. The only meaningful design attributes of a doorway are the shape (circle, triangle, quadrilateral, pentagon, etc.) and the dimensions of that shape. Let's say you're a doorway designer, and you're looking to design a general-purpose doorway that… »

OpenStack Icehouse Design Summit outcomes for Keystone

This is a summary of the discussions, design decisions, goals, and direction that came out of the OpenStack Icehouse Design Summit in Hong Kong (fall 2013) with regard to Keystone. The following design summit, Juno, is covered here. Identity Federation allow federating to an external identity provider without dependency on… »