SF Bay OpenStack Meetup Advanced Topic: OpenStack Keystone

Cloud Native Silicon Valley

Apr 15, 2016, 2:00 – 5:00 AM

In-person event

About this event

Topic: OpenStack Keystone

This will be an advanced session, so brush up on your Keystone knowledge first. You can read up about OpenStack project Keystone here and on the links below.


This is an advanced session where you will learn the inner workings of certificate-based authentication and authorization via show & tell. We will go over the configuration and deployment options. We hope this will be an interactive session where audience participation is encouraged. Certificate-based authentication and authorization are in demand, from what we have been hearing. Now let’s work together to make it happen.

Certificate-based authentication and authorization for (auth_token) middleware, CLI, and Horizon. In Liberty, Keystone landed a feature called tokenless authorization using an X.509 SSL client certificate. It enables Keystone to authorize API access by using the information from the caller's certificate. There are situations where certificate-based authentication is more advantageous than password-based authentication. Plus, it is also automation-friendly. In this session, we will demonstrate our POCs thus far for making certificate-based authentication possible for auth_token middleware, OpenStack CLI, and Horizon. Yes, there are pros and cons. This is an interactive session where audience participation is encouraged and greatly appreciated. We hope the takeaway for this session will be to incorporate the feedback from the community and turn these POCs into features from which we can all benefit.


1. Eliminating the need for service user password and token. See https://github.com/openstack/keystone-specs/blob/master/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.rst#problem-description

2. Support situations where certificate-based authentication is preferred over password-based authentication in order to satisfy organizational security policies or compliance.


Guang Yee (https://www.openstack.org/community/speakers/profile/1733) is an OpenStack Developer & User

• Contributed to OpenStack Keystone since 2012

• OpenStack Keystone Core Contributor since 2013

• Worked on HP Public Cloud since 2011

• Tech Lead for HPE Helion OpenStack Keystone

Sam Leong is an OpenStack Developer & User

A Sr. software engineer focused on Keystone development at Hewlett Packard Enterprise for the last 2 years. Prior to that, 10+ years of experience working for various tech companies, like Oracle, Motorola and RSA Security; focused on server back-end design, implementation and security.

Lin Hua Cheng (https://www.openstack.org/community/speakers/profile/5044) is a Software Engineer at Yahoo!

Lin is an OpenStack Engineer at Yahoo, working on internal developments and contributing to the OpenStack community, making it better for operators and users. He has been involved in OpenStack since 2012. Lin is a core to Horizon, Keystone and OpenStackClient. Lin previously worked on HP Public Cloud, where he architected and integrated Horizon as a web administration tool for operators and a user interface for end users in the public cloud.

When possible we will set up a Google Hangout for remote community members. The link will be posted here at the start of each meetup.

Updates will be published via the meetup email list, OpenStack community blog, and Twitter via @SWDevAngel, @sarob, or @REvansVMware.





Friday, April 15, 2016
2:00 AM – 5:00 AM UTC


  • John Starmer

    Kumulus Technologies

    Lead Organizer

  • Lisa-Marie Namphy

    Lead Organizer