
Multi tenancy for docker


Uploading the presentation given at the OpenStack Summit, Austin, in April 2016. The video is here:
https://www.openstack.org/videos/video/multi-tenancy-for-docker-containers-with-keystone-and-adding-quota-limits



  1. Multi-tenancy for Docker Containers with Keystone
     Satya Routray, Rahul Upadhyay, Anantha Padmanabhan CB, Meenakshi Lakshmanan
     27 Apr 2016
  2. Current authorization mechanism
     • Username / password based authentication
     • Allows a user to run any Docker command
     • Or view all provisioned containers
     • No limit on the number of containers / resources used
  3. Why multitenancy?
     • We can use standalone Keystone to provide multitenancy to Docker
     • Multitenancy allows users to view/manage only the containers they provisioned
     • Enables Role Based Access Control (RBAC)
     • Enables the administrator to specify quota (pay-as-you-go model)
     • Can utilize Keystone's ability to support multiple backend domains
     • Single sign-on and hierarchical multitenancy
     • Not only user-to-container authorization, but also service-to-service authorization for services running across different containers
  4. Keystone services
     • Identity: credential validation
     • Resources: data about projects and domains
     • Assignment: roles and role-to-resource assignments
     • Token: manages tokens
     • Catalog: registry of services and endpoints
     • Policy: rule-based authorization
  5. Authentication mechanisms
     UUID tokens
     • UUID
     • Persistent
     PKI & PKIZ tokens (from Grizzly)
     • Public Key Infrastructure, certificate based
     • More informative payload, but the size is huge
     • Persistent
     Fernet tokens (from Juno)
     • Non-persistent, symmetric key encryption
     • 85% faster than UUID and 89% faster than PKI
  6. UUID tokens (flow diagram; participants: Client, Keystone API, Keystone backend)
     • Token generation: the client sends user/pass; Keystone verifies the credentials, generates and stores the UUID; the client caches the UUID locally
     • API call validation: the client sends the API request + UUID; Keystone extracts the UUID from the request and checks the UUID and its expiry date
     • Valid? Yes: process the request, 2xx HTTP, client updates the request status. No: reject the request, 4xx HTTP, client displays the request error
  7. PKI tokens (diagram only)
  8. What is Docker
     • Enables you to package an application with all its dependencies into a standardized unit
     • Docker separates applications from infrastructure using container technology, similar to how VMs separate the operating system from bare metal
     • Runs the same regardless of the environment (Build, Ship, Run)
  9. Docker key components
     • Docker daemon
     • Docker API
     • CLI, used to interact with the daemon
     • Docker Engine (consists of all the above)
     • Docker Machine: brings up Docker Swarm
     • Docker Swarm: native clustering for Docker
  10. Multitenant cluster (diagram: a multi-tenant Swarm of hosts H1 and H2 running containers C1..C4 owned by Tenant1..Tenant4; Keystone provides the User, Policy, Resource, Identity and Catalog services)
  11. Multi-tenancy with Keystone (sequence diagram; participants: User, Keystone, Swarm, Docker host)
     • User -> Keystone: authenticate (user, tenant, password)
     • Keystone: validate and generate token; token returned to the user
     • User: update config.json with the token and tenant ID
     • User -> Swarm: docker -H <swarm url> <docker cmd>
     • Swarm -> Keystone: list tenants; Keystone returns the tenants to which the token has access
     • Swarm: check Keystone's tenant list for the user's tenant; ensure tenants are isolated from each other, so each tenant can only manage and link to its own containers
     • Swarm -> Docker host: <docker cmd>
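The token check on the UUID slide and the tenant-scoped request handling on the sequence slide, as an added example that is not the authors' code. The Keystone token store, the container inventory, the quota table and the HTTP-style results are all constructed stand-ins for illustration:

```python
from dataclasses import dataclass


@dataclass
class Token:
    user: str
    tenant: str
    expires_at: int  # epoch seconds


# Constructed stand-in for Keystone's persistent UUID token store.
KEYSTONE_TOKENS = {
    "a1b2c3": Token("alice", "tenant1", expires_at=2000),
    "d4e5f6": Token("bob", "tenant2", expires_at=2000),
    "0ld000": Token("carol", "tenant3", expires_at=1000),  # expired by t=1500
}
# Constructed container inventory (id -> owning tenant) and per-tenant quota.
CONTAINERS = {"C1": "tenant1", "C2": "tenant2", "C3": "tenant1", "C4": "tenant4"}
QUOTA = {"tenant1": 2, "tenant2": 5}  # tenants without an entry get no quota


def validate_token(token_id, now):
    """The slide's 'check UUID and expiry date' step: returns Token or None."""
    tok = KEYSTONE_TOKENS.get(token_id)
    if tok is None or tok.expires_at <= now:
        return None
    return tok


def handle(request, now):
    """Authorize one Docker request arriving at the Swarm front end.
    request: {"token", "tenant", "cmd" in ps|inspect|create, optional "target"}.
    Returns (http_status, payload), mirroring the slide's 2xx / 4xx branches."""
    tok = validate_token(request.get("token", ""), now)
    if tok is None:
        return 401, "invalid or expired token"
    # The tenant ID taken from config.json must match the token's scope.
    if tok.tenant != request["tenant"]:
        return 403, "token not scoped to tenant %s" % request["tenant"]
    owned = sorted(c for c, t in CONTAINERS.items() if t == tok.tenant)
    cmd, target = request["cmd"], request.get("target")
    if cmd == "ps":  # a tenant lists only the containers it provisioned
        return 200, owned
    if cmd == "inspect":  # 404 for foreign containers so their existence is not leaked
        return (200, target) if target in owned else (404, "no such container")
    if cmd == "create":  # quota enforced per tenant (pay-as-you-go model)
        limit = QUOTA.get(tok.tenant, 0)
        if len(owned) >= limit:
            return 403, "quota of %d containers reached" % limit
        return 201, "created"
    return 400, "unknown command"
```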
  12. Timelines and future work
     • Implementation of Keystone support: in progress
     • Explore Fernet tokens and include support for them
     • Provide isolated tenant networking capabilities
     • Provide a framework for dockerized applications to use the multitenancy seamlessly
  13. Connect with us
     • Satya Routray (engg.sanj@gmail.com)
     • Rahul Upadhyay (rahuupad@cisco.com)
     • Anantha Padmanabhan CB (cbpadman@cisco.com)
     • Meenakshi Lakshmanan (mlakshma@cisco.com)
  14. Q&A
  15. OpenStack Summit, Austin, Texas, 2016
