Openstack Keystone identification service drop-in replacement
E. L. Axenova, V. V. Shvetsova, O. D. Borisenko, I. V. Bogomolov
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Abstract:
The paper describes the architecture and scalability principles of a service developed as a drop-in replacement for Openstack Keystone. Openstack Keystone is the central identification and service catalogue service for clouds based on Openstack. Previous papers identified a problem with this service: it uses an RDBMS (MariaDB/MySQL/PostgreSQL) as its data store. Since each service and each user obtains a token to access the Openstack cloud, and tokens are periodically revoked by the system, token generation is a critical function for the whole cloud. Because Keystone queries the DBMS for user or service identification hashes and recomputes the hash from the user-provided data, the Keystone architecture creates a bottleneck. Each Keystone process has a separate session with the DBMS, and since the recommended deployment uses a Galera cluster, the DBMS part is limited by the slowest DBMS node: Galera provides high availability, not performance scaling. Our approach is based on the Kong API Gateway and its scalability through the use of Apache Cassandra as a data store. The drop-in replacement is implemented as a Lua plugin inside the Kong API Gateway and implements the Keystone V3 API.
Keywords:
Openstack Keystone, Apache Cassandra, Kong, API Gateway, Lua, cloud platform.
Citation:
E. L. Axenova, V. V. Shvetsova, O. D. Borisenko, I. V. Bogomolov, “Openstack Keystone identification service drop-in replacement”, Proceedings of ISP RAS, 29:6 (2017), 203–212
Linking options:
https://www.mathnet.ru/eng/tisp281
https://www.mathnet.ru/eng/tisp/v29/i6/p203