We will share our experience running global Keystone here at eBay, framed around the real questions we had to answer:
Instances running in the production environment have a different security level from those running in the development environment. Projects located in highly secured zones require 2FA (two-factor authentication) to authenticate, while others use password credentials. We also introduced a more secure authentication method for service access, the API Key, which restricts not only which project the key is granted access to but also where the key can be used. A dynamic project-based policy makes that possible and easy to use and configure. We will take a deep look at it as well.
We also isolate the controlling services from the production services in a secured control plane. We enhanced Keystone into a fully armed IAM (Identity & Access Management) and integrated all the control plane services with it.
We will also share our experience on how to reduce the PKIZ token size, since with global Keystone the token size grows with every region that is added.
- eBay multi-environment security model
- Filling the gap between Keystone and a generic IAM
- The answer to more secure service access - API Key
- Dynamic project-based policy for API Key authentication & management
- eBay global Keystone journey
- Making the token smaller!