
Deep Dive into OpenStack's Heat, Horizon & Keystone

Mohammed Naser

The OpenStack Foundation and its community of contributors have a wealth of projects under their belt, some in their early stages of development while others have been through a few releases. In today's blog, we'll be focusing on OpenStack's orchestration, dashboard and identity services - taking a deep dive into all they have to offer!

Heat for Orchestration

OpenStack developed Heat to tackle the need for orchestration and as a way to automate cloud components such as instances, devices and storage. Heat's orchestration engine enables users to launch multiple composite cloud applications using text file templates that can be treated as code and checked into version control. The template describes pieces of infrastructure, such as servers, users, volumes, and floating IPs, and also specifies the relationships between those resources. Identifying these relationships enables Heat to call the APIs that create the infrastructure in the proper order.

Heat also manages the whole lifecycle of the application, meaning that when there is a change in infrastructure all the user has to do is modify the template accordingly and use it to update the existing stack. These Heat templates can also be easily integrated with software configuration management tools, like Puppet. Another key offering of Heat is that it works not only with the OpenStack-native REST API but also with a CloudFormation-compatible Query API. VEXXHOST recognizes the role that orchestration plays in cloud infrastructure and opted to use Heat as our orchestration solution of choice.


Horizon for Dashboard

VEXXHOST also uses Horizon, which was created by OpenStack to deliver a web-based graphical user interface to OpenStack services that is accessible and manageable by both administrators and users. Within Horizon there are three main dashboards, one for users, one for systems and another for settings. Horizon also provides a stable and consistent set of reusable practices for developers through its API abstractions for core OpenStack projects. Thanks to these abstractions, it's not necessary for developers to be overly familiar with the APIs of OpenStack projects.

Horizon is also compatible with third-party apps and offers simple registration methods for panels, while each panel holds the fundamental logic for the interface. This breakdown keeps files from becoming laden with thousands of lines of code and ties the code directly to the navigation, making it easy to find. Additionally, consistency is maintained throughout the applications by supplying necessary core classes that enable users to build from a solid set of reusable templates and supplementary tools, such as views and forms. Horizon can also be used to establish user limitations for cloud resources, launch VM instances, manage networks and even include additional functionalities within an existing dashboard by building an application that integrates with it.

Keystone for Identity

Keystone was developed by OpenStack as a way of offering all other OpenStack projects a common means of authentication, providing policy, token and catalogue functions using OpenStack APIs. This is achieved through the registration of each tenant and user, the authentication of users, the granting of tokens as a means of authorization, the creation of policies that extend to all users and services and the management of a digital catalogue of service endpoints. This catalogue supplies a listing of available services in addition to API endpoints, from which users can deploy a service, such as requesting resources or performing an operation, through network accessible addresses like URLs.

Keystone also confirms that incoming functional calls actually originate from the user who claims to be submitting the request. This validation is performed by testing a set of claims in the form of credentials. This credential data should only be accessible to the user who owns it and can consist of something that only the user knows, such as a username and password combination, something that only the user possesses, like a hardware token, and something that the user 'is', such as a fingerprint. The validation then provides users with a token that corroborates their identity and establishes the scope of resources to which it applies. This token defines a set of rights and privileges using a role and is only valid for a certain period of time, but it can also be revoked at any point if needed. Keystone also serves as an abstraction layer and supplies plug-in interfaces so that organizations can leverage their current authentication services or have the option to choose from the variety of identity management systems on the market. As a cloud provider, VEXXHOST knows the importance of a solid identity authentication solution, which is why we selected Keystone for our own systems.
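The token properties and service catalogue described in this section, as an added example that is not Keystone or VEXXHOST code: it checks expiry, project scope and role on a constructed body shaped like a Keystone v3 token response, then resolves an endpoint from its catalogue. All IDs, names and URLs are placeholders, and the body is assumed to have been returned by Keystone when it validated the token, which is where revocation is enforced.

```python
from datetime import datetime, timezone

# Constructed sample shaped like a Keystone v3 token response body.
TOKEN_BODY = {"token": {
    "expires_at": "2030-01-01T12:00:00.000000Z",
    "user": {"id": "u-example", "name": "alice"},
    "project": {"id": "p-example", "name": "demo"},
    "roles": [{"id": "r-example", "name": "member"}],
    "catalog": [{"type": "orchestration", "name": "heat", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://heat.example.test/v1/p-example"},
        {"interface": "admin", "region": "RegionOne",
         "url": "https://heat-admin.example.test/v1/p-example"}]}],
}}

def authorize(body, project_id, required_role, now=None):
    """Return (allowed, reason) for a token body Keystone has already validated."""
    token = body["token"]
    now = now or datetime.now(timezone.utc)
    expires = datetime.strptime(
        token["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    if now >= expires:  # tokens are only valid for a limited time
        return False, "expired"
    if token.get("project", {}).get("id") != project_id:  # scope check
        return False, "wrong scope"
    if required_role not in {r["name"] for r in token.get("roles", [])}:
        return False, "missing role"
    return True, "ok"

def endpoint_for(body, service_type, interface="public"):
    """Look up a service URL in the token's catalogue, or None if absent."""
    for service in body["token"].get("catalog", []):
        if service["type"] == service_type:
            for endpoint in service["endpoints"]:
                if endpoint["interface"] == interface:
                    return endpoint["url"]
    return None

if __name__ == "__main__":
    print(authorize(TOKEN_BODY, "p-example", "member"))
    print(endpoint_for(TOKEN_BODY, "orchestration"))
```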

As these projects have been contributed to, their capabilities, features and compatibilities have developed and expanded in an incredible way, making them hugely beneficial to users. As Heat, Horizon and Keystone are all open source projects under the OpenStack foundation, they aren't limited by a lack of contributors or a particular infrastructure, ensuring that their services can be applied and appreciated in a near-universal fashion.
