At VMworld 2014, VMware announced a new product, VMware Integrated OpenStack. The product is currently still in beta and will be available in the first quarter of 2015.
OpenStack has been a popular technology for private cloud orchestration. In this article OpenStack is described as a modular architecture that currently has eleven components:
- Nova - provides virtual machines (VMs) upon demand.
- Swift - provides a scalable storage system that supports object storage.
- Cinder - provides persistent block storage to guest VMs.
- Glance - provides a catalog and repository for virtual disk images.
- Keystone - provides authentication and authorization for all the OpenStack services.
- Horizon - provides a modular web-based user interface (UI) for OpenStack services.
- Neutron - provides network connectivity-as-a-service between interface devices managed by OpenStack services.
- Ceilometer - provides a single point of contact for billing systems.
- Heat - provides orchestration services for multiple composite cloud applications.
- Trove - provides database-as-a-service provisioning for relational and non-relational database engines.
Image Source: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/3/html/Installation_and_Configuration_Guide/images/2440.png
Each component needs to obtain an authentication token from the Keystone module, and this is accomplished through an API. OpenStack APIs are used to create and manage the resources of each of these modules. If we want to dig deeper into OpenStack, it is essential that we know more about the OpenStack APIs.
This OpenStack Wiki page has a good description of the OpenStack API. It states that the OpenStack API is the management and control plane for a cloud infrastructure built using the various components (see above). A few things are mentioned about the OpenStack API:
- it is REST-ful
- JSON based
- Each core project will expose one or more RESTful interfaces for the purpose of interacting with the outside world.
Let’s look at some of the ingredients that make up the OpenStack API.
RESTful HTTP API
REST stands for Representational State Transfer, and it is an architecture that generally runs over HTTP. REST can be viewed as a lightweight form of web services.
REST APIs are used by many “well known” applications such as PayPal, Twitter, Facebook and Google, as well as by mobile devices. The list can go on and on.
In the context of OpenStack we can see that RESTful APIs have the following characteristics:
- Use of URI to expose resources
- Noun based protocol e.g. GET, POST, DELETE etc
Besides being used by the various OpenStack components for management and control, REST API is heavily used by the Swift component for operations such as creation, deletion and/or retrieval of the object storage elements.
- A collection of name/value pairs
- An ordered list of values
Scott Lowe has a nice article on JSON as well as links to other useful pages for getting to know JSON.
This picture shows how JSON is used in a RESTful API:
image source: https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR9fOeuiLfeDczMm29hWeHOcSjeFDsY8qvD_PjCWH64ATDOSsB_ZM6SvyH-PYtLhxqTW8spTC9PWX_pk1ThvCm_0rnGpwtSZ8aZ_9COVT0pVHXQ6QBQZ_7m5NCYWHZXZBcn95Yoo3wcf8/s1600/json-rest3.png
WSGI stands for Web Server Gateway Interface. According to Wikipedia, it is a specification for a simple and universal interface between web servers and web applications or frameworks for Python.
OpenStack is written in Python, and WSGI is a natural fit if an OpenStack component needs to implement a web-based framework to handle RESTful HTTP requests and provide the responses. It can be viewed as “middleware” for the module.
Although this may not be directly related to the OpenStack API, we can find WSGI modules in the Nova and Neutron components as well as the Swift component.
The Ceilometer component, however, used Flask instead of the WSGI framework.
OpenStack API is a very powerful tool. One aspect that we cannot ignore is security.
At the very least, the RESTful HTTP-based OpenStack API can be configured to use HTTPS instead of HTTP.
RESTful HTTP APIs have 3 kinds of message authentication methods:
- Basic HTTP
I have not looked at OAuth but this is used extensively in OpenStack.
In Keystone (the OpenStack Identity Service), the identity-api is in fact the entry point for all service APIs: Keystone issues a token to the client, and this token is used for any API calls to the OpenStack API endpoints such as nova-api, glance-api, neutron-api, etc.
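
The token flow described above, combined with the WSGI middleware role mentioned earlier, as an added example that is not part of the original article and is not OpenStack's own code. The endpoint paths, JSON field names, in-memory stores and helper names are assumptions made for the illustration; `X-Auth-Token` is the header OpenStack services read the token from.

```python
import hmac, io, json, secrets, time

TOKENS = {}                  # token id -> expiry (epoch seconds); toy in-memory token store
USERS = {"demo": "s3cret"}   # constructed sample account, plaintext only for brevity

def identity_app(environ, start_response):
    """Toy identity endpoint: POST JSON credentials, get a token back as JSON."""
    try:
        raw = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
        creds = json.loads(raw)["auth"]
        ok = creds["username"] in USERS and hmac.compare_digest(USERS[creds["username"]], creds["password"])
    except (ValueError, KeyError, TypeError):
        ok = False               # malformed JSON or wrong field types: treat as a failed login
    if not ok:
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"error": "invalid credentials"}']
    token = secrets.token_hex(16)            # unguessable random token id
    TOKENS[token] = time.time() + 3600       # valid for one hour
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"token": {"id": token}}).encode()]

def token_middleware(app):
    """WSGI middleware: pass the request on only if X-Auth-Token is a live token."""
    def wrapped(environ, start_response):
        expiry = TOKENS.get(environ.get("HTTP_X_AUTH_TOKEN", ""))
        if expiry is None or expiry < time.time():
            start_response("401 Unauthorized", [("Content-Type", "application/json")])
            return [b'{"error": "missing or expired token"}']
        return app(environ, start_response)
    return wrapped

def servers_app(environ, start_response):    # stand-in for a service API endpoint
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"servers": []}']

def call(app, method, path, body=b"", headers=None):
    """Invoke a WSGI app in-process (no sockets); return (status, parsed JSON body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.input": io.BytesIO(body),
               "CONTENT_LENGTH": str(len(body)), **(headers or {})}
    seen = {}
    out = b"".join(app(environ, lambda status, hdrs: seen.update(status=status)))
    return seen["status"], json.loads(out)

def demo():
    protected = token_middleware(servers_app)
    login = json.dumps({"auth": {"username": "demo", "password": "s3cret"}}).encode()
    token = call(identity_app, "POST", "/tokens", login)[1]["token"]["id"]
    anonymous = call(protected, "GET", "/servers")[0]
    return anonymous, call(protected, "GET", "/servers", headers={"HTTP_X_AUTH_TOKEN": token})[0]
```

`demo()` returns the status seen without a token and the status seen with the freshly issued one, so the effect of the middleware on the same endpoint is visible side by side.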