Quantum RBAC

Published in: Technology, Business

Transcript

  • 1. RBAC for Quantum
    http://etherpad.openstack.org/QuantumRBAC
    Tuesday, October 4 12.00 PM
    OpenStack “Essex” design summit
    Boston – October 3-5 2001
    Netstack track
  • 2. Agenda
    Current status
    RBAC use cases
    Outcome from Keystone RBAC session
    Open discussion
  • 3. Current status
    No Authentication/No Authorization
    Unofficially:
    Authentication provided by Keystone
    Simple Authorization performed with data returned by Keystone
    Issue: AuthZ requires expressing predicates on resources outside Quantum boundaries
    E.g.: the VIF, which is managed by Nova
  • 4. Relevant Use Cases for RBAC
    Public and ‘community’ networks
    Networks which are owned by a specific tenant, but are accessible to other tenants as well
    Distinct roles within tenants
    Standard user / network administrator
    ‘Service’ resources
    Some interfaces might belong to services which are inserted by the Cloud Service Provider
    Recalls yesterday’s discussion
    Something missing?
  • 5. Public/Community networks
    Definition: A network on which several tenants can plug their own interfaces, but is nevertheless always ‘owned’ by a single tenant
    Implementation:
    Simple way: the service provider acts as a tenant
    Single public network per deployment
    Bit more complex way: service provider defines and owns several ‘public networks’
    E.g.: each network has different QoS/security attributes
    Even more complex way: tenants can delegate access to their network to other tenants
  • 6. Multiple roles within tenants
    A tenant can define several users
    Keystone already allows this
    Users are not all equal
    Keystone uses roles for handling this
    Introducing user roles in Quantum:
    Associating roles with base and extended operations
    ‘Fixed’ roles
    Fully customizable roles
  • 7. Authorizing ‘Service’ interfaces
    Use case highlighted in Edgar’s session on Monday
  • 8. Outcome of Keystone RBAC session
    ?
  • 9. Implementation
    Current proposal available here:
    http://wiki.openstack.org/QuantumAuthSpec 
  • 10. Follow-up actions
    Prioritize use cases
    Decide on an implementation strategy for each use case
    Associate tasks with names!
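
The cases on slides 3 to 6 combined into one authorization decision, as an added example that is not from the deck or from the Quantum code base. The role names, operation names, the `Identity` and `Network` shapes and the `authorize` function are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical 'fixed' roles and operation names, chosen for this example only.
ROLE_OPERATIONS = {
    "network_admin": {"create_network", "delete_network", "delegate_access",
                      "plug_interface", "unplug_interface"},
    "user": {"plug_interface", "unplug_interface"},
}
# Operations a tenant may perform on a network it does not own.
CROSS_TENANT_OPERATIONS = {"plug_interface", "unplug_interface"}
INTERFACE_OPERATIONS = {"plug_interface", "unplug_interface"}


@dataclass(frozen=True)
class Identity:
    """Tenant and roles as returned by the identity service (assumed shape)."""
    tenant: str
    roles: frozenset


@dataclass
class Network:
    owner_tenant: str                  # always exactly one owner
    public: bool = False               # any tenant may plug its interfaces
    delegated_to: set = field(default_factory=set)  # tenants granted access by owner


def authorize(identity, operation, network, interface_owner=None):
    """Return True only if role, tenant scope and interface ownership all allow it."""
    # 1. Role check: some role held by the user must include the operation.
    permitted = set().union(*(ROLE_OPERATIONS.get(r, set()) for r in identity.roles))
    if operation not in permitted:
        return False
    # 2. Tenant scope: non-owners need a public or delegated network, and
    #    are limited to the cross-tenant operations.
    if identity.tenant != network.owner_tenant:
        if operation not in CROSS_TENANT_OPERATIONS:
            return False
        if not (network.public or identity.tenant in network.delegated_to):
            return False
    # 3. Interface ownership is held outside the network service, so the caller
    #    must supply it. Unknown or foreign ownership fails closed.
    if operation in INTERFACE_OPERATIONS and interface_owner != identity.tenant:
        return False
    return True
```

The `interface_owner` argument stands in for the predicate on the VIF noted on slide 3: the check cannot be decided from network data alone, so a missing value is treated as a denial.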
