vBACD July 2012 - Case Study: Extending CloudStack to Authenticate Third-Party Services

“Case Study: Extending CloudStack to Authenticate Third-Party Services”, Will Stevens, Lead Developer, CloudOps
CloudStack provides a stable compute stack with great features and performance for virtual machine functionality (the compute service). However, mature cloud solutions must offer more than just virtual machines to their customers, whether they are internal IT users of an enterprise cloud or customers of a cloud hosting service provider. This presentation will address how CloudOps, in partnership with cloud hosting provider cloud.ca, worked to extend CloudStack to connect to other services such as an object store service, based on OpenStack Swift.

  • long history of expertise in load balancers and web applications (we were doing cloud before it was called cloud)
  • we believe in open-source and open-core solutions (e.g. commercially supported open-source)
  • we are the second Citrix Cloud Advisor in North America (first and only in Canada but not sure we want to focus on the fact that we are Canadian)
  • 3 types of customers: SaaS, enterprises and service providers

    1. CASE STUDY: CLOUDSTACK WITH OPENSTACK SWIFT
       Authentication, usage and more…
    2. WHO AM I?
       • Will Stevens – Lead Developer at CloudOps
       • Work with Python, Ruby, PHP, Java, jQuery, JavaScript, JSON, HTML, CSS and MySQL
       • Recent project: Custom Python development building reports for a customer using data from the XenServer API.
    3. WHO IS CLOUDOPS?
       • Founded in 2005.
       • We build and manage private and hybrid clouds.
       • Focus on managed cloud operations.
       • Cloud infrastructure built on Citrix/CloudStack solutions, including CloudStack/CloudPlatform and XenServer.
    4. WHAT IS THE PROJECT?
       Customer background
       • Launching a Canadian-owned public cloud in Canada.
       • Planning to launch an object storage service first, followed by a compute service.
       Customer Requirements
       • Looking for best open-source solutions for compute and object storage.
       • Decided on CloudStack for compute and OpenStack Swift for object store.
       • Required custom integration between the platforms.
    5. REQUIREMENT FOR CUSTOM INTEGRATION
       • Swift is an open source, Apache-licensed massively scalable redundant storage system.
       • CloudStack already allows for VM snapshots and template images to be stored on Swift via Secondary Storage.
       • CloudStack does not enable Swift to be used as an object store by its users.
    6. WHAT IS NEEDED TO INTEGRATE?
       • Swift needs to authenticate CloudStack users to enable them to use the service. Implemented via ‘cs_auth’ or ‘mauth’.
       • Swift usage data needs to be made available to the billing implementation. Implemented via ‘swift_usage’.
       • Swift needs to be integrated into the CloudStack UI to enable the functionality for the CS users. Requires custom development.
    7. WHAT IS ‘CS_AUTH’?
       • Swift authentication middleware which enables the authentication of CloudStack users via the CS API.
       • Uses a caching mechanism to store a CloudStack user identity in Swift, so no database syncing is required.
       • Leverage CloudStack’s user management instead of introducing an additional auth system.
    8. WHAT DOES ‘CS_AUTH’ ENABLE?
       • Implements role based ACL, including public access.
       • Handles S3 requests via the ‘swift3’ middleware.
       • Improved performance by using identity caching, not requiring the auth middleware to hit a 3rd party auth system via the network on every request.
       • Works out of the box with common tools: Cyberduck, Swift Bench, Swift Dispersion, Swift Recon
    9. ‘CS_AUTH’ REQUEST FLOW
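    10. ANATOMY OF ‘CS_AUTH’

        ```python
        # Excerpt from inside the middleware class: `cs` holds the CloudStack
        # user fields and `expires` is the expiry time of the cached identity.
        # The token is derived from the user's secret key and API key.
        token = hashlib.sha224('%s%s' % (cs['secretkey'], cs['apikey'])).hexdigest()
        # The account URL carries the reseller prefix when one is configured.
        if self.reseller_prefix != '':
            account_url = '%s/v1/%s_%s' % (self.storage_url, self.reseller_prefix, quote(cs['account']))
        else:
            account_url = '%s/v1/%s' % (self.storage_url, quote(cs['account']))
        # The identity that gets cached in Swift.
        identity = dict({
            'username': cs['username'],
            'account': cs['account'],
            'token': token,
            'account_url': account_url,
            'domain': dict({
                'id': cs['domainid'],
                'name': cs['domain']
            }),
            'roles': [self.cs_roles[cs['accounttype']], cs['account']],
            'expires': expires
        })
        ```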
    11. WHAT IS ‘MAUTH’?
        • ‘mauth’ is a project we are working on with SwiftStack.
        • ‘mauth’ reuses the 3rd party identity caching used in ‘cs_auth’, but implements it in an extensible way.
        • Extensions could be written to enable Swift auth support for ActiveDirectory, SAML, LDAP, etc…
        • By default, ‘mauth’ includes an extension for authenticating against the CloudStack API.
    12. WHAT ABOUT THE SWIFT USAGE?
        • Slogging is a production ready, open source usage logging middleware for Swift.
        • Unfortunately the slogging logs are not usable by most billing systems.
        • I developed the ‘swift_usage’ middleware for Swift to simplify the process of getting the usage data into a billing system.
    13. HOW DOES ‘SWIFT_USAGE’ WORK?
        • ‘swift_usage’ is made up of two parts:
          1. slogging log parser and processor.
          2. a REST service to expose the usage data.
        • The processor continually parses the logs and stores the usage data in mongodb objects.
        • The REST service exposes the mongodb objects securely using an api_key and signature mechanism which is validated with a secret_key.
    14. WHAT ABOUT A UI?
        • Custom development is required to integrate Swift into the CloudStack UI.
    15. CHALLENGES DEVELOPING A UI
        • Extending the CloudStack UI presents some challenges due to its single page implementation.
        • Representing an object store as a file system has its own challenges. (managing pseudo folders, etc…)
        • Uploading large files (> 50Mb) through the browser can cause unwanted behavior.
        • Most browsers only support POST (not PUT), so uploading to a strict REST API requires preprocessing.
    16. WHAT IS NEEDED TO INTEGRATE?
        • Swift needs to authenticate CloudStack users to enable them to use the service. Implemented via ‘cs_auth’ or ‘mauth’.
        • Swift usage data needs to be made available to the billing implementation. Implemented via ‘swift_usage’.
        • Swift needs to be integrated into the CloudStack UI to enable the functionality for the CS users. Requires custom development.
    17. IS ANY OF THIS OPEN SOURCE?
        • ‘cs_auth’, ‘mauth’ and ‘swift_usage’ are all open source and available for you to use.
        • Get the source at: github.com/cloudops
        • Learn more about CloudOps at: www.cloudops.com
        • Follow us at: twitter.com/CloudOps_
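
The identity caching described on slides 7, 8 and 10, as an added Python 3 example that is not code from the cs_auth project. `CachedAuth`, `sample_lookup`, the `CS_ROLES` names, the in-memory dict standing in for the cache and the sample user are all assumptions; the token derivation and identity fields follow slide 10.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

CS_ROLES = {0: 'user', 1: 'admin', 2: 'domainadmin'}  # assumed role names
# Constructed sample backend standing in for the CloudStack API.
USERS = {'demo-api-key': {'apikey': 'demo-api-key', 'secretkey': 'demo-secret',
                          'username': 'alice', 'account': 'acme', 'accounttype': 0}}

def sample_lookup(apikey, secretkey):
    """Hypothetical backend check: return the user record or None."""
    user = USERS.get(apikey)
    if user and hmac.compare_digest(user['secretkey'].encode(), secretkey.encode()):
        return user
    return None

class CachedAuth:
    def __init__(self, lookup, storage_url, prefix='AUTH', ttl=3600, clock=time.time):
        self.lookup, self.storage_url, self.prefix = lookup, storage_url, prefix
        self.ttl, self.clock = ttl, clock
        self.cache = {}         # stand-in for the shared cache: token -> identity
        self.backend_calls = 0  # counts round trips to the identity backend

    def login(self, apikey, secretkey):
        """Validate the keys against the backend once and cache the identity."""
        self.backend_calls += 1
        cs = self.lookup(apikey, secretkey)
        if cs is None:
            return None
        token = hashlib.sha224((cs['secretkey'] + cs['apikey']).encode()).hexdigest()
        account = quote(cs['account'])
        if self.prefix:
            account = '%s_%s' % (self.prefix, account)
        identity = {'username': cs['username'], 'account': cs['account'],
                    'token': token,
                    'account_url': '%s/v1/%s' % (self.storage_url, account),
                    'roles': [CS_ROLES[cs['accounttype']], cs['account']],
                    'expires': self.clock() + self.ttl}
        self.cache[token] = identity
        return identity

    def identity_for(self, token):
        """Resolve a token from the cache only; expired entries are evicted."""
        identity = self.cache.get(token)
        if identity is None:
            return None
        if identity['expires'] <= self.clock():
            del self.cache[token]
            return None
        return identity
```

Because requests are resolved from the cache, a user removed from the backend keeps a working token until the cached entry expires, so the TTL bounds the revocation delay.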
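
The api_key and signature check from slide 13, as an added Python 3 example that is not code from swift_usage. The page does not give the signing scheme, so this assumes the CloudStack API convention (sorted, URL-encoded, lowercased query string, HMAC-SHA1, base64); the `signature` parameter name, `SECRETS` store and sample keys are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed key store: api_key -> secret_key.
SECRETS = {'demo-api-key': 'demo-secret'}

def sign(params, secret_key):
    """Sign the canonical (sorted, URL-encoded, lowercased) query string."""
    pairs = sorted((k.lower(), quote(str(v), safe='').lower())
                   for k, v in params.items())
    canonical = '&'.join('%s=%s' % kv for kv in pairs)
    mac = hmac.new(secret_key.encode(), canonical.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(params):
    """Return True only if the request carries a valid signature for its api_key."""
    unsigned = {k: v for k, v in params.items() if k != 'signature'}
    secret = SECRETS.get(unsigned.get('api_key', ''))
    if secret is None:
        return False
    expected = sign(unsigned, secret)
    supplied = str(params.get('signature', ''))
    # Compare as bytes in constant time; str inputs would raise on non-ASCII.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```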
    18. 18. +

    ×