CIS14: Identity in OpenStack Icehouse

David Waite, Ping Identity
Overview of the OpenStack project, in particular the Keystone subproject responsible for identity, how to leverage the features in the newest OpenStack release for your own usage for tying into external identity systems, and some of the potential directions that OpenStack could take in the future.

Published in: Technology

CIS14: Identity in OpenStack Icehouse

  1. Identity and OpenStack Icehouse
     David Waite, Technical Architect, Ping Labs, Ping Identity
  2. Contents
     • What is OpenStack
     • What components are in OpenStack
     • Keystone, the Identity component of OpenStack
     • Tokens
     • Integration
     • Federation
     • What's coming?
  3. What is OpenStack?
     • Cloud Computing Platform
     • Infrastructure-as-a-Service
     • Used for private and public clouds
     • Multi-tenant (project)
  4. What is OpenStack?
     • Strives for Openness:
       • Source
       • Standards
       • Design
       • Development
       • Community
     • Modular architecture promoting individual projects
  5. Who uses OpenStack?
     • Targeting service offerings, enterprises, and government/academic institutions
     • Industries like IT, telco, SaaS, Finance and Healthcare
     • Name Dropping
       • Paypal, Best Buy, Comcast, CERN
     • https://www.openstack.org/user-stories/
  6. Cloud Stack (no text on slide)
  7. Continuum (no text on slide)
  8. Cloud Environments (no text on slide)
  9. OpenStack Architecture (no text on slide)
     What does OpenStack Provide? (Function: Purpose)
     • Compute: Virtual Machines, management of underlying CPU/Memory usage (EC2)
     • Network: Software Defined Networking and Load Balancing
     • Storage: Object and Block storage (EC2/EBS, Azure Blob Storage)
     • Image: Virtual Machine image management
     • Telemetry: Metrics on usage of infrastructure resources
     • Dashboard: User Interface for controlling/inspecting infrastructure
     • Database: Database as a Service
     • Identity: Manage API and administrative access to everything else
  10. Identity, AKA Keystone
     • Identity Services for all of OpenStack
     • Authentication
     • Coarse authorization
     • Facade for existing identity systems
     • Token-based access
     • Catalog of service endpoints
     • Policy storage for RBAC
  11. Security of Tiers Differ (no text on slide)
  12. Integration
     • OpenStack supports several integration options
     • User Directories
       • LDAP (read-only and read-write)
       • SQL
       • Key-Value Store
     • Authentication
       • Password
       • External via HTTP Server (X.509, Kerberos, SAML)
  13. Keystone Tokens
     • Represents authorization
     • Scoped to a Project*
     • Bearer tokens only
     • All APIs secured with tokens
  14. Keystone Tokens
     • Two formats
       • Opaque (UUID)
       • Structured (PKI)
     • Limited Lifetime (1 - 24hr)
     • No token refresh
     • Revocable
  15. Authentication (no text on slide)
  16. Token (no text on slide)
  17. Typical API call (no text on slide)
  18. Federation
     • Icehouse now supports SAML
       • Via the Shibboleth Open Source project
     • SAML Web SSO and ECP (Enhanced Client) profiles
     • No Web UI support
     • Exchange SAML for token
  19. Hybrid Cloud (no text on slide)
  20. Hybrid Cloud Uses
     • Grow from Private to Public cloud
     • Seasonal Load or Dynamic Load
     • Migrate resources between Private/Public cloud
     • Sharing relationships across Private infrastructure
  21. What's Coming (with Caveats)
     • Domain-specific Authentication Drivers
     • SAML SSO Support for Horizon
       • Administrators logging into console with Federation
     • OpenID Connect support
       • Alternate (social) protocol for SSO
  22. Questions?
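As an added example (not from the slides, and not OpenStack's own client code), here is a small Python helper showing the token behaviour from slides 13 and 14: a project-scoped password authentication request to Keystone v3, the bearer token returned in the X-Subject-Token header, its fixed expiry with no refresh, and the X-Auth-Token header that every other API call carries. The user, project, credentials and sample reply are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

def build_password_auth(user, password, project, domain_id="default"):
    """Request body for POST /v3/auth/tokens: password method, project scope
    (slide 13: Keystone tokens are scoped to a project)."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user, "password": password,
                                           "domain": {"id": domain_id}}}},
        "scope": {"project": {"name": project, "domain": {"id": domain_id}}}}}

def _parse_ts(ts):
    # Keystone v3 timestamps look like 2014-07-21T18:00:00.000000Z (UTC)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def parse_token_response(headers, body):
    """Keystone returns the token itself (UUID or PKI, opaque to the client)
    in the X-Subject-Token header and its metadata in the JSON body."""
    data = json.loads(body)["token"]
    return {"token": headers["X-Subject-Token"],
            "expires_at": _parse_ts(data["expires_at"]),
            "project_id": data["project"]["id"],
            "roles": [r["name"] for r in data.get("roles", [])]}

def needs_reauth(tok, now_iso, skew_seconds=300):
    """Keystone has no refresh (slide 14): near expiry, authenticate again.
    A 401 from any service (revoked token) must trigger the same path."""
    return _parse_ts(now_iso) + timedelta(seconds=skew_seconds) >= tok["expires_at"]

def auth_headers(tok):
    """Every OpenStack API call presents the bearer token in X-Auth-Token."""
    return {"X-Auth-Token": tok["token"], "Content-Type": "application/json"}

# Constructed sample reply (not captured from a real Keystone deployment).
SAMPLE_HEADERS = {"X-Subject-Token": "constructed-token-value"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2014-07-21T18:00:00.000000Z",
    "project": {"id": "p1", "name": "demo"},
    "roles": [{"id": "r1", "name": "member"}]}})

if __name__ == "__main__":
    tok = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(json.dumps(build_password_auth("alice", "s3cret", "demo"), indent=1))
    print(auth_headers(tok), needs_reauth(tok, "2014-07-21T17:57:00.000000Z"))
```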
