
Identity in OpenStack: the Challenge of Multitenancy

Keystone is the OpenStack component responsible for identity management and
user authentication and authorization, which has unique challenges in
cloud-like environments where secure sharing of resources is an essential
requirement and yet is fundamental to the core idea of collaborative
computing. This introductory talk will give an overview of the keystone
project, including:

* The many ways users and applications can securely authenticate with
keystone, including SAML2.0, OpenID Connect, X.509 and Kerberos
* The implications for authorization in a multitenant environment and how
role-based access control is designed in keystone
* How keystone relates to projects outside of the OpenStack ecosystem such as
Kubernetes


  1. Identity in OpenStack: The Challenges of Multitenancy. Colleen Murphy, cmurphy/@cmurpheus
  2. who am I?
     • Cloud Engineer at SUSE
     • OpenStack contributor
     • Project Team Lead for OpenStack Keystone
  3. what is this talk about?
     • introduction to keystone
     • consequences of multitenancy
  4. The Principles of Cloud
     • multitenancy
     • self-service
  5. multitenancy
     • collaboration in isolation
     • secure sharing of physical resources
  6. self-service
     • user autonomy
     • automatable
     • discovery
  7. what is OpenStack?
     • open source cloud platform
     • Infrastructure as a Service
     • virtualization
  8. (image slide)
  9. what is keystone?
     • identity
     • authentication
     • authorization
     • discovery
  10. discovery
     • entrypoint into the cloud
     • bridge between components
  11. $ openstack catalog list

      +-------------+----------------+---------------------------------------------------------------+
      | Name        | Type           | Endpoints                                                     |
      +-------------+----------------+---------------------------------------------------------------+
      | nova        | compute        | eu-central-1                                                  |
      |             |                |   internal: https://198.51.100.42:8774/v2.1                   |
      |             |                | eu-central-1                                                  |
      |             |                |   public: https://public.cloud.example.de:8774/v2.1           |
      |             |                |                                                               |
      | glance      | image          | eu-central-1                                                  |
      |             |                |   public: https://public.cloud.example.de:9292                |
      |             |                | eu-central-1                                                  |
      |             |                |   internal: https://198.51.100.42:9292                        |
      |             |                |                                                               |
      | swift       | object-store   | eu-central-1                                                  |
      |             |                |   internal: https://198.51.100.42:8081/swift/v1               |
      |             |                | eu-central-1                                                  |
      |             |                |   public: https://engcloud-swift.cloud.suse.de:8081/swift/v1  |
      |             |                |                                                               |
      | keystone    | identity       | eu-central-1                                                  |
      |             |                |   internal: https://198.51.100.42:5000/v3/                    |
      |             |                | eu-central-1                                                  |
      |             |                |   public: https://public.cloud.example.de:5000/v3             |
      |             |                |                                                               |
      | cinder      | volume         | eu-central-1                                                  |
      |             |                |   internal: https://198.51.100.42:8776/v3                     |
      |             |                | eu-central-1                                                  |
      |             |                |   public: https://public.cloud.example.de:8776/v3             |
      |             |                |                                                               |
      | neutron     | network        | eu-central-1                                                  |
      |             |                |   public: https://public.cloud.example.de:9696/               |
      |             |                | eu-central-1                                                  |
      |             |                |   internal: https://198.51.100.42:9696/                       |
      |             |                |                                                               |
      +-------------+----------------+---------------------------------------------------------------+
  12. identity
     • storage
     • broker
  13. authentication
     • token service
       • fernet
       • JWT
       • SAML2.0
  14. (image slide)
  15. keystone-native authentication
     • password
     • application credential
     • totp (MFA)
  16. external authentication
     • x.509
     • kerberos
  17. federated authentication
     • SAML2.0
     • OpenID Connect
  18. authorization
     • "scoped" role-based access control
     • role definitions owned by each component
  19. roles and policies
     • role names created in keystone
     • role meaning defined by policy rules
  20. Nova policy rules (excerpt):

      # List all servers
      # GET /servers
      "os_compute_api:servers:index": "role:admin or project_id:%(project_id)s"

      # Show a server
      # GET /servers/{server_id}
      "os_compute_api:servers:show": "role:admin or project_id:%(project_id)s"

      # Create a server
      # POST /servers
      "os_compute_api:servers:create": "role:admin or project_id:%(project_id)s"

      # Delete a server
      # DELETE /servers/{server_id}
      "os_compute_api:servers:delete": "role:admin or project_id:%(project_id)s"

      # Update a server
      # PUT /servers/{server_id}
      "os_compute_api:servers:update": "role:admin or project_id:%(project_id)s"

      # Reboot a server
      # POST /servers/{server_id}/action (reboot)
      "os_compute_api:servers:reboot": "role:admin or project_id:%(project_id)s"

      # Start a server
      # POST /servers/{server_id}/action (os-start)
      #"os_compute_api:servers:start": "role:admin or project_id:%(project_id)s"

      # Stop a server
      # POST /servers/{server_id}/action (os-stop)
      "os_compute_api:servers:stop": "role:admin or project_id:%(project_id)s"
  21. scope
     • project
     • domain
     • system
  22. assignments
     • user A has role B on project C
  23. (image slide)
  24. "Not only does the entire system need to be aware of identities, roles, and assignment, but it also needs to properly account for scope of specific operations."
      http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-security-roadmap.html
  25. problem #1: bug 968696
     • security hole that violates the Principle of Least Privilege
     • https://bugs.launchpad.net/keystone/+bug/968696
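The policy rules on slide 20 all read "role:admin or project_id:%(project_id)s", and slide 25 calls the resulting hole a least-privilege violation. The following is an added example (not code from the talk or from keystone/oslo.policy): a minimal evaluator for that rule syntax, supporting only "key:value" checks joined by "and"/"or" with "%(field)s" placeholders resolved against the target resource (an assumed subset of the real grammar), used to show that the "role:admin" branch never consults the token's project scope, while a hypothetical scoped variant does.

```python
# Added example: tiny evaluator for oslo.policy-style rule strings as shown on the
# Nova policy slide. Supported grammar (an assumption, a subset of the real one):
# disjuncts joined by " or ", conjuncts joined by " and ", each check "kind:value",
# where value may be a "%(field)s" placeholder looked up in the target resource.
import re

PLACEHOLDER = re.compile(r"^%\((\w+)\)s$")

def check(kind: str, value: str, target: dict, creds: dict) -> bool:
    """Evaluate one 'kind:value' check against the token's credentials."""
    m = PLACEHOLDER.match(value)
    if m:
        value = str(target.get(m.group(1)))
    if kind == "role":
        # A role check only asks "is the role in the token?"; it says nothing
        # about *where* that role was assigned.
        return value in creds.get("roles", [])
    # Any other kind compares a credential field with the (resolved) value,
    # e.g. project_id:%(project_id)s compares token scope to the resource.
    return str(creds.get(kind)) == value

def enforce(rule: str, target: dict, creds: dict) -> bool:
    """'and' binds tighter than 'or'; no parentheses (kept deliberately small)."""
    for disjunct in rule.split(" or "):
        if all(check(*c.split(":", 1), target, creds) for c in disjunct.split(" and ")):
            return True
    return False

# The rule exactly as it appears on the slide.
SHOW_RULE = "role:admin or project_id:%(project_id)s"
# Hypothetical scoped variant: admin-ness only counts inside the target project.
SCOPED_RULE = "role:admin and project_id:%(project_id)s"

SERVER_IN_P2 = {"project_id": "p2"}   # constructed target resource

def member_of_p1_on_own_server() -> bool:
    return enforce(SHOW_RULE, {"project_id": "p1"}, {"roles": ["member"], "project_id": "p1"})

def member_of_p1_on_p2() -> bool:
    # Denied: wrong project, no admin role.
    return enforce(SHOW_RULE, SERVER_IN_P2, {"roles": ["member"], "project_id": "p1"})

def admin_of_p1_on_p2() -> bool:
    # Allowed by the role:admin branch even though the token is scoped to p1.
    return enforce(SHOW_RULE, SERVER_IN_P2, {"roles": ["admin"], "project_id": "p1"})

def scoped_admin_of_p1_on_p2() -> bool:
    # Denied: the scoped variant also requires matching project scope.
    return enforce(SCOPED_RULE, SERVER_IN_P2, {"roles": ["admin"], "project_id": "p1"})
```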
  26. problem #2: no discovery
     • no way to answer the question "what role do I need for this operation?"
  27. problem #3: no self-service
     • role definitions controlled by cloud operator
  28. keystone beyond OpenStack
     • identity and authentication • ceph • kubernetes
     • authorization? • ...
     • discovery? • ...
  29. what's next?
     • proxy identity provider
     • system scope everywhere
     • quotas
  30. The Principles of Cloud
     • multitenancy
     • self-service
  31. The Principles of Cloud
     • multitenancy: collaboration
     • self-service: automation
  32. freenode: #openstack-keystone
      email: openstack-discuss@lists.openstack.org (subject tag [keystone])
  33. questions?
