Quantum RBAC

Published in: Technology, Business

  1. RBAC for Quantum
     • http://etherpad.openstack.org/QuantumRBAC
     • Tuesday, October 4 12.00 PM
     • OpenStack “Essex” design summit, Boston – October 3-5 2001
     • Netstack track
  2. Agenda
     • Current status
     • RBAC use cases
     • Outcome from Keystone RBAC session
     • Open discussion
  3. Current status
     • No Authentication/No Authorization
     • Unofficially:
       • Authentication provided by Keystone
       • Simple Authorization performed with data returned by Keystone
     • Issue: AuthZ requires expressing predicates on resources outside Quantum boundaries
       • E.g.: the VIF, which is managed by Nova
  4. Relevant Use Cases for RBAC
     • Public and ‘community’ networks
       • Networks which are owned by a specific tenant, but are accessible to other tenants as well
     • Distinct roles within tenants
       • Standard user / network administrator
     • ‘Service’ resources
       • Some interfaces might belong to services which are inserted by the Cloud Service Provider
       • Recalls yesterday’s discussion
     • Something missing?
  5. Public/Community networks
     • Definition: A network on which several tenants can plug their own interfaces, but which is nevertheless always ‘owned’ by a single tenant
     • Implementation:
       • Simple way: the service provider acts as a tenant
         • Single public network per deployment
       • Bit more complex way: the service provider defines and owns several ‘public networks’
         • E.g.: each network has different QoS/security attributes
       • Even more complex way: tenants can delegate access to their network to other tenants
  6. Multiple roles within tenants
     • A tenant can define several users
       • Keystone already allows this
     • Users are not all equal
       • Keystone uses roles for handling this
     • Introducing user roles in Quantum:
       • Associating roles with base and extended operations
       • ‘Fixed’ roles
       • Fully customizable roles
  7. Authorizing ‘Service’ interfaces
     • Use case highlighted in Edgar’s session on Monday
  8. Outcome of Keystone RBAC session
     • ?
  9. Implementation
     • Current proposal available here: http://wiki.openstack.org/QuantumAuthSpec
  10. Follow-up actions
     • Prioritize use cases
     • Decide on an implementation strategy for each use case
     • Associate tasks with names!
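
The use cases on slides 3, 5 and 6 combined into one authorization check, as an added example that is not part of the slides or of Quantum's code. The role names, operation names and the `vif_owner` argument (standing in for ownership data that Nova would have to supply) are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical role-to-operation map (slide 6: roles associated with operations).
ROLE_OPERATIONS = {
    "network_admin": {"delete_network", "delegate_access", "plug_interface"},
    "user": {"plug_interface"},
}

@dataclass
class Network:
    owner: str                                      # always owned by a single tenant
    public: bool = False                            # provider-defined public network
    delegated_to: set = field(default_factory=set)  # tenants granted access by the owner

@dataclass
class Identity:
    tenant: str
    roles: frozenset

def can_access(net, ident):
    """Tenant-level check: owner, public network, or delegated tenant (slide 5)."""
    return net.public or ident.tenant == net.owner or ident.tenant in net.delegated_to

def authorize(ident, operation, net, vif_owner=None):
    """Return (allowed, reason). vif_owner is assumed to come from the compute service."""
    if not any(operation in ROLE_OPERATIONS.get(r, ()) for r in ident.roles):
        return False, "role does not permit operation"
    if operation in ("delete_network", "delegate_access"):
        # Management stays with the owning tenant, even on a shared network.
        if ident.tenant != net.owner:
            return False, "only the owning tenant may manage the network"
        return True, "ok"
    if not can_access(net, ident):
        return False, "tenant has no access to network"
    if operation == "plug_interface":
        # Predicate on a resource outside the network service (slide 3): fail closed.
        if vif_owner is None:
            return False, "VIF ownership unknown"
        if vif_owner != ident.tenant:
            return False, "VIF belongs to another tenant"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: tenant-b plugs its own VIF into a provider public network.
    public_net = Network(owner="provider", public=True)
    bob = Identity("tenant-b", frozenset({"user"}))
    print(authorize(bob, "plug_interface", public_net, vif_owner="tenant-b"))
```
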
