OpenStack Security



  1. IBM Security Systems – OpenStack Security. Sreekanth Iyer, Executive IT Architect, IBM Security Systems. © 2013 IBM Corporation
  2. OpenStack - Core Projects / Components
     • Compute (Nova) – Provision and manage virtual machines
     • Dashboard (Horizon) – Self-service portal
     • Image (Glance) – Catalog and manage server images
     • Identity (Keystone) – Unified authentication, integrates with existing systems
     • Object Storage (Swift) – petabytes of secure, reliable object storage
  3. Keystone (Identity Service) offers project-wide identity, token, service catalog, and policy services designed to integrate with existing systems.
     Core Use Cases:
     • Authenticate user / password requests against multiple backends (SQL, LDAP, etc.) (Identity Service)
     • Validate / manage tokens used after initial username/password verification (Token Service)
     • Endpoint registry of available services (Service Catalog)
     • Authorize API requests (Policy Service)
     Key Capabilities:
     • User / Tenant model with Role-Based Access Control
     • Policy service provides a rule-based authorization engine and the associated rule management interface.
     • Each service is configured to serve data from a pluggable backend (Key-Value, SQL, PAM, LDAP, Templates)
     • REST-based APIs
  4. Basic Concepts – The Identity service has two primary functions:
     – User management: keep track of users and what they are permitted to do
     – Service catalog: provide a catalog of what services are available and where their API endpoints are located
  5. Identity Service – Key terms
     • User – A digital representation of a person, system, or service. Users have a login and may be assigned tokens to access resources. Users may be directly assigned to a particular tenant.
     • Token – An arbitrary bit of text that is used to access resources; it is valid for a finite duration and can be revoked at any time.
     • Tenant – A container used to group or isolate resources and/or identity objects. Depending on the service operator, a tenant may map to a customer, account, organization, or project.
     • Credentials – Data that belongs to, is owned by, and generally only known by a user, which the user can present to prove they are who they are, for example username/password.
     • Service – An OpenStack service, such as Compute (Nova), Object Storage (Swift), or Image Service (Glance). A service provides one or more endpoints through which users can access resources and perform (presumably useful) operations.
     • Authentication – Validating the user's claims, such as a set of credentials (username & password, or username and API key). After initial confirmation, Keystone will issue the user a token which the user can then provide to demonstrate that their identity has been authenticated when making subsequent requests.
     • Endpoint – A network-accessible address, usually described by a URL, where a service may be accessed.
     • Role – A personality that a user assumes when performing a specific set of operations. A role includes a set of rights and privileges.
  6. Identity Service – Key Concepts
     Identity Management: Tenant -> User -> [ Credential | Token | Role ]
     • Tenants have Users. Users can belong to many tenants.
     • Users authenticate using a Credential and get a time-scoped Token.
     • Tenant + User pairs can have many roles.
     RBAC:
     • OpenStack has a configurable RBAC system that can be used to customize API access by Role.
     • A Role is given to a user in Keystone.
     • The API access is defined by a policy.json file that is specific to each project (Nova example).
     • In Keystone, a token that is issued to a user includes the list of roles that user can assume.
     • Services that are being called by that user determine how they interpret the set of roles a user has and which operations or resources each role grants access to.
     Service "Catalog": Service -> Endpoint
     • Services (e.g. Compute, Object Storage, Image Service) have many Endpoints.
     • Endpoints are typically a URL + where it is accessible from (e.g. internal, public).
  7. Keystone Workflow (diagram)
  8. Configuring Services to work with Keystone
     Once Keystone is installed and running, services need to be configured to work with it. In general: clients making calls to the service will pass in an authentication token. The Keystone middleware will look for and validate that token, taking the appropriate action. It will also retrieve additional information from the token such as user name, id, tenant name, id, roles, etc. The middleware will pass those data down to the service as headers.
     Keystone Auth-Token Middleware – The Keystone auth_token middleware is a WSGI component that can be inserted in the WSGI pipeline to handle authenticating tokens with Keystone.
     Configuring Keystone for an LDAP backend – It is possible to connect an LDAP backend with the Identity service Keystone.
  9. Keystone APIs
     • Token Operations
     • User Operations
     • Tenant Operations
  10. Keystone – Observations & Enhancements
      • Integration with enterprise security systems
      • Support for Security Standards & Federation – Need to support external services for Authentication and Authorization, i.e. OAuth, SAML and OpenID
      • Audit, Compliance & Governance – Current logging is mostly focused on debugging and monitoring; need an automated way to provide audit and assessment data
      • Scalability and Performance – Need to scale and perform for enterprise-grade deployments
      • Support for Multi-tenancy & Keystone Domains
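The policy.json mechanism from slide 6 (a rule file specific to each project, roles carried in the token, and each service deciding what those roles grant) as an added worked example; this is not code from the slides or from OpenStack itself, which uses the oslo.policy library for this. It evaluates the legacy string-form rule syntax (`role:x`, `rule:x`, `attr:value` terms joined by `and`/`or`, the empty rule, and `!`). The sample policy and its rule names are constructed to resemble Nova's, and `load_policy`, `PolicyEngine` and `make_credentials` are names chosen here.

```python
import json

# Constructed sample policy in the legacy policy.json string syntax
# (assumption: rule names modelled on Nova's, not copied from it).
POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "compute:get": "",
    "compute:delete": "rule:admin_or_owner",
    "compute:unlock_override": "rule:context_is_admin",
    "compute:never": "!"
}
"""


class PolicyEngine:
    """Evaluates 'role:x', 'rule:x' and 'attr:value' terms joined by and/or."""

    def __init__(self, rules):
        self.rules = rules

    def enforce(self, action, target, creds):
        """Return True if creds may perform action on target (dict of attrs)."""
        rule = self.rules.get(action, self.rules.get("default"))
        if rule is None:
            return False            # no rule and no default: deny
        return self._eval(rule, target, creds, depth=0)

    def _eval(self, rule, target, creds, depth):
        if depth > 10:
            return False            # guard against self-referencing rules
        if rule == "":
            return True             # empty rule: always allowed
        if rule == "!":
            return False            # '!' rule: never allowed
        # 'or' binds weaker than 'and', as in the legacy string parser
        return any(
            all(self._check(term.strip(), target, creds, depth)
                for term in disjunct.split(" and "))
            for disjunct in rule.split(" or ")
        )

    def _check(self, term, target, creds, depth):
        kind, _, value = term.partition(":")
        if kind == "rule":
            return self._eval(self.rules.get(value, "!"), target, creds, depth + 1)
        if kind == "role":
            return value.lower() in (r.lower() for r in creds.get("roles", []))
        # Generic check: the credential attribute must equal the value after
        # substituting %(key)s placeholders from the target being acted on.
        try:
            expected = value % target
        except KeyError:
            return False            # target lacks the attribute: deny
        return str(creds.get(kind)) == expected


def load_policy(text):
    return PolicyEngine(json.loads(text))


def make_credentials(engine, user_id, project_id, roles):
    """Build the creds dict a service derives from the token headers; is_admin
    is itself decided by the context_is_admin rule rather than hard-coded."""
    creds = {"user_id": user_id, "project_id": project_id, "roles": list(roles)}
    creds["is_admin"] = engine.enforce("context_is_admin", {}, creds)
    return creds


if __name__ == "__main__":
    engine = load_policy(POLICY_JSON)
    member = make_credentials(engine, "u1", "tenant-a", ["Member"])
    admin = make_credentials(engine, "u2", "tenant-ops", ["admin"])
    # owner may delete in their own tenant, not in another; admin may in both
    print(engine.enforce("compute:delete", {"project_id": "tenant-a"}, member))
    print(engine.enforce("compute:delete", {"project_id": "tenant-b"}, member))
    print(engine.enforce("compute:delete", {"project_id": "tenant-b"}, admin))
```

Two points worth checking in any real policy file are visible here: an action that is missing from the file silently falls back to `default`, so the default rule decides what unknown API calls are allowed to do, and an ownership check like `project_id:%(project_id)s` denies when the service passes a target without that attribute, which is the safe failure mode.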
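The auth_token flow from slide 8 (client passes a token, middleware validates it and forwards user, tenant and role information to the service as headers) as an added example; this is not code from the slides or from the keystonemiddleware project. `TokenStore` is a constructed stand-in for Keystone's token service with the finite lifetime and revocation described on slide 5; the header names (X-Identity-Status, X-User-Id, X-User-Name, X-Tenant-Id, X-Tenant-Name, X-Roles) follow those the real middleware sets, while `AuthTokenMiddleware`, `service_app` and `call` are names chosen here.

```python
import secrets
import time


class TokenStore:
    """Constructed stand-in for the Keystone token service (not Keystone code).
    Tokens are random, time-scoped and revocable, and carry the identity
    attributes the middleware forwards downstream."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised
        self._tokens = {}

    def issue(self, user_id, user_name, tenant_id, tenant_name, roles):
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = {
            "user_id": user_id, "user_name": user_name,
            "tenant_id": tenant_id, "tenant_name": tenant_name,
            "roles": list(roles),
            "expires": self.clock() + self.ttl, "revoked": False,
        }
        return token_id

    def revoke(self, token_id):
        if token_id in self._tokens:
            self._tokens[token_id]["revoked"] = True

    def validate(self, token_id):
        """Return the token's attributes, or None if unknown, expired or revoked."""
        data = self._tokens.get(token_id)
        if data is None or data["revoked"] or data["expires"] <= self.clock():
            return None
        return data


class AuthTokenMiddleware:
    """WSGI filter in the spirit of auth_token: validate X-Auth-Token, reject
    the request if it is invalid, otherwise forward the identity as headers."""

    def __init__(self, app, store, auth_uri="http://keystone.example:5000"):
        self.app = app
        self.store = store
        self.auth_uri = auth_uri

    def __call__(self, environ, start_response):
        token_id = environ.get("HTTP_X_AUTH_TOKEN")
        data = self.store.validate(token_id) if token_id else None
        if data is None:
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", "Keystone uri='%s'" % self.auth_uri),
                ("Content-Type", "text/plain"),
            ])
            return [b"Authentication required"]
        # Always overwrite, never merge: a client must not be able to supply
        # these identity headers itself.
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        environ["HTTP_X_USER_ID"] = data["user_id"]
        environ["HTTP_X_USER_NAME"] = data["user_name"]
        environ["HTTP_X_TENANT_ID"] = data["tenant_id"]
        environ["HTTP_X_TENANT_NAME"] = data["tenant_name"]
        environ["HTTP_X_ROLES"] = ",".join(data["roles"])
        return self.app(environ, start_response)


def service_app(environ, start_response):
    """Downstream service: trusts only what the middleware put in the environ."""
    body = "user=%s tenant=%s roles=%s" % (
        environ["HTTP_X_USER_ID"], environ["HTTP_X_TENANT_ID"], environ["HTTP_X_ROLES"])
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


def call(app, headers):
    """Drive a WSGI app with constructed request headers; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v2/servers"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=60)
    app = AuthTokenMiddleware(service_app, store)
    token = store.issue("u1", "alice", "t1", "tenant-a", ["Member"])
    print(call(app, {"X-Auth-Token": token}))
    print(call(app, {"X-Auth-Token": "bogus"}))
```

The design point to carry over to a real pipeline is the unconditional overwrite of the X-User-*, X-Tenant-* and X-Roles headers: the service behind the middleware treats them as authoritative, so they must only ever originate from a validated token, and the middleware must sit in front of every route that reads them.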