keyrock and wilma - openstack-based identity management in fiware

Post on 08-Jan-2017

Category: Technology

TRANSCRIPT

KeyRock and Wilma: OpenStack-based Identity Management in FIWARE

Joaquín Salvachúa (jsalvachua@dit.upm.es), Álvaro Alonso (aalonsog@dit.upm.es)

FIWARE

FIWARE is an innovative, open cloud-based infrastructure for cost-effective creation and delivery of Future Internet applications and services, at a scale not seen before.

FIWARE's APIs are public and royalty-free, driven by the development of an open source reference implementation that accelerates the availability of commercial products and services based on FIWARE technologies.

More at: https://www.fiware.org and https://www.fiware.org/formation

FIWARE Generic Enablers

Generic Enablers (GE) offer a number of general-purpose functions through well-defined APIs, easing the development of smart applications in multiple sectors. They set the foundations of the architecture associated with your application.

Specifications of FIWARE GE APIs are public and royalty-free. You can search for the open source reference implementation, as well as alternative implementations, of each FIWARE GE in the FIWARE Reference Architecture.

FIWARE Community

http://map.fiware.org/

FIWARE Lab

http://infographic.lab.fiware.org/

FIWARE Lab & Cloud

[Diagram, repeated over four slides: Region 1, Region 2 … Region n each run an OS Service; the Cloud Portal talks to Keyrock, which is backed by a DB. The labelled calls are:]

1. Cloud Portal → Keyrock: getCatalogue
2. Cloud Portal → OS Service: request (token)
3. OS Service → Keyrock: validate (token), using the service's own credentials
4. Two Keyrock instances (Keyrock 1, Keyrock 2) behind HAProxy, sharing the DB

Keyrock architecture

Horizon
• Front-end component
• User views

Keystone
• Back-end component
• Resources management
• Connection to the database

[Diagram: Horizon → Keystone → DB]

Horizon extensions

Built on OpenStack Horizon:
• FIWARE UI
• AuthZForce Driver
• OAuth2 Driver
• FIWARE Accounts
• Admin tools
• reCaptcha

Keystone extensions

Built on OpenStack Keystone:
• Keystone API
• SCIM 2.0
• User Registration
• Two factor auth
• OAuth2

OAuth2

[Diagram: the Cloud Portal authenticates against Keyrock over OAuth2; Keyrock's Keystone issues the TOKEN that the Cloud Portal then presents. The diagram also shows a Google Account.]

FIWARE Account

[Screenshots: the FIWARE Account page and its "Login with" options]

OAuth2: External applications

[Diagram: the Cloud Portal, App 1 and App 2 each authenticate with Keyrock over OAuth2]

Token validation

[Diagram: the Cloud Portal obtains a TOKEN from Keyrock (Keystone) over OAuth2 and sends it with its requests to an OS Service in Region 1; the Keystone Middleware in front of the OS Service performs the TOKEN validation against Keyrock.]

Token validation: External Applications

[Diagram: an App obtains a TOKEN from Keyrock (Keystone) over OAuth2 and sends it to a Backend service; Wilma, in front of the Backend service, performs the TOKEN validation against Keyrock.]

Wilma

[Diagram: a Backend Service exposes a REST API; a REST Client, Other services and a Web App used by User 1 and User 2 reach it directly with plain HTTP requests.]

[Diagram: with Wilma deployed in front of the Backend Service, every request must carry a TOKEN (HTTP request + TOKEN); Wilma checks it before the REST API is reached.]

Authentication

[Sequence diagram: User → Wilma → Keyrock GE → Wilma → Backend Service REST API]

1. The User sends an HTTP request + TOKEN to Wilma.
2. Wilma sends the TOKEN to the Keyrock GE.
3. Keyrock answers OK + user info.
4. Wilma forwards the request to the Backend Service REST API.

Authorization

[Sequence diagram: User → Wilma → Keyrock GE → Wilma → AuthZForce GE → Wilma → Backend Service REST API]

1. The User sends an HTTP request + TOKEN to Wilma.
2. Wilma sends the TOKEN to the Keyrock GE.
3. Keyrock answers OK + user info (including the user's roles).
4. Wilma sends roles + verb + path to the AuthZForce GE.
5. AuthZForce answers OK.
6. Wilma forwards the request to the Backend Service REST API.

AuthZForce

The other part in Policy Management:

Wilma: PEP
• Policy Enforcement Point

AuthZForce: PAP & PDP
• Policy Administration Point
• Policy Decision Point
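The Authentication and Authorization sequences above, as an added Python example that is not code from Wilma, Keyrock or AuthZForce: the Keyrock token table, the policy table, the HTTP statuses and the X-Auth-Token header name are assumptions made for the example.

```python
# Added example (not Wilma's, Keyrock's or AuthZForce's own code): the PEP
# decision that the Authentication and Authorization slides describe. The token
# table, the policy table and the X-Auth-Token header name are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Decision:
    status: int              # HTTP status the PEP proxy would answer with
    reason: str
    user: Optional[dict] = None


# Stand-in for the Keyrock GE: TOKEN -> user info (constructed sample data).
KEYROCK_TOKENS: Dict[str, dict] = {
    "tok-alice": {"id": "alice", "roles": ["provider"]},
    "tok-bob": {"id": "bob", "roles": ["viewer"]},
}

# Stand-in for the AuthZForce PDP: role -> allowed (verb, path prefix) pairs.
POLICY: Dict[str, List[Tuple[str, str]]] = {
    "provider": [("GET", "/api/"), ("POST", "/api/"), ("DELETE", "/api/")],
    "viewer": [("GET", "/api/")],
}


def keyrock_validate(token: str) -> Optional[dict]:
    """Authentication: Wilma sends the TOKEN to Keyrock; OK + user info, or None."""
    return KEYROCK_TOKENS.get(token)


def authzforce_decide(roles: List[str], verb: str, path: str) -> bool:
    """Authorization: Wilma sends roles + verb + path to the PDP; True means OK."""
    for role in roles:
        for allowed_verb, prefix in POLICY.get(role, []):
            if allowed_verb == verb and path.startswith(prefix):
                return True
    return False


def pep_handle(headers: Dict[str, str], verb: str, path: str) -> Decision:
    """Wilma's decision for one 'HTTP request + TOKEN'."""
    token = headers.get("X-Auth-Token")
    if not token:
        return Decision(401, "missing token")           # no token: Keyrock never asked
    user = keyrock_validate(token)
    if user is None:
        return Decision(401, "invalid token")           # Keyrock did not answer OK
    if not authzforce_decide(user["roles"], verb, path):
        return Decision(403, "denied by policy", user)  # authenticated, not authorized
    return Decision(200, "forwarded to backend", user)  # both checks passed
```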

FIWARE Lab Accounts

Basic
• Manage organizations
• Register applications
• Use the Cloud if other users authorize them

Trial
• Cloud: 14-day Trial period Cloud Project
• Spain2 region

Community
• Cloud: Cloud Project for 9 months
• Assigned region

[Screenshot: FIWARE Lab Accounts page]

Private Regions Support

Goal
• Support private regions that want to offer part of their Cloud resources to FIWARE Lab users

The scenario
• FL User represents a user with a registered account in FIWARE Lab
• In the FIWARE Lab environment, FL OS Services represent the services of all the Federated nodes
• Private Cloud is a Commercial Cloud Provider that wants to offer some of its resources (part of its Local OS Services) to be available in FIWARE Lab as a new node
• Private Cloud has its own users registered in its local Keystone (Ext User is one of them), using Cloud resources deployed in Local OS Services

[Diagram of the scenario: on the FIWARE Lab side, the FL User uses the Cloud Portal, which authenticates with Keyrock and uses the FL OS Services; on the Private Cloud side, the Ext User uses Horizon, which authenticates with the local Keystone and uses the Local OS Services.]

Requirements

• Ext User can continue using the resources already deployed in Local OS Services through Horizon
• FL User (if they have the correct rights) can deploy resources in the Private Cloud Local OS Services through the Cloud Portal
• In the Cloud Portal, the Private Cloud node appears as a new node. It is accessible to FIWARE Lab users with quotas in that node (community users assigned to that node)
• Private Cloud infrastructure owners can assign quotas of Local OS Services to FIWARE Lab users (to their cloud projects)
• FL User can continue using the FL OS Services as before
• If an Ext User wants to use the resources of FIWARE Lab nodes, they have to create an account in FIWARE Lab

Solution – FL User using FIWARE Lab resources

Everything works as always

1. Cloud Portal authenticates the user in Keyrock

2. Cloud Portal sends a request to an OS Service

3. OS Service validates the token with Keyrock

Solution – Ext User using Local resources

Everything works as always

1. Horizon authenticates the user in Keystone

2. Horizon sends a request to an OS Service

3. OS Service validates the token with Keystone

Solution – FL User using Private Cloud resources

1. Cloud Portal authenticates the user in Keyrock

2. Cloud Portal sends a request to a Private Cloud OS Service

3. Private Cloud OS Service tries to validate the token in Keystone

4. As the validation fails (the token is not stored in Keystone), Keystone validates it with Keyrock, acting as a gateway, and sends the response to the Private Cloud OS Service

*. If the validation succeeds, Keystone stores the token locally (in a cache), so step 4 is not required on subsequent requests.
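The local-first, Keyrock-fallback and cache-on-success behaviour of steps 3-4 and the (*) note, as an added Python example that is not the Keystone token driver the slides refer to: the class name, the cache TTL and the stand-in Keyrock validator are assumptions made for the example.

```python
# Added example (not the Keystone "Token driver" from the slides): a federated
# token validator following steps 3-4 and the (*) note: check the local
# Keystone store, fall back to Keyrock through the gateway, cache on success.
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the Keyrock gateway call (assumption, not Keyrock's API).
SAMPLE_KEYROCK_TOKENS = {"fl-token": {"user": "fl-user", "issuer": "keyrock"}}


def sample_keyrock_validate(token: str) -> Optional[dict]:
    return SAMPLE_KEYROCK_TOKENS.get(token)


class FederatedTokenValidator:
    def __init__(self, keyrock_validate: Callable[[str], Optional[dict]],
                 cache_ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.local: Dict[str, dict] = {}                # tokens this Keystone issued (Ext Users)
        self.cache: Dict[str, Tuple[dict, float]] = {}  # (token data, expires_at) from Keyrock
        self.keyrock_validate = keyrock_validate
        self.cache_ttl = cache_ttl
        self.clock = clock
        self.gateway_calls = 0                          # how many times step 4 was needed

    def validate(self, token: str) -> Optional[dict]:
        # Step 3: the local Keystone store answers for its own tokens.
        if token in self.local:
            return self.local[token]
        # (*): a previous Keyrock answer may still be cached.
        entry = self.cache.get(token)
        if entry is not None:
            data, expires_at = entry
            if self.clock() < expires_at:
                return data
            del self.cache[token]                       # expired: revalidate with Keyrock
        # Step 4: not known locally, so ask Keyrock through the gateway.
        self.gateway_calls += 1
        data = self.keyrock_validate(token)
        if data is not None:                            # only successful validations are cached
            self.cache[token] = (data, self.clock() + self.cache_ttl)
        return data
```

A cached token stays valid locally until cache_ttl elapses even if Keyrock revokes it in the meantime, so the TTL bounds the revocation delay and should be short relative to the token lifetime.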

Token driver

IoT Support

[Diagram: a Context Producer / Consumer sends update / query requests to the Context Broker through a PEP Proxy; the Keyrock GE handles sensor authentication, token creation and token validation.]

Conclusions

Evolution and integration between OpenStack and an IDM.

Evolution in Open Source (developed by UPM in the project).

Identity solution widely used among the startups (the most used GE).

Goal: have it integrated in different sustainable ecosystems:
• Full integration with OpenStack.

Important Links

FIWARE: https://www.fiware.org/

FIWARE Lab: https://account.lab.fiware.org/

Keyrock: http://catalogue.fiware.org/enablers/identity-management-keyrock

Wilma: http://catalogue.fiware.org/enablers/pep-proxy-wilma

AuthZForce: http://catalogue.fiware.org/enablers/authorization-pdp-authzforce

Opensource projects

Keyrock: https://github.com/ging/fiware-idm
• Horizon fork: https://github.com/ging/horizon
• Keystone fork: https://github.com/ging/keystone

Wilma: https://github.com/ging/fiware-pep-proxy

AuthZForce
