cis14: identity in openstack icehouse
DESCRIPTION
David Waite, Ping Identity. Overview of the OpenStack project, in particular the Keystone subproject responsible for identity; how to leverage the features in the newest OpenStack release to tie into external identity systems; and some of the potential directions that OpenStack could take in the future.
TRANSCRIPT
IDENTITY AND OPENSTACK ICEHOUSE
David Waite
Technical Architect, Ping Labs
Ping Identity
Contents
• What is OpenStack
• What components are in OpenStack
• Keystone, the Identity component of OpenStack
  • Tokens
  • Integration
  • Federation
• What's coming?
What is OpenStack?
• Cloud Computing Platform
• Infrastructure-as-a-Service
• Used for private and public clouds
• Multi-tenant (project)
What is OpenStack?
• Strives for Openness:
  • Source
  • Standards
  • Design
  • Development
  • Community
• Modular architecture promoting individual projects
Who uses OpenStack?
• Targeting service offerings, enterprises, and government/academic institutions
• Industries like IT, telco, SaaS, Finance and Healthcare
• Name Dropping
  • Paypal, Best Buy, Comcast, CERN
https://www.openstack.org/user-stories/
Cloud Stack (diagram slide)
Continuum (diagram slide)
Cloud Environments (diagram slide)
OpenStack Architecture (diagram slide)
What does OpenStack Provide?

| Function | Purpose |
|---|---|
| Compute | Virtual Machines, management of underlying CPU/Memory usage (EC2) |
| Network | Software Defined Networking and Load Balancing |
| Storage | Object and Block storage (EC2/EBS, Azure Blob Storage) |
| Image | Virtual Machine image management |
| Telemetry | Metrics on usage of infrastructure resources |
| Dashboard | User Interface for controlling/inspecting infrastructure |
| Database | Database as a Service |
| Identity | Manage API and administrative access to everything else |
Identity, AKA Keystone
• Identity Services for all of OpenStack
  • Authentication
  • Coarse authorization
• Facade for existing identity systems
• Token-based access
• Catalog of service endpoints
• Policy storage for RBAC
Security of Tiers Differ (diagram slide)
Integration
• OpenStack supports several integration options
• User Directories
  • LDAP (read-only and read-write)
  • SQL
  • Key-Value Store
• Authentication
  • Password
  • External via HTTP Server (X.509, Kerberos, SAML)
Keystone Tokens
• Represents authorization
• Scoped to a Project*
• Bearer tokens only
• All APIs secured with tokens
Keystone Tokens
• Two formats
  • Opaque (UUID)
  • Structured (PKI)
• Limited Lifetime (1 - 24hr)
• No token refresh
• Revocable
Authentication (diagram slide)
Token (diagram slide)
Typical API call (diagram slide)
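An added example, not code from the talk or from the Keystone project, tying the Authentication, Token and Typical API call slides together: it builds a Keystone v3 password-auth request scoped to a project, reads the token id from the X-Subject-Token header of a constructed response, picks a service URL from the catalog, and sends the token as X-Auth-Token, refusing to use it past expires_at because tokens cannot be refreshed. The hostnames, token id, project and timestamps are constructed sample values.

```python
from datetime import datetime, timezone

# Constructed sample of a Keystone v3 token response (not from a real deployment).
# The token id travels in the X-Subject-Token header; the body describes scope, roles and catalog.
SAMPLE_HEADERS = {"X-Subject-Token": "c0ffee00-constructed-uuid-token"}
SAMPLE_BODY = {"token": {
    "expires_at": "2014-07-21T18:00:00.000000Z",
    "project": {"id": "p1", "name": "demo"},
    "roles": [{"id": "r1", "name": "Member"}],
    "catalog": [{"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://nova.example.test:8774/v2/p1"},
        {"interface": "internal", "region": "RegionOne",
         "url": "http://10.0.0.5:8774/v2/p1"}]}]}}

def utc(stamp):
    """Parse Keystone's ISO-8601 'Z' timestamps into a timezone-aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def password_auth_request(user, password, project, domain_id="default"):
    """Body for POST /v3/auth/tokens: password authentication, scoped to a project."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user, "password": password,
                                           "domain": {"id": domain_id}}}},
        "scope": {"project": {"name": project, "domain": {"id": domain_id}}}}}

def parse_token(headers, body):
    """Keep what a client needs; the id is a bearer secret and must be stored as such."""
    tok = body["token"]
    return {"id": headers["X-Subject-Token"], "expires_at": utc(tok["expires_at"]),
            "project_id": tok["project"]["id"],
            "roles": [r["name"] for r in tok["roles"]], "catalog": tok["catalog"]}

def endpoint_for(catalog, service_type, interface="public"):
    """Pick a service URL from the catalog instead of hard-coding endpoints."""
    for service in catalog:
        if service["type"] == service_type:
            for ep in service["endpoints"]:
                if ep["interface"] == interface:
                    return ep["url"]
    raise LookupError("no %s endpoint with interface %s" % (service_type, interface))

def api_headers(token, now):
    """Headers for a typical API call. There is no refresh: once the token has
    expired the client must authenticate again to obtain a new one."""
    if now >= token["expires_at"]:
        raise PermissionError("token expired; re-authenticate")
    return {"X-Auth-Token": token["id"], "Content-Type": "application/json"}
```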
Federation
• Icehouse now supports SAML
  • Via the Shibboleth Open Source project
• SAML Web SSO and ECP (Enhanced Client) profiles
• No Web UI support
• Exchange SAML for token
Hybrid Cloud (diagram slide)
Hybrid Cloud Uses
• Grow from Private to Public cloud
  • Seasonal Load or Dynamic Load
• Migrate resources between Private/Public cloud
• Sharing relationships across Private infrastructure
What's Coming (with Caveats)
• Domain-specific Authentication Drivers
• SAML SSO Support for Horizon
  • Administrators logging into console with Federation
• OpenID Connect support
  • Alternate (social) protocol for SSO
Questions?