ukc - msc project - providing moonshot access to openstack
Providing Moonshot access to OpenStack
Supervisor: David Chadwick
Vincent Giersch - vg66
MSc Computer Security - University of Kent
Moonshot
Contents
• Moonshot overview
• OpenStack overview
• Providing Moonshot access to OpenStack
• Federated Keystone
• How it will work?
• Technical architecture
• Roadmap
• Questions
Moonshot Overview
Federated authentication and authorization
For web and non-web services and applications
Example: IE → Apache
Source: Janet
Example: PuTTY → OpenSSH
Source: Janet
Moonshot is built on:
• Strong authentication: EAP/RADIUS
• Strong authorisation: SAML
• Easy service/application integration: SASL/GSS-API
Moonshot technologies
Standardisation approaching completion within the Internet Engineering Task Force (IETF)
OpenStack Overview
Starting the virtualization...
[Figure: Host 1, Host 2, Host 3, Host 4, etc., each running a hypervisor (VMware ESX, Citrix XenServer, KVM, etc.)]
Source: OpenStack Foundation
Hardware abstraction for each server
... but how to manage the resources? Provisioning? User management?
Add the missing cloud management layer:
• Creates pools of resources
• Self-service APIs for users
• Automates deployment
Main components of OpenStack
[Figure: Applications → APIs → Compute (Nova), Storage (Swift), Network (Quantum), Identity (Keystone) → Standard hardware]
Moonshot + Federated Keystone
Allows the use of external Identity Providers (IdPs)
Easy user provisioning
Provides Single Sign On (SSO) to the users
Developed as a Keystone middleware
How it will work?
[Sequence between User, Keystone and Identity Provider, built up over several slides]
1. User → Keystone: asks for a list of Identity Providers
2. Keystone → User: returns the Identity Providers available
3. User → Keystone: chooses an IdP (Moonshot)
4. Keystone → User: returns Moonshot details
5. User: chooses the identity that he will use
6. User ↔ Keystone ↔ Identity Provider: negotiate authentication
7. Keystone → User: returns list of tenants
8. User → Keystone: chooses a tenant
9. Keystone → User: returns a tenant token
Technical architecture
[Diagram, built up over several slides: OpenStack Client ↔ (HTTP) ↔ OpenStack Keystone ↔ (AAA) ↔ Identity Provider]
• OpenStack Client: GSS-API → GSSEAP mech → EAP peer
• OpenStack Keystone: Federated Keystone → Moonshot module → GSS-API → GSSEAP mech → AAA transport
• Identity Provider: AAA → EAP server → EAP method
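The nine-step exchange on the "How it will work?" slides and the layered architecture above, as an added Python model (not code from the project, the slides, or PyKerberos): the GSS-EAP rounds between the client's EAP peer and the IdP's EAP server are replaced by a constructed two-round HMAC challenge/response, the AAA transport by a direct call, and the user, secrets, tenant names and IdP details are constructed. What it shows beyond the slides is where the checks sit: Keystone records the identity the IdP asserts rather than the one the client claims, refuses the tenant list until the negotiation has completed, and only issues a token for a tenant the IdP's attributes authorise.

```python
"""Toy walk-through of the federated Keystone + Moonshot exchange.

Added example, not code from the project: the GSS-EAP negotiation is
replaced by a constructed HMAC challenge/response (a stand-in for the EAP
method) so the shape of the exchange runs offline. All names are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed IdP user database: identity -> (shared secret, attributes the
# IdP asserts about the user; here the tenants the user may access).
IDP_USERS = {
    "alice@example.org": (b"alice-secret", {"tenants": ["research", "teaching"]}),
}


class IdentityProvider:
    """Stand-in for the AAA / EAP server side of the negotiation."""

    def __init__(self):
        self.pending = {}  # outstanding challenge nonce -> claimed identity

    def step(self, identity, token):
        """One negotiation round; returns (done, out_token, attributes)."""
        if token is None:  # round 1: the peer only announces its identity
            if identity not in IDP_USERS:
                raise PermissionError("unknown identity")
            nonce = secrets.token_bytes(16)
            self.pending[nonce] = identity
            return False, nonce, None
        nonce, response = token[:16], token[16:]  # round 2: verify the answer
        claimed = self.pending.pop(nonce, None)
        if claimed is None:
            raise PermissionError("no such challenge")
        secret, attrs = IDP_USERS[claimed]
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            raise PermissionError("bad response")
        # The IdP, not the client, asserts which identity was authenticated.
        return True, None, dict(attrs, identity=claimed)


class ClientPeer:
    """Stand-in for the client's GSS-EAP mechanism (the EAP peer)."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def step(self, challenge):
        """Answer the IdP's challenge with an HMAC over the nonce."""
        return challenge + hmac.new(self.secret, challenge, hashlib.sha256).digest()


class FederatedKeystone:
    """Stand-in for the Federated Keystone middleware with its Moonshot module."""

    IDPS = {"moonshot": {"protocol": "gss-eap"}}  # constructed IdP details

    def __init__(self, idp, signing_key):
        self.idp, self.key = idp, signing_key
        self.sessions = {}  # session id -> state; attrs stays None until authenticated

    def list_idps(self):
        return sorted(self.IDPS)

    def choose_idp(self, name):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"idp": name, "attrs": None}
        return sid, self.IDPS[name]

    def negotiate(self, sid, identity, token):
        """Relay one GSS round to the IdP (AAA transport modelled as a call)."""
        done, out, attrs = self.idp.step(identity, token)
        if done:
            self.sessions[sid]["attrs"] = attrs
        return done, out

    def list_tenants(self, sid):
        attrs = self.sessions[sid]["attrs"]
        if attrs is None:
            raise PermissionError("not authenticated")
        return list(attrs["tenants"])

    def tenant_token(self, sid, tenant):
        """Issue a tenant-scoped token only for a tenant the IdP authorised."""
        if tenant not in self.list_tenants(sid):
            raise PermissionError("tenant not authorised for this identity")
        body = f"{self.sessions[sid]['attrs']['identity']}:{tenant}"
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}:{mac}"


def run_flow(keystone, peer, tenant):
    """Client side of the nine-step exchange on the slides."""
    if "moonshot" not in keystone.list_idps():  # steps 1-2: IdP list
        raise RuntimeError("Moonshot IdP not offered")
    sid, details = keystone.choose_idp("moonshot")  # steps 3-4: IdP details
    if details["protocol"] != "gss-eap":
        raise RuntimeError("unexpected IdP protocol")
    token, done = None, False  # step 5: the peer carries the chosen identity
    while not done:  # step 6: negotiate, one round trip per GSS token
        done, out = keystone.negotiate(sid, peer.identity, token)
        if not done:
            token = peer.step(out)
    keystone.list_tenants(sid)  # step 7: the list the user chooses from
    return keystone.tenant_token(sid, tenant)  # steps 8-9: tenant token
```

In the real stack each negotiate() round trip would be a GSS-API context-establishment step carried over HTTP between client and Keystone, with the Moonshot module relaying the inner EAP exchange to the IdP over the AAA transport, as the architecture diagram shows; the model keeps only that round-trip structure and the ordering of the authorisation checks.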
Project roadmap
• Study of the existing Moonshot implementations (e.g. Apache / Firefox).
• Fork the PyKerberos library to add flexibility in the usage of the GSS-API C library.
• Study of the potential needed improvements of the Keystone Federated protocol.
• Implement the authentication / authorization Moonshot module.
• Validation testing using an OpenStack client (e.g. python-swiftclient).
Questions?
Vincent Giersch - vg66