IDENTITY AND OPENSTACK ICEHOUSE
David Waite
Technical Architect, Ping Labs
Ping Identity
Contents
• What is OpenStack
• What components are in OpenStack
• Keystone, the Identity component of OpenStack
• Tokens
• Integration
• Federation
• What's coming?
What is OpenStack?
• Cloud Computing Platform
• Infrastructure-as-a-Service
• Used for private and public clouds
• Multi-tenant (project)
What is OpenStack?
• Strives for Openness:
  • Source
  • Standards
  • Design
  • Development
  • Community
• Modular architecture promoting individual projects
Who uses OpenStack?
• Targeting service offerings, enterprises, and government/academic institutions
• Industries like IT, telco, SaaS, Finance and Healthcare
• Name Dropping
  • Paypal, Best Buy, Comcast, CERN
https://www.openstack.org/user-stories/
Cloud Stack [diagram]
Continuum [diagram]
Cloud Environments [diagram]
OpenStack Architecture [diagram]
What does OpenStack Provide?
Function    Purpose
Compute     Virtual Machines, management of underlying CPU/Memory usage (EC2)
Network     Software Defined Networking and Load Balancing
Storage     Object and Block storage (EC2/EBS, Azure Blob Storage)
Image       Virtual Machine image management
Telemetry   Metrics on usage of infrastructure resources
Dashboard   User Interface for controlling/inspecting infrastructure
Database    Database as a Service
Identity    Manage API and administrative access to everything else
Identity, AKA Keystone
• Identity Services for all of OpenStack
  • Authentication
  • Coarse authorization
• Facade for existing identity systems
• Token-based access
• Catalog of service endpoints
• Policy storage for RBAC
Security of Tiers Differ [diagram]
Integration
• OpenStack supports several integration options
• User Directories
  • LDAP (read-only and read-write)
  • SQL
  • Key-Value Store
• Authentication
  • Password
  • External via HTTP Server (X.509, Kerberos, SAML)
Keystone Tokens
• Represents authorization
• Scoped to a Project*
• Bearer tokens only
• All API Secured with Tokens
Keystone Tokens
• Two formats
  • Opaque (UUID)
  • Structured (PKI)
• Limited Lifetime (1 - 24hr)
• No token refresh
• Revocable
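As an added example, not taken from these slides: the shape of a Keystone v3 password authentication scoped to a project, and the client-side checks the token slides imply (the bearer token is only good for the project it was scoped to, it expires and cannot be refreshed, and the service catalog arrives with it). The user, project, role and endpoint values are constructed.

```python
import json
from datetime import datetime, timezone

def build_scoped_auth_request(user, password, user_domain, project, project_domain):
    """JSON body for POST /v3/auth/tokens: password auth scoped to a project."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user,
                                           "domain": {"name": user_domain},
                                           "password": password}}},
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}}}}

# Constructed sample of a v3 token response body (the token string itself is
# returned in the X-Subject-Token header, not in this JSON).
SAMPLE_TOKEN_BODY = json.loads("""{
  "token": {
    "issued_at": "2014-06-01T12:00:00.000000Z",
    "expires_at": "2014-06-01T13:00:00.000000Z",
    "project": {"id": "proj-123", "name": "demo",
                "domain": {"id": "default", "name": "Default"}},
    "roles": [{"id": "r1", "name": "member"}],
    "catalog": [{"type": "compute", "name": "nova", "endpoints": [
      {"interface": "public", "region": "RegionOne",
       "url": "https://compute.example.test/v2/proj-123"},
      {"interface": "internal", "region": "RegionOne",
       "url": "http://10.0.0.5:8774/v2/proj-123"}]}]
  }
}""")

def parse_ts(s):
    """Keystone timestamps are UTC with microseconds and a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def token_usable_for(body, project_name, now):
    """A bearer token is only good for the project it was scoped to and until
    expires_at; there is no refresh, so after that the client re-authenticates."""
    tok = body["token"]
    scoped = tok.get("project", {}).get("name") == project_name
    return scoped and now < parse_ts(tok["expires_at"])

def endpoint_for(body, service_type, interface="public", region=None):
    """Resolve a service URL from the catalog delivered with the token."""
    for svc in body["token"].get("catalog", []):
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if ep["interface"] == interface and region in (None, ep["region"]):
                return ep["url"]
    return None
```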
Authentication [diagram]
Token [diagram]
Typical API call [diagram]
Federation
• Icehouse now supports SAML
  • Via the Shibboleth Open Source project
• SAML Web SSO and ECP (Enhanced Client) profiles
• No Web UI support
• Exchange SAML for token
Hybrid Cloud [diagram]
Hybrid Cloud Uses
• Grow from Private to Public cloud
  • Seasonal Load or Dynamic Load
• Migrate resources between Private/Public cloud
• Sharing relationships across Private infrastructure
What’s Coming (with Caveats)
• Domain-specific Authentication Drivers
• SAML SSO Support for Horizon
  • Administrators logging into console with Federation
• OpenID Connect support
  • Alternate (social) protocol for SSO
Questions?