David Waite, Ping Identity Overview of the OpenStack project, in particular the Keystone subproject responsible for identity, how to leverage the features in the newest OpenStack release for your own usage for tying into external identity systems, and some of the potential directions that OpenStack could take in the future.
IDENTITY AND OPENSTACK ICEHOUSE
David Waite
Technical Architect, Ping Labs
Ping Identity
Contents
• What is OpenStack
• What components are in OpenStack
• Keystone, the Identity component of OpenStack
  • Tokens
  • Integration
  • Federation
• What's coming?
What is OpenStack?
• Cloud Computing Platform
• Infrastructure-as-a-Service
• Used for private and public clouds
• Multi-tenant (a tenant is called a "project")
What is OpenStack?
• Strives for Openness:
  • Source
  • Standards
  • Design
  • Development
  • Community
• Modular architecture promoting individual projects
Who uses OpenStack?
• Targeting service offerings, enterprises, and government/academic institutions
• Industries like IT, telco, SaaS, finance and healthcare
• Name dropping
  • PayPal, Best Buy, Comcast, CERN
https://www.openstack.org/user-stories/
Cloud Stack (diagram)
Continuum (diagram)
Cloud Environments (diagram)
OpenStack Architecture (diagram)
What does OpenStack Provide?

Function    Purpose
Compute     Virtual machines, management of underlying CPU/memory usage (cf. EC2)
Network     Software-defined networking and load balancing
Storage     Object and block storage (cf. S3/EBS, Azure Blob Storage)
Image       Virtual machine image management
Telemetry   Metrics on usage of infrastructure resources
Dashboard   User interface for controlling/inspecting infrastructure
Database    Database as a Service
Identity    Manage API and administrative access to everything else
Identity, AKA Keystone
• Identity Services for all of OpenStack
  • Authentication
  • Coarse authorization
• Facade for existing identity systems
• Token-based access
• Catalog of service endpoints
• Policy storage for RBAC
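The "coarse authorization" Keystone provides is expressed as policy rules: each OpenStack service reads a policy.json that maps an API action to a rule over the roles and identity carried by the caller's token. The following is an added example, not code from the talk or from Keystone, that implements a small subset of the policy rule language (role:, rule:, generic creds checks with %(key)s substitution from the target, and/or/not with parentheses) so the evaluation can be traced end to end. The policy file, rule names, credentials and user ids are constructed for the example and only mirror the shape of the stock Keystone policy.

```python
import json
import re

# Constructed sample policy in the policy.json format Keystone reads; the rule
# names mirror the stock keystone policy file, but this is an abbreviated
# example written for this page, not a copy of it.
SAMPLE_POLICY_JSON = """
{
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:get_user": "rule:admin_or_owner",
    "identity:create_user": "rule:admin_required",
    "identity:list_projects": "role:admin or (role:member and not rule:owner)"
}
"""

# A token is a parenthesis, a boolean keyword, the always-true "@", the
# always-false "!", or a "kind:match" atom (match may contain %(key)s).
_TOKEN_RE = re.compile(
    r"\(|\)|\bnot\b|\band\b|\bor\b|@|!|[A-Za-z_]\w*:(?:%\(\w+\)s|[^\s()])+"
)


class Policy:
    """Minimal evaluator for policy.json rules (a subset of the oslo.policy syntax)."""

    def __init__(self, rules):
        self.rules = rules

    def enforce(self, action, target, creds):
        """True if `creds` (derived from the token) may perform `action` on `target`."""
        return self._evaluate(self.rules.get(action, "!"), target, creds)

    def _check(self, kind, match, target, creds):
        if kind == "rule":                       # reference to another named rule
            return self._evaluate(self.rules.get(match, "!"), target, creds)
        if kind == "role":                       # role carried by the token
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        try:                                     # generic check: creds[kind] == match,
            match = match % target               # after filling %(key)s from the target
        except KeyError:
            return False
        return kind in creds and str(creds[kind]) == match

    def _evaluate(self, rule_text, target, creds):
        tokens = _TOKEN_RE.findall(rule_text)
        if not tokens:                           # an empty rule allows everyone
            return True
        pos = 0

        def peek():
            return tokens[pos] if pos < len(tokens) else None

        def take():
            nonlocal pos
            if pos >= len(tokens):
                raise ValueError("unexpected end of rule %r" % rule_text)
            pos += 1
            return tokens[pos - 1]

        def parse_or():                          # or has the lowest precedence
            value = parse_and()
            while peek() == "or":
                take()
                rhs = parse_and()
                value = value or rhs
            return value

        def parse_and():
            value = parse_not()
            while peek() == "and":
                take()
                rhs = parse_not()
                value = value and rhs
            return value

        def parse_not():
            if peek() == "not":
                take()
                return not parse_not()
            return parse_atom()

        def parse_atom():
            tok = take()
            if tok == "(":
                value = parse_or()
                if take() != ")":
                    raise ValueError("unbalanced parentheses in %r" % rule_text)
                return value
            if tok == "@":
                return True
            if tok == "!":
                return False
            kind, match = tok.split(":", 1)
            return self._check(kind, match, target, creds)

        result = parse_or()
        if pos != len(tokens):
            raise ValueError("trailing input in rule %r" % rule_text)
        return result


POLICY = Policy(json.loads(SAMPLE_POLICY_JSON))

# Constructed credentials of the kind a service derives from a validated token.
MEMBER_CREDS = {"user_id": "u-1", "project_id": "p-1", "roles": ["member"]}
ADMIN_CREDS = {"user_id": "u-9", "project_id": "p-1", "roles": ["admin"]}

if __name__ == "__main__":
    for action in ("identity:get_user", "identity:create_user", "identity:list_projects"):
        for name, creds in (("member", MEMBER_CREDS), ("admin", ADMIN_CREDS)):
            print(action, name, POLICY.enforce(action, {"user_id": "u-1"}, creds))
```

Unknown actions evaluate to "!" (deny), which is the safe default when a service is given a policy file that predates a new API; the point to check in a real deployment is that every action the service exposes actually has a rule, because the stock files use a catch-all `default` rule that this subset deliberately does not implement.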
Security of Tiers Differ (diagram)
Integration
• OpenStack supports several integration options
• User directories
  • LDAP (read-only and read-write)
  • SQL
  • Key-value store
• Authentication
  • Password
  • External via the HTTP server in front of Keystone (X.509, Kerberos, SAML), which hands the authenticated identity to Keystone as REMOTE_USER
Keystone Tokens
• Represents authorization
• Scoped to a project* (v3 tokens may also be unscoped or scoped to a domain)
• Bearer tokens only: whoever holds the token can use it, so it must only travel over TLS
• All APIs secured with tokens
Keystone Tokens
• Two formats
  • Opaque (UUID): services validate it by calling back to Keystone
  • Structured (PKI): CMS-signed JSON that services can verify offline against Keystone's signing certificate
• Limited lifetime (1-24 hr)
• No token refresh: clients re-authenticate when a token expires
• Revocable
Authentication (diagram)
Token (diagram)
Typical API call (diagram)
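The three diagram slides above cover the same sequence: authenticate to Keystone, receive a scoped token, look the service up in the catalog that came back with the token, and present the token as a bearer credential on every API call. The block below is an added example written for this page (not code from the talk, python-keystoneclient or any OpenStack project) that builds the v3 password-auth request body, parses a constructed token response, resolves an endpoint from the catalog and assembles a service request, refusing expired or revoked tokens and cleartext endpoints along the way. The token id, URLs, ids and the two clock values are constructed; the revoked-id set stands in for whatever revocation data a deployment fetches from Keystone.

```python
import json
from datetime import datetime, timezone

# Constructed stand-in for a Keystone v3 token: the id travels in the
# X-Subject-Token response header, the body describes what it authorizes.
SAMPLE_TOKEN_ID = "7d1f0c8e6b2a4f9e8c3d1a5b7e9f0c2d"      # constructed, UUID-style
SAMPLE_RESPONSE_BODY = json.loads("""
{"token": {
   "expires_at": "2014-05-13T23:00:00.000000Z",
   "issued_at":  "2014-05-13T22:00:00.000000Z",
   "methods": ["password"],
   "user":    {"id": "u-1", "name": "alice", "domain": {"id": "default", "name": "Default"}},
   "project": {"id": "p-1", "name": "demo",  "domain": {"id": "default", "name": "Default"}},
   "roles":   [{"id": "r-1", "name": "member"}],
   "catalog": [
     {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public",   "region": "RegionOne", "url": "https://nova.example.com:8774/v2/p-1"},
        {"interface": "internal", "region": "RegionOne", "url": "http://10.0.0.5:8774/v2/p-1"}]},
     {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne", "url": "https://keystone.example.com:5000/v3"}]}
   ]}}
""")

# Constructed clock values: one inside the token's lifetime, one after it.
SAMPLE_NOW = datetime(2014, 5, 13, 22, 30, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2014, 5, 13, 23, 30, tzinfo=timezone.utc)


def build_password_auth(username, password, user_domain, project_name, project_domain):
    """Body for POST /v3/auth/tokens: password authentication, scoped to a project."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username,
                                           "domain": {"name": user_domain},
                                           "password": password}}},
        "scope": {"project": {"name": project_name,
                              "domain": {"name": project_domain}}}}}


def parse_token_response(headers, body):
    """Keep what a client needs: the bearer id and what it authorizes."""
    tok = body["token"]
    expires = datetime.strptime(tok["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "id": headers["X-Subject-Token"],            # never in the JSON body
        "expires_at": expires.replace(tzinfo=timezone.utc),
        "project_id": tok["project"]["id"] if "project" in tok else None,  # None when unscoped
        "roles": [r["name"] for r in tok.get("roles", [])],
        "catalog": tok.get("catalog", []),
    }


def find_endpoint(catalog, service_type, interface="public", region=None):
    """Resolve a service URL from the catalog instead of hard-coding it."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and (region is None or ep["region"] == region):
                return ep["url"]
    return None


def token_usable(token, now, revoked_ids=frozenset()):
    """Expired or revoked tokens cannot be refreshed; the client must authenticate again."""
    return token["expires_at"] > now and token["id"] not in revoked_ids


def build_service_request(token, service_type, path, now, revoked_ids=frozenset()):
    """(url, headers) for a typical API call; the token rides in X-Auth-Token."""
    if not token_usable(token, now, revoked_ids):
        raise PermissionError("token expired or revoked; re-authenticate with Keystone")
    base = find_endpoint(token["catalog"], service_type)
    if base is None:
        raise LookupError("no public endpoint for %s in catalog" % service_type)
    if not base.startswith("https://"):          # a bearer token on the wire is the credential
        raise ValueError("refusing to send a bearer token over cleartext: %s" % base)
    url = base.rstrip("/") + "/" + path.lstrip("/")
    return url, {"X-Auth-Token": token["id"], "Accept": "application/json"}


TOKEN = parse_token_response({"X-Subject-Token": SAMPLE_TOKEN_ID}, SAMPLE_RESPONSE_BODY)

if __name__ == "__main__":
    print(build_service_request(TOKEN, "compute", "servers", SAMPLE_NOW))
```

The cleartext check is deliberately strict: an internal endpoint served over plain HTTP (as in the constructed catalog) is exactly where a bearer token is most easily captured and replayed, and the token carries every role of the user for the whole of its lifetime.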
Federation
• Icehouse now supports SAML
  • Via the Shibboleth open source project (the Shibboleth SP runs as an Apache module in front of Keystone)
• SAML Web SSO and ECP (Enhanced Client or Proxy) profiles
• No web UI support (Horizon cannot yet log in via SAML)
• Exchange the SAML assertion for a Keystone token
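The "exchange SAML for token" step hinges on mapping rules: the Shibboleth SP validates the assertion and exposes its attributes to Keystone, Keystone's OS-FEDERATION extension runs the identity provider's mapping over those attributes to decide which local user name and group ids the caller gets, and the caller then rescopes the resulting unscoped token to a project reachable through those groups. Below is an added example written for this page, not the talk's and not Keystone's own code, that re-implements the documented mapping semantics in a simplified form (a rule matches only if every remote entry is satisfied; entries with any_one_of/not_any_of are conditions; the remaining entries fill the {0}, {1}, ... placeholders in order with the attribute's first value) and builds the rescope request body as documented for Icehouse. The mapping, attribute names, group ids and assertions are constructed; the group ids are placeholders, and the saml2 method name in the rescope body should be checked against the Keystone version actually deployed.

```python
import json

# Constructed mapping in the rule format stored by Keystone's OS-FEDERATION
# extension; the group ids are assumed placeholders, not real Keystone ids.
SAMPLE_MAPPING_JSON = """
{"rules": [
  {"remote": [{"type": "UserName"},
              {"type": "orgPersonType", "any_one_of": ["Employee", "Contractor"]}],
   "local":  [{"user": {"name": "{0}"}},
              {"group": {"id": "grp-staff-0001"}}]},
  {"remote": [{"type": "UserName"},
              {"type": "orgPersonType", "any_one_of": ["Admin"]}],
   "local":  [{"user": {"name": "{0}"}},
              {"group": {"id": "grp-admins-0001"}}]}
]}
"""


def _condition_holds(requirement, values):
    """Apply the optional any_one_of / not_any_of filter of one remote entry."""
    if "any_one_of" in requirement:
        return any(v in requirement["any_one_of"] for v in values)
    if "not_any_of" in requirement:
        return not any(v in requirement["not_any_of"] for v in values)
    return True


def _match_rule(rule, assertion):
    """Direct-map values for a rule, or None if any remote entry is not satisfied."""
    direct_maps = []
    for requirement in rule["remote"]:
        values = assertion.get(requirement["type"], [])
        if not values:                       # attribute absent: the rule does not apply
            return None
        if "any_one_of" in requirement or "not_any_of" in requirement:
            if not _condition_holds(requirement, values):
                return None
            continue                         # conditions do not feed the {n} placeholders
        direct_maps.append(values[0])        # first value fills the next {n}
    return direct_maps


def _render(obj, direct_maps):
    """Fill {0}, {1}, ... in the local templates from the direct-mapped values."""
    if isinstance(obj, dict):
        return {k: _render(v, direct_maps) for k, v in obj.items()}
    if isinstance(obj, str):
        return obj.format(*direct_maps)
    return obj


def process_mapping(mapping, assertion):
    """Collapse every matching rule into the local user and the group ids to grant."""
    user, group_ids = {}, []
    for rule in mapping["rules"]:
        direct_maps = _match_rule(rule, assertion)
        if direct_maps is None:
            continue
        for local in rule["local"]:
            rendered = _render(local, direct_maps)
            if "user" in rendered:
                user.update(rendered["user"])
            if "group" in rendered:
                group_ids.append(rendered["group"]["id"])
    if not user or not group_ids:            # no groups means no projects: deny, as Keystone does
        raise PermissionError("assertion matched no mapping rule yielding a user and a group")
    return {"user": user, "group_ids": group_ids}


def build_rescope_request(unscoped_token_id, project_id):
    """POST /v3/auth/tokens body that turns the unscoped federated token into a project-scoped one
    (method name "saml2" as documented for Icehouse; assumed to match the deployed version)."""
    return {"auth": {"identity": {"methods": ["saml2"], "saml2": {"id": unscoped_token_id}},
                     "scope": {"project": {"id": project_id}}}}


MAPPING = json.loads(SAMPLE_MAPPING_JSON)

# Constructed assertion attributes as a Shibboleth SP would hand them to Keystone;
# the attribute names come from the SP's attribute map, not from Keystone.
STAFF_ASSERTION = {"UserName": ["bob@example.com"], "orgPersonType": ["Contractor"]}
GUEST_ASSERTION = {"UserName": ["eve@example.com"], "orgPersonType": ["Guest"]}

if __name__ == "__main__":
    print(process_mapping(MAPPING, STAFF_ASSERTION))
```

The mapping is the authorization boundary of the federation: the IdP chooses the attribute values, but only the mapping decides which groups (and therefore which role assignments and projects) those values buy. Keep group ids as literals in the local side, as above, rather than templating them from a remote attribute, otherwise the IdP can select its own groups.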
Hybrid Cloud (diagram)
Hybrid Cloud Uses
• Grow from Private to Public cloud
  • Seasonal or dynamic load
• Migrate resources between Private/Public cloud
• Sharing relationships across Private infrastructure
What’s Coming (with Caveats)
• Domain-specific Authentication Drivers
• SAML SSO Support for Horizon
  • Administrators logging into the console with Federation
• OpenID Connect support
  • Alternate (social) protocol for SSO
Questions?