SlideShare uma empresa Scribd logo

Cloudproject

Transferir como PPTX, PDF
A
anushv24
Tecnologia
1 de 8
By- Anush V Meghana Prashanth Pramod Ramesh Ashwin Sethi
Introduction  Openstack is an open source cloud service implementation  Keystone is the security module of Openstack  Current authorization system implemented in keystone is single-tenant  Multi-tenancy support is defined as the capability of a single software instance to provide its service to several parties simultaneously  Our objective is to convert this single tenant system into a multi-tenant one
 Current implementations of authorization is based on a 3 tuple implementation namely (Subject, Privilege, Object)  This needs to be changed to incorporate multi-tenancy  The basic multi-tenant system would have a structure in the form of a 5 tuple namely (Issuer, Subject, Privilege, Interface, Object)  This implementation though useful is not enough  We try to use a RBAC incorporated implementation  This new model which has RBAC changes the 5 tuple to (Issuer, role(Issuer, RoleName), Privilege, Interface, Object)
(IssuerA, role(IssuerB, users), Read, ServiceA.1, root) is interpreted as IssuerA grants anybody with role(IssuerB, users) Read access to the root folder of the file system provided by ServiceA.1.
Keystone Layout  Keystone directories were found in the following locations  /opt/stack  This contained all the necessary python modules to keep keystone running including the policy engine  /var/lib  This contained the keystone.db file used to initialise the backend  /usr/share  This contained shell files to automatically crate new users in opentack  /etc  This contained the keystone.conf file and the default catalog templates file
Policy Trace  Once an access is made to any protected resource the authorization entry point is in rules.py  enforce()  common.policy.enforce()  Brain.check()  _check()  _check_rule() or _check_role() or _check_service() or _check_generic() depending on the match in the rules dictionary.  These functions recursively call Brain.check() to help matches nesting of rules appropriately.
Our Implementation  To implement the 5 tuple we add the following to the current implementation  The Service as a part of both the cred_dict and rules_dict  The role is now a 2 tuple mapping between issuer and name of the role, again this is added to both cred_dict and rules_dict  New function called _check_service is implemented  Access is allowed only if all the elements in the match_list match that of the cred_dict
Thank You

Recomendados

Security
SecuritySecurity
Security
naniix21_3
 
Elastic search
Elastic searchElastic search
Elastic search
Vinaykumar Hebballi
 
Servlet 03
Servlet 03Servlet 03
Servlet 03
Bharat777
 
Servlet session 9
Servlet session 9Servlet session 9
Servlet session 9
Anuj Singh Rajput
 
Servlet session 6
Servlet session 6Servlet session 6
Servlet session 6
Anuj Singh Rajput
 
System settings api
System settings apiSystem settings api
System settings api
htyson
 
Dagger1
Dagger1Dagger1
Dagger1
Ramesh Akula
 
Multiprocessing.pptx
Multiprocessing.pptxMultiprocessing.pptx
Multiprocessing.pptx
MaheshGour5
 

Recomendados

Security
SecuritySecurity
Security
naniix21_3
 
Elastic search
Elastic searchElastic search
Elastic search
Vinaykumar Hebballi
 
Servlet 03
Servlet 03Servlet 03
Servlet 03
Bharat777
 
Servlet session 9
Servlet session 9Servlet session 9
Servlet session 9
Anuj Singh Rajput
 
Servlet session 6
Servlet session 6Servlet session 6
Servlet session 6
Anuj Singh Rajput
 
System settings api
System settings apiSystem settings api
System settings api
htyson
 
Dagger1
Dagger1Dagger1
Dagger1
Ramesh Akula
 
Multiprocessing.pptx
Multiprocessing.pptxMultiprocessing.pptx
Multiprocessing.pptx
MaheshGour5
 
Qtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skillQtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skill
siva1991
 
Enabling Security For ActiveMQ JMX Access
Enabling Security For ActiveMQ JMX AccessEnabling Security For ActiveMQ JMX Access
Enabling Security For ActiveMQ JMX Access
Ramakrishna Narkedamilli
 
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Lucidworks
 
Database connectivity in asp.net
Database connectivity in asp.netDatabase connectivity in asp.net
Database connectivity in asp.net
baabtra.com - No. 1 supplier of quality freshers
 
ASP.NET- database connectivity
ASP.NET- database connectivityASP.NET- database connectivity
ASP.NET- database connectivity
baabtra.com - No. 1 supplier of quality freshers
 
ASP.NET Session 11 12
ASP.NET Session 11 12ASP.NET Session 11 12
ASP.NET Session 11 12
Sisir Ghosh
 
T-SQL & Triggers
T-SQL & TriggersT-SQL & Triggers
T-SQL & Triggers
Ayesha Maqsood
 
iOS training (advanced)
iOS training (advanced)iOS training (advanced)
iOS training (advanced)
Gurpreet Singh Sachdeva
 
OpenStack London Meetup, 18 Nov 2015
OpenStack London Meetup, 18 Nov 2015OpenStack London Meetup, 18 Nov 2015
OpenStack London Meetup, 18 Nov 2015
Jesse Pretorius
 
Etiqueta de jabon "JC"
Etiqueta de jabon "JC"Etiqueta de jabon "JC"
Etiqueta de jabon "JC"
Hanzo Hasashi
 
A Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process ExecutionsA Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process Executions
Srinath Perera
 
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EEJavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
Rodrigo Cândido da Silva
 
Multi-tenancy in the cloud
Multi-tenancy in the cloudMulti-tenancy in the cloud
Multi-tenancy in the cloud
Inphina Technologies
 
Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot
Stormpath
 
Multi Tenancy In The Cloud
Multi Tenancy In The CloudMulti Tenancy In The Cloud
Multi Tenancy In The Cloud
rohit_ainapure
 
Pas3 Tenancy Design Patterns (Predix Transform 2016)
Pas3 Tenancy Design Patterns (Predix Transform 2016)Pas3 Tenancy Design Patterns (Predix Transform 2016)
Pas3 Tenancy Design Patterns (Predix Transform 2016)
ferminordaz
 
Multi-Tenant Approach
Multi-Tenant ApproachMulti-Tenant Approach
Multi-Tenant Approach
Perfectial, LLC
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
As34269277
As34269277As34269277
As34269277
IJERA Editor
 
CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docxCSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
faithxdunce63732
 
OmniBase Object Database
OmniBase Object DatabaseOmniBase Object Database
OmniBase Object Database
ESUG
 

Mais conteúdo relacionado

Mais procurados

Qtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skillQtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skill
siva1991
 
ASP.NET Session 11 12
ASP.NET Session 11 12ASP.NET Session 11 12
ASP.NET Session 11 12
Sisir Ghosh
 

Mais procurados (8)

Qtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skillQtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skill
 
Enabling Security For ActiveMQ JMX Access
Enabling Security For ActiveMQ JMX AccessEnabling Security For ActiveMQ JMX Access
Enabling Security For ActiveMQ JMX Access
 
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
 
Database connectivity in asp.net
Database connectivity in asp.netDatabase connectivity in asp.net
Database connectivity in asp.net
 
ASP.NET- database connectivity
ASP.NET- database connectivityASP.NET- database connectivity
ASP.NET- database connectivity
 
ASP.NET Session 11 12
ASP.NET Session 11 12ASP.NET Session 11 12
ASP.NET Session 11 12
 
T-SQL & Triggers
T-SQL & TriggersT-SQL & Triggers
T-SQL & Triggers
 
iOS training (advanced)
iOS training (advanced)iOS training (advanced)
iOS training (advanced)
 

Destaque

A Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process ExecutionsA Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process Executions
Srinath Perera
 
Multi-tenancy in the cloud
Multi-tenancy in the cloudMulti-tenancy in the cloud
Multi-tenancy in the cloud
Inphina Technologies
 
Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot
Stormpath
 

Destaque (9)

OpenStack London Meetup, 18 Nov 2015
OpenStack London Meetup, 18 Nov 2015OpenStack London Meetup, 18 Nov 2015
OpenStack London Meetup, 18 Nov 2015
 
Etiqueta de jabon "JC"
Etiqueta de jabon "JC"Etiqueta de jabon "JC"
Etiqueta de jabon "JC"
 
A Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process ExecutionsA Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process Executions
 
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EEJavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
 
Multi-tenancy in the cloud
Multi-tenancy in the cloudMulti-tenancy in the cloud
Multi-tenancy in the cloud
 
Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot
 
Multi Tenancy In The Cloud
Multi Tenancy In The CloudMulti Tenancy In The Cloud
Multi Tenancy In The Cloud
 
Pas3 Tenancy Design Patterns (Predix Transform 2016)
Pas3 Tenancy Design Patterns (Predix Transform 2016)Pas3 Tenancy Design Patterns (Predix Transform 2016)
Pas3 Tenancy Design Patterns (Predix Transform 2016)
 
Multi-Tenant Approach
Multi-Tenant ApproachMulti-Tenant Approach
Multi-Tenant Approach
 

Semelhante a Cloudproject

CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docxCSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
faithxdunce63732
 
Introduction to Java Enterprise Edition
Introduction to Java Enterprise EditionIntroduction to Java Enterprise Edition
Introduction to Java Enterprise Edition
Abdalla Mahmoud
 
Asp net whitepaper
Asp net whitepaperAsp net whitepaper
Asp net whitepaper
Zayar Shwe
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
openstackindia
 
Aptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceAptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity service
OpenStack
 
A GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKSA GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKS
Weaveworks
 
Nt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language AnalysisNt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language Analysis
Nicole Gomez
 
A General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
A General Purpose Extensible Scanning Query Architecture for Ad Hoc AnalyticsA General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
A General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
Flurry, Inc.
 

Semelhante a Cloudproject (20)

OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
 
As34269277
As34269277As34269277
As34269277
 
CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docxCSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
 
OmniBase Object Database
OmniBase Object DatabaseOmniBase Object Database
OmniBase Object Database
 
Introduction to Java Enterprise Edition
Introduction to Java Enterprise EditionIntroduction to Java Enterprise Edition
Introduction to Java Enterprise Edition
 
Asp net whitepaper
Asp net whitepaperAsp net whitepaper
Asp net whitepaper
 
SCWCD : The servlet container : CHAP : 4
SCWCD : The servlet container : CHAP : 4SCWCD : The servlet container : CHAP : 4
SCWCD : The servlet container : CHAP : 4
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
Aptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceAptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity service
 
Osonto documentatie
Osonto documentatieOsonto documentatie
Osonto documentatie
 
Winning the Lottery with Spring: A Microservices Case Study for the Dutch Lot...
Winning the Lottery with Spring: A Microservices Case Study for the Dutch Lot...Winning the Lottery with Spring: A Microservices Case Study for the Dutch Lot...
Winning the Lottery with Spring: A Microservices Case Study for the Dutch Lot...
 
Drupal 8 meets to symphony
Drupal 8 meets to symphonyDrupal 8 meets to symphony
Drupal 8 meets to symphony
 
I0935053
I0935053I0935053
I0935053
 
A GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKSA GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKS
 
Apache Eagle in Action
Apache Eagle in ActionApache Eagle in Action
Apache Eagle in Action
 
Architectural patterns part 4
Architectural patterns part 4Architectural patterns part 4
Architectural patterns part 4
 
Research Paper
Research PaperResearch Paper
Research Paper
 
Nt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language AnalysisNt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language Analysis
 
A General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
A General Purpose Extensible Scanning Query Architecture for Ad Hoc AnalyticsA General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
A General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
 

Último

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Cloudproject

  • 1. By- Anush V Meghana Prashanth Pramod Ramesh Ashwin Sethi
  • 2. Introduction  Openstack is an open source cloud service implementation  Keystone is the security module of Openstack  Current authorization system implemented in keystone is single-tenant  Multi-tenancy support is defined as the capability of a single software instance to provide its service to several parties simultaneously  Our objective is to convert this single tenant system into a multi-tenant one
  • 3. Current implementations of authorization is based on a 3 tuple implementation namely (Subject, Privilege, Object)  This needs to be changed to incorporate multi-tenancy  The basic multi-tenant system would have a structure in the form of a 5 tuple namely (Issuer, Subject, Privilege, Interface, Object)  This implementation though useful is not enough  We try to use a RBAC incorporated implementation  This new model which has RBAC changes the 5 tuple to (Issuer, role(Issuer, RoleName), Privilege, Interface, Object)
  • 4. (IssuerA, role(IssuerB, users), Read, ServiceA.1, root) is interpreted as IssuerA grants anybody with role(IssuerB, users) Read access to the root folder of the file system provided by ServiceA.1.
  • 5. Keystone Layout  Keystone directories were found in the following locations  /opt/stack  This contained all the necessary python modules to keep keystone running including the policy engine  /var/lib  This contained the keystone.db file used to initialise the backend  /usr/share  This contained shell files to automatically crate new users in opentack  /etc  This contained the keystone.conf file and the default catalog templates file
  • 6. Policy Trace  Once an access is made to any protected resource the authorization entry point is in rules.py  enforce()  common.policy.enforce()  Brain.check()  _check()  _check_rule() or _check_role() or _check_service() or _check_generic() depending on the match in the rules dictionary.  These functions recursively call Brain.check() to help matches nesting of rules appropriately.
  • 7. Our Implementation  To implement the 5 tuple we add the following to the current implementation  The Service as a part of both the cred_dict and rules_dict  The role is now a 2 tuple mapping between issuer and name of the role, again this is added to both cred_dict and rules_dict  New function called _check_service is implemented  Access is allowed only if all the elements in the match_list match that of the cred_dict