Keystone Federation

Anush V
Meghana Prashanth
Pramod Ramesh

Dr. Dinkar Sitaram
Center for Cloud computing and Big Data
PESIT, Bangalore
Slide 2 (diagram): three clouds, Openstack A, Openstack B and Openstack C, each with its own IdentityProvider 1 and its own set of services (Services k, Services l and Services m respectively).
Federation

•   A federation is defined as “an association comprising any number of service providers and identity providers.”
Federated System

•   The current implementation of authorization is based on a 3-tuple, namely (Subject, Privilege, Object).
•   This needs to be modified to incorporate federation and multi-tenancy.
•   The new system has a 5-tuple structure, namely (Issuer, Subject, Privilege, Interface, Object).
•   We use an implementation that incorporates RBAC.
•   With RBAC the subject becomes a role issued by some issuer, which changes the 5-tuple to (Issuer, role(Issuer, roleName), Privilege, Interface, Object).
(IssuerB, role(IssuerA, admin), Read, InterfaceB.1, root) is interpreted
as IssuerB grants anybody with role(IssuerA, admin) Read access to
the root folder of the file system provided by InterfaceB.1.
Our Implementation

We have devised a simple mechanism for federation.

Scenario: Assume that the client is a tenant in some home cloud A (H). They want access to resources in some remote cloud B (R).

•   GAT acquisition: the client sends to the gateway in A a GAT (Gateway Access Token) request that will allow it to access the gateway at B. The GAT is one of our 5-tuples.
•   TAT acquisition (Tenant Access Token):
     o   The client sends the GAT, together with its certificate or authentication token, to the gateway at R, requesting a TAT.
     o   [The gateway at R contacts the gateway at H to validate the identity of the client.]
     o   The gateway at R returns a TAT for the requested tenant or for all accessible tenants. The TAT is another of our 5-tuples.
•   RAT acquisition (Resource acquisition Token):
     o   The client sends the TAT, together with a request for a RAT, to the policy engine on the tenant. This request should be signed.
     o   The policy engine sends the request to the gateway at R for verification of the signature.
     o   The policy engine sends back the RAT. The RAT is our 5-tuple.
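The three-step exchange above, simulated end to end as an added example (not code from the slides or from the authors' prototype). Assumptions: one gateway per cloud with a mutual trust relationship, HMAC-SHA256 standing in for certificate signatures, the client's certificate modelled as a key held by its home gateway, and the concrete values placed in the five fields of each token.

```python
import hashlib
import hmac
import json


def sign(key, payload):
    """HMAC-SHA256 over canonical JSON of payload (stands in for a certificate signature)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key, payload, sig):
    return hmac.compare_digest(sign(key, payload), sig)


def five_tuple(issuer, role_issuer, role_name, privilege, interface, obj):
    """The slides' (Issuer, role(Issuer, roleName), Privilege, Interface, Object)."""
    return {"issuer": issuer, "role": [role_issuer, role_name],
            "privilege": privilege, "interface": interface, "object": obj}


class Gateway:
    """One gateway per cloud; it signs the tokens it issues and vouches for its own users."""

    def __init__(self, cloud, key):
        self.cloud, self.key = cloud, key
        self.users = {}    # home users: name -> client key (models the user's certificate)
        self.peers = {}    # cloud name -> trusted Gateway of that cloud
        self.tenants = {}  # (home cloud, user) -> tenants the visitor may use here

    def issue(self, tup):
        return {"token": tup, "sig": sign(self.key, tup)}

    def check(self, tok):
        return verify(self.key, tok["token"], tok["sig"])

    def verify_user(self, user, payload, sig):
        """Answer a peer's question: did our user really sign this payload?"""
        key = self.users.get(user)
        return key is not None and verify(key, payload, sig)

    # GAT acquisition: the home gateway grants the client access to a remote gateway.
    def issue_gat(self, user, remote_cloud):
        if user not in self.users or remote_cloud not in self.peers:
            return None
        return self.issue(five_tuple(self.cloud, self.cloud, user, "access",
                                     "gateway:" + remote_cloud, "gateway"))

    # TAT acquisition: R checks the GAT, asks H about the client, then names tenants.
    def issue_tat(self, gat, user, proof, tenant=None):
        t = gat["token"]
        home = self.peers.get(t["issuer"])
        if home is None or not home.check(gat):
            return None                       # GAT not from a trusted home gateway
        if t["interface"] != "gateway:" + self.cloud or t["role"] != [home.cloud, user]:
            return None                       # GAT not issued for this gateway and user
        if not home.verify_user(user, {"user": user}, proof):
            return None                       # H does not vouch for the client
        allowed = self.tenants.get((home.cloud, user), [])
        tenants = allowed if tenant is None else [x for x in allowed if x == tenant]
        if not tenants:
            return None
        return self.issue(five_tuple(self.cloud, home.cloud, user, "tenant-access",
                                     "policy-engine", tenants))

    def verify_request_signature(self, home_cloud, user, request, sig):
        """The policy engine hands the signed request here; R asks H to verify it."""
        home = self.peers.get(home_cloud)
        return home is not None and home.verify_user(user, request, sig)


class PolicyEngine:
    """Policy engine of one tenant in cloud R: TAT plus signed request -> RAT."""

    def __init__(self, tenant, gateway):
        self.tenant, self.gateway = tenant, gateway

    def issue_rat(self, tat, request, sig):
        t = tat["token"]
        if not self.gateway.check(tat) or self.tenant not in t["object"]:
            return None                       # TAT not ours, or not for this tenant
        home_cloud, user = t["role"]
        if not self.gateway.verify_request_signature(home_cloud, user, request, sig):
            return None                       # signature rejected by the gateway at R
        return self.gateway.issue(five_tuple(self.tenant, home_cloud, user,
                                             request["privilege"], request["interface"],
                                             request["object"]))


def run_scenario(user="alice", tenant="mytenant", tamper=False):
    """Client of home cloud A reaches a resource in remote cloud B. Returns the RAT or None."""
    a, b = Gateway("A", b"gateway-A-key"), Gateway("B", b"gateway-B-key")
    a.peers["B"], b.peers["A"] = b, a             # constructed trust relationship A <-> B
    a.users["alice"] = b"alice-client-key"        # constructed: alice's certificate at home
    b.tenants[("A", "alice")] = ["mytenant"]      # constructed: what B lets A's alice use
    gat = a.issue_gat(user, "B")
    if gat is None:
        return None
    client_key = a.users[user]
    proof = sign(client_key, {"user": user})      # identity proof sent with the GAT
    tat = b.issue_tat(gat, user, proof, tenant)
    if tat is None:
        return None
    request = {"privilege": "Read", "interface": "InterfaceB.1", "object": "root"}
    sig = sign(b"wrong-key" if tamper else client_key, request)
    return PolicyEngine(tenant, b).issue_rat(tat, request, sig)
```

Every check fails closed: an unknown user gets no GAT, a tenant B has not granted gets no TAT, and a request whose signature the home gateway cannot confirm gets no RAT.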
Current implementation:

All rules are stored here:
rules_dict : { abc: {role:[netadmin], tenant_id:[mytenant]},
               def: {role:[computeadmin], tenant_id:[mytenant1]} }

Service access requirements (the service determines what policy is required to grant the user access):
match_list : {rule:abc}

User credentials:
cred_dict : { roles:[netadmin], tenant_id:[mytenant] }
target_dict : {tenant_id: mytenant}

Our implementation:

All rules are stored here:
rules_dict : { abc: {role:[issuerA:netadmin], tenant_id:[mytenant], interface:[myinterface]},
               def: {role:[issuerC:netadmin], tenant_id:[mytenant], interface:[myinterface]} }

Service access requirement:
match_list : {rule:abc}

User credentials:
cred_dict : { roles:[issuerA:netadmin], tenant_id:[mytenant], interface:[myinterface] }
target_dict : {tenant_id: mytenant}
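The rule check the two layouts above imply, written out as an added example (not the slides' or the prototype's code). It contrasts the pre-federation match, where a bare role name from any cloud satisfies the rule, with the federated match, where a role only counts when both its issuer and its name agree with the rule, and the tenant and interface must match too. The dict contents are the ones shown above; the function names and the fail-closed handling of unknown rules are assumptions.

```python
# Rule stores in the two layouts from the slides (values taken from the slides).
LEGACY_RULES = {
    "abc": {"role": ["netadmin"], "tenant_id": ["mytenant"]},
    "def": {"role": ["computeadmin"], "tenant_id": ["mytenant1"]},
}
RULES_DICT = {
    "abc": {"role": ["issuerA:netadmin"], "tenant_id": ["mytenant"],
            "interface": ["myinterface"]},
    "def": {"role": ["issuerC:netadmin"], "tenant_id": ["mytenant"],
            "interface": ["myinterface"]},
}


def legacy_rule_matches(rule, cred_dict, target_dict):
    """Pre-federation check: roles are bare names, so 'netadmin' from any cloud passes."""
    if rule.get("role") and not set(rule["role"]) & set(cred_dict.get("roles", [])):
        return False
    target_tenant = target_dict.get("tenant_id")
    if rule.get("tenant_id") and target_tenant not in rule["tenant_id"]:
        return False
    return target_tenant in cred_dict.get("tenant_id", [])


def parse_role(qualified):
    """Split 'issuer:roleName' into (issuer, roleName); unqualified roles yield None."""
    issuer, sep, name = qualified.partition(":")
    if not sep or not issuer or not name:
        return None            # an unqualified role cannot be attributed to an issuer
    return (issuer, name)


def rule_matches(rule, cred_dict, target_dict):
    """Federated check: role matches on (issuer, name), plus tenant and interface."""
    wanted = {r for r in map(parse_role, rule.get("role", [])) if r}
    held = {r for r in map(parse_role, cred_dict.get("roles", [])) if r}
    if wanted and not wanted & held:
        return False           # same role name under another issuer does not count
    target_tenant = target_dict.get("tenant_id")
    if rule.get("tenant_id"):
        if target_tenant not in rule["tenant_id"]:
            return False
        if target_tenant not in cred_dict.get("tenant_id", []):
            return False
    if rule.get("interface"):
        if not set(rule["interface"]) & set(cred_dict.get("interface", [])):
            return False       # request arrived on an interface the rule does not cover
    return True


def enforce(match_list, cred_dict, target_dict, rules=RULES_DICT):
    """Service-side decision: match_list names the rule the service requires."""
    rule = rules.get(match_list.get("rule"))
    if rule is None:
        return False           # unknown rule: fail closed rather than grant
    return rule_matches(rule, cred_dict, target_dict)
```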
Current Federation Blueprint

•   The current blueprint for federation is given by David Chadwick.
•   He describes a 30-step procedure involving various entities:
      •  AM – Attribute Mapper
      •  ARP – Attribute Requirements Policy
      •  IdP – Identity Provider
      •  AA – Attribute Authority
•   There exists a global entity called the Openstack Gateway (OG), which is a centralised control unit.
•   The OG contains the trust relationships between AAs, IdPs, etc.
•   Since all mappings are in the OG, the attributes/roles given by IdPs and AAs need to be globally identifiable.
•   Existence of scoped and unscoped tokens (unclear).

Differences between the models

•   ARP does not exist in our model. Instead we feel that directly sending the user's credentials is enough.
•   There is no explicit IdP in our model. Instead the authenticity of the user is validated by its gateway by looking at the user-generated certificate.
•   AM is not needed in our model.
•   Our model has local gateways for each of the cloud service providers, as compared to the common Openstack Gateway proposed by the blueprint.
•   There are just normal tokens in our model. The blueprint talks about scoped and unscoped tokens.
THANK YOU

Mais conteúdo relacionado

Mais procurados

OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
Security_of_openstack_keystone
Security_of_openstack_keystoneSecurity_of_openstack_keystone
Security_of_openstack_keystoneUT, San Antonio
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014Victor Morales
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1Jsonr4
 
A Brief Introduce to WSGI
A Brief Introduce to WSGIA Brief Introduce to WSGI
A Brief Introduce to WSGIMingli Yuan
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architectureToni Ramirez
 
Openstack training material
Openstack training materialOpenstack training material
Openstack training materialchenvi123
 
What is the ServiceStack?
What is the ServiceStack?What is the ServiceStack?
What is the ServiceStack?Demis Bellot
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2Elana Krasner
 
Spring Security Patterns
Spring Security PatternsSpring Security Patterns
Spring Security PatternsVMware Tanzu
 
Strata London 2018: Multi-everything with Apache Pulsar
Strata London 2018:  Multi-everything with Apache PulsarStrata London 2018:  Multi-everything with Apache Pulsar
Strata London 2018: Multi-everything with Apache PulsarStreamlio
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administrationAshish Sharma
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAPJesse Pretorius
 

Mais procurados (20)

OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
Security_of_openstack_keystone
Security_of_openstack_keystoneSecurity_of_openstack_keystone
Security_of_openstack_keystone
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
 
OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014OpenStack GDL : Hacking keystone | 20 Octubre 2014
OpenStack GDL : Hacking keystone | 20 Octubre 2014
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1
 
A Brief Introduce to WSGI
A Brief Introduce to WSGIA Brief Introduce to WSGI
A Brief Introduce to WSGI
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architecture
 
Openstack Keystone
Openstack Keystone Openstack Keystone
Openstack Keystone
 
Openstack training material
Openstack training materialOpenstack training material
Openstack training material
 
What is the ServiceStack?
What is the ServiceStack?What is the ServiceStack?
What is the ServiceStack?
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2
 
Spring Security Patterns
Spring Security PatternsSpring Security Patterns
Spring Security Patterns
 
Strata London 2018: Multi-everything with Apache Pulsar
Strata London 2018:  Multi-everything with Apache PulsarStrata London 2018:  Multi-everything with Apache Pulsar
Strata London 2018: Multi-everything with Apache Pulsar
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administration
 
How to Develop OpenStack
How to Develop OpenStackHow to Develop OpenStack
How to Develop OpenStack
 
OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Security
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAP
 

Semelhante a Keystone Federation Blueprint

.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfNordic APIs
 
Athenz introduction
Athenz introductionAthenz introduction
Athenz introductionDũng Lê
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
Netflix Play API: Why we built an evolutionary architecture
Netflix Play API: Why we built an evolutionary architectureNetflix Play API: Why we built an evolutionary architecture
Netflix Play API: Why we built an evolutionary architectureSuudhan Rangarajan
 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE ArchitecturesFIWARE
 
Hyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep DiveHyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep DiveDan Selman
 
Blockchain Explored: A technical deep-dive
Blockchain Explored: A technical deep-diveBlockchain Explored: A technical deep-dive
Blockchain Explored: A technical deep-diveBinh Nguyen
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 
Better Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
Better Deployments with Sub Environments Using Spring Cloud and Netflix RibbonBetter Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
Better Deployments with Sub Environments Using Spring Cloud and Netflix RibbonVMware Tanzu
 
PRShare: a framework for privacy-preserving, interorganizational data sharing.
PRShare: a framework for privacy-preserving, interorganizational data sharing.PRShare: a framework for privacy-preserving, interorganizational data sharing.
PRShare: a framework for privacy-preserving, interorganizational data sharing.Lihi Idan
 
Service operator aware trust scheme for resource
Service operator aware trust scheme for resourceService operator aware trust scheme for resource
Service operator aware trust scheme for resourcejayaramb
 
Kks sre book_ch10
Kks sre book_ch10Kks sre book_ch10
Kks sre book_ch10Chris Huang
 

Semelhante a Keystone Federation Blueprint (20)

.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
Athenz introduction
Athenz introductionAthenz introduction
Athenz introduction
 
Null talk
Null talkNull talk
Null talk
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
AAA Protocol
AAA ProtocolAAA Protocol
AAA Protocol
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
Netflix Play API: Why we built an evolutionary architecture
Netflix Play API: Why we built an evolutionary architectureNetflix Play API: Why we built an evolutionary architecture
Netflix Play API: Why we built an evolutionary architecture
 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE Architectures
 
Hyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep DiveHyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep Dive
 
Blockchain Explored: A technical deep-dive
Blockchain Explored: A technical deep-diveBlockchain Explored: A technical deep-dive
Blockchain Explored: A technical deep-dive
 
Cloud Identity Management
Cloud Identity ManagementCloud Identity Management
Cloud Identity Management
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
 
Better Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
Better Deployments with Sub Environments Using Spring Cloud and Netflix RibbonBetter Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
Better Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
 
PRShare: a framework for privacy-preserving, interorganizational data sharing.
PRShare: a framework for privacy-preserving, interorganizational data sharing.PRShare: a framework for privacy-preserving, interorganizational data sharing.
PRShare: a framework for privacy-preserving, interorganizational data sharing.
 
Service operator aware trust scheme for resource
Service operator aware trust scheme for resourceService operator aware trust scheme for resource
Service operator aware trust scheme for resource
 
Kks sre book_ch10
Kks sre book_ch10Kks sre book_ch10
Kks sre book_ch10
 

Mais de openstackindia

Guts & OpenStack migration
Guts & OpenStack migrationGuts & OpenStack migration
Guts & OpenStack migrationopenstackindia
 
Copr HD OpenStack Day India
Copr HD OpenStack Day IndiaCopr HD OpenStack Day India
Copr HD OpenStack Day Indiaopenstackindia
 
Your first patch to OpenStack
Your first patch to OpenStackYour first patch to OpenStack
Your first patch to OpenStackopenstackindia
 
OpenStack Neutron Behind The Senes
OpenStack Neutron Behind The SenesOpenStack Neutron Behind The Senes
OpenStack Neutron Behind The Senesopenstackindia
 
OpenStack Storage Buddy Ceph
OpenStack Storage Buddy CephOpenStack Storage Buddy Ceph
OpenStack Storage Buddy Cephopenstackindia
 
State of Containers in OpenStack
State of Containers in OpenStackState of Containers in OpenStack
State of Containers in OpenStackopenstackindia
 
The OpenStack Contribution Workflow
The OpenStack Contribution WorkflowThe OpenStack Contribution Workflow
The OpenStack Contribution Workflowopenstackindia
 
Introduction to Cinder
Introduction to CinderIntroduction to Cinder
Introduction to Cinderopenstackindia
 
OpenStack NFV Edge computing for IOT microservices
OpenStack NFV Edge computing for IOT microservicesOpenStack NFV Edge computing for IOT microservices
OpenStack NFV Edge computing for IOT microservicesopenstackindia
 
OpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingOpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingopenstackindia
 
Deploying openstack using ansible
Deploying openstack using ansibleDeploying openstack using ansible
Deploying openstack using ansibleopenstackindia
 
Ceph openstack-jun-2015-meetup
Ceph openstack-jun-2015-meetupCeph openstack-jun-2015-meetup
Ceph openstack-jun-2015-meetupopenstackindia
 
Role of sdn controllers in open stack
Role of sdn controllers in open stackRole of sdn controllers in open stack
Role of sdn controllers in open stackopenstackindia
 
Outreachy with-openstack-zaqar
Outreachy with-openstack-zaqarOutreachy with-openstack-zaqar
Outreachy with-openstack-zaqaropenstackindia
 
Enhancing OpenStack FWaaS for real world application
Enhancing OpenStack FWaaS for real world applicationEnhancing OpenStack FWaaS for real world application
Enhancing OpenStack FWaaS for real world applicationopenstackindia
 
Openstack devops challenges
Openstack devops challenges Openstack devops challenges
Openstack devops challenges openstackindia
 
Demistifying open stack storage
Demistifying open stack storageDemistifying open stack storage
Demistifying open stack storageopenstackindia
 

Mais de openstackindia (20)

Guts & OpenStack migration
Guts & OpenStack migrationGuts & OpenStack migration
Guts & OpenStack migration
 
Copr HD OpenStack Day India
Copr HD OpenStack Day IndiaCopr HD OpenStack Day India
Copr HD OpenStack Day India
 
OPNFV & OpenStack
OPNFV & OpenStackOPNFV & OpenStack
OPNFV & OpenStack
 
Your first patch to OpenStack
Your first patch to OpenStackYour first patch to OpenStack
Your first patch to OpenStack
 
OpenStack Neutron Behind The Senes
OpenStack Neutron Behind The SenesOpenStack Neutron Behind The Senes
OpenStack Neutron Behind The Senes
 
OpenStack Storage Buddy Ceph
OpenStack Storage Buddy CephOpenStack Storage Buddy Ceph
OpenStack Storage Buddy Ceph
 
OpenStack Watcher
OpenStack WatcherOpenStack Watcher
OpenStack Watcher
 
State of Containers in OpenStack
State of Containers in OpenStackState of Containers in OpenStack
State of Containers in OpenStack
 
The OpenStack Contribution Workflow
The OpenStack Contribution WorkflowThe OpenStack Contribution Workflow
The OpenStack Contribution Workflow
 
Introduction to Cinder
Introduction to CinderIntroduction to Cinder
Introduction to Cinder
 
OpenStack NFV Edge computing for IOT microservices
OpenStack NFV Edge computing for IOT microservicesOpenStack NFV Edge computing for IOT microservices
OpenStack NFV Edge computing for IOT microservices
 
OpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingOpenStack Tempest and REST API testing
OpenStack Tempest and REST API testing
 
Deploying openstack using ansible
Deploying openstack using ansibleDeploying openstack using ansible
Deploying openstack using ansible
 
Ceph openstack-jun-2015-meetup
Ceph openstack-jun-2015-meetupCeph openstack-jun-2015-meetup
Ceph openstack-jun-2015-meetup
 
Role of sdn controllers in open stack
Role of sdn controllers in open stackRole of sdn controllers in open stack
Role of sdn controllers in open stack
 
Outreachy with-openstack-zaqar
Outreachy with-openstack-zaqarOutreachy with-openstack-zaqar
Outreachy with-openstack-zaqar
 
Enhancing OpenStack FWaaS for real world application
Enhancing OpenStack FWaaS for real world applicationEnhancing OpenStack FWaaS for real world application
Enhancing OpenStack FWaaS for real world application
 
Openstack devops challenges
Openstack devops challenges Openstack devops challenges
Openstack devops challenges
 
Demistifying open stack storage
Demistifying open stack storageDemistifying open stack storage
Demistifying open stack storage
 
OpenStack Heat
OpenStack HeatOpenStack Heat
OpenStack Heat
 

Último

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Último (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024

Keystone Federation Blueprint

  • 6. Our Implementation
    We have devised a simple mechanism for federation.
    Scenario: assume that the client is a tenant in some home cloud A (whose gateway is called H below) and wants access to resources in some remote cloud B (whose gateway is called R).
    • GAT acquisition (Gateway Access Token): the client sends a GAT request to the gateway in A; the GAT will allow it to access the gateway at B. The GAT is one of our 5-tuples.
    • TAT acquisition (Tenant Access Token):
      o The client sends the GAT, together with its certificate or authentication token, to the gateway at R, requesting a TAT.
      o [The gateway at R contacts the gateway at H to validate the identity of the client.]
      o The gateway at R returns a TAT for the requested tenant, or for all tenants the client may access. The TAT is another of our 5-tuples.
    • RAT acquisition (Resource Acquisition Token):
      o The client sends the TAT, together with a request for a RAT, to the policy engine on the tenant. This request should be signed.
      o The policy engine sends the request to the gateway at R for verification of the signature.
      o The policy engine sends back the RAT. The RAT is also one of our 5-tuples.
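The GAT/TAT/RAT exchange above, written out end to end as an added Python example (not the authors' implementation): one gateway per cloud signs the 5-tuples it issues and asks the peer gateway to vouch for client identity, and the tenant's policy engine forwards the TAT plus the client's signed request to its own gateway before handing out a RAT. HMAC-SHA256 over per-gateway and per-client secrets stands in for the certificates and signatures of the slides; the names Gateway, PolicyEngine, issue_gat/issue_tat/issue_rat, the interface labels Gateway.<name> and Tenant.<name>, and the user alice are all assumptions made for this illustration. The last line also shows what a signed token buys: a client that edits its own TAT to claim a different role gets nothing back.

```python
from __future__ import annotations
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

@dataclass(frozen=True)
class Tuple5:  # (Issuer, Subject, Privilege, Interface, Object); Subject is role(Issuer, roleName)
    issuer: str
    subject: str
    privilege: str
    interface: str
    obj: str

def role(issuer: str, name: str) -> str:
    return f"role({issuer}, {name})"

def _mac(key: bytes, msg: str) -> str:
    # HMAC-SHA256 stands in for the gateway and client signatures of the slides (assumption)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class Gateway:
    # Per-cloud gateway (assumed design): signs the 5-tuples it issues and vouches for
    # its own tenants' identities to the peer gateways it trusts
    def __init__(self, name: str, key: bytes):
        self.name, self._key = name, key
        self.peers: dict[str, Gateway] = {}                  # trust relationships, configured out of band
        self.users: dict[str, tuple[bytes, set[str]]] = {}   # user -> (client secret, home roles)

    def sign(self, t: Tuple5) -> dict:
        body = json.dumps(asdict(t), sort_keys=True)
        return {"body": body, "sig": _mac(self._key, body)}

    def verify(self, token: dict) -> Tuple5 | None:
        # Only tokens this gateway issued verify; any edit to the body fails the MAC
        if not hmac.compare_digest(_mac(self._key, token["body"]), token["sig"]):
            return None
        return Tuple5(**json.loads(token["body"]))

    def validate_identity(self, user: str, msg: str, sig: str) -> set[str] | None:
        # Home-side check of a client signature over msg; returns the client's home roles
        secret, roles = self.users.get(user, (None, set()))
        if secret is None or not hmac.compare_digest(_mac(secret, msg), sig):
            return None
        return roles

    def issue_gat(self, user: str, sig: str, rolename: str, remote: str) -> dict | None:
        # Step 1 (home gateway): GAT granting the client's home role access to the remote gateway
        roles = self.validate_identity(user, f"GAT:{remote}", sig)
        if roles is None or rolename not in roles:
            return None
        return self.sign(Tuple5(self.name, role(self.name, rolename), "Access", f"Gateway.{remote}", "*"))

    def issue_tat(self, gat: dict, user: str, sig: str, tenant: str) -> dict | None:
        # Step 2 (remote gateway): verify the GAT with its issuer, then have the home gateway vouch for the client
        home = self.peers.get(json.loads(gat["body"])["issuer"])   # route on the claimed issuer, verify there
        g = home.verify(gat) if home else None
        if g is None or g.interface != f"Gateway.{self.name}":
            return None                                            # forged, altered, or not meant for this gateway
        roles = home.validate_identity(user, f"TAT:{tenant}", sig)  # [R contacts H]
        if roles is None or g.subject not in {role(home.name, r) for r in roles}:
            return None
        return self.sign(Tuple5(self.name, g.subject, "Access", f"Tenant.{tenant}", tenant))

    def verify_request(self, tat: dict, user: str, msg: str, sig: str) -> Tuple5 | None:
        # Step 3 helper: the policy engine hands this gateway the TAT and the client's signed request
        t = self.verify(tat)
        home = self.peers.get(t.subject[len("role("):].split(",")[0]) if t else None  # Issuer in role(Issuer, ...)
        if home is None or home.validate_identity(user, msg, sig) is None:
            return None
        return t

class PolicyEngine:
    # Tenant-side policy engine (assumed): holds the tenant's grants as 5-tuples
    def __init__(self, gateway: Gateway, grants: list[Tuple5]):
        self.gateway, self.grants = gateway, grants

    def issue_rat(self, tat: dict, user: str, request: dict, sig: str) -> Tuple5 | None:
        # Step 3: RAT only if the TAT and the request signature check out and a matching grant exists
        t = self.gateway.verify_request(tat, user, json.dumps(request, sort_keys=True), sig)
        if t is None or t.interface != f"Tenant.{request['tenant']}":
            return None
        want = Tuple5(self.gateway.name, t.subject, request["privilege"], request["interface"], request["obj"])
        return want if want in self.grants else None

def demo() -> tuple[Tuple5 | None, Tuple5 | None]:
    # Home-cloud-A tenant reaching cloud B; the second value is the outcome with a tampered TAT
    gw_a, gw_b = Gateway("IssuerA", b"key-A"), Gateway("IssuerB", b"key-B")
    gw_a.peers["IssuerB"], gw_b.peers["IssuerA"] = gw_b, gw_a
    secret = b"alice-secret"                                       # constructed client credential
    gw_a.users["alice"] = (secret, {"admin"})
    engine = PolicyEngine(gw_b, [Tuple5("IssuerB", role("IssuerA", "admin"), "Read", "InterfaceB.1", "root")])
    gat = gw_a.issue_gat("alice", _mac(secret, "GAT:IssuerB"), "admin", "IssuerB")
    tat = gw_b.issue_tat(gat, "alice", _mac(secret, "TAT:tenant1"), "tenant1")
    req = {"tenant": "tenant1", "privilege": "Read", "interface": "InterfaceB.1", "obj": "root"}
    req_sig = _mac(secret, json.dumps(req, sort_keys=True))
    forged = dict(tat, body=tat["body"].replace("admin", "superadmin"))  # client edits its own TAT
    return engine.issue_rat(tat, "alice", req, req_sig), engine.issue_rat(forged, "alice", req, req_sig)
```

Two design points worth noting. Each gateway verifies only tokens it issued itself, so the remote gateway never trusts a GAT on the strength of the issuer name written inside it: it routes on that name and then asks the named peer to verify, which is what the bracketed "R contacts H" step buys. The RAT check is a plain membership test against the tenant's grant list, which is exactly the semantics slide 5 gives the 5-tuple (IssuerB, role(IssuerA, admin), Read, InterfaceB.1, root).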
  • 7. Current implementation versus our implementation
    Current implementation. All rules are stored in rules_dict:
      rules_dict : { abc: {role:[netadmin], tenant_id:[mytenant]},
                     def: {role:[computeadmin], tenant_id:[mytenant1]} }
    Service access requirements: match_list : {rule:abc}  (the service determines which policy rule must hold to grant the user access)
    User credentials: cred_dict : { roles:[netadmin], tenant_id:[mytenant] }
    Target: target_dict : {tenant_id:mytenant}
    Our implementation. All rules are stored in rules_dict; roles are qualified by their issuer, and each rule names the interface it applies to:
      rules_dict : { abc: {role:[issuerA:netadmin], tenant_id:[mytenant], interface:[myinterface]},
                     def: {role:[issuerC:netadmin], tenant_id:[mytenant], interface:[myinterface]} }
    Service access requirement: match_list : {rule:abc}
    Target: target_dict : {tenant_id:mytenant}
    User credentials: cred_dict : {roles:[issuerA:netadmin], tenant_id:[mytenant], interface:[myinterface]}
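To make the difference between the two rule sets above concrete, here is an added Python example (written for this page, not code from Keystone or from the authors) of a minimal rule matcher working on dictionaries in the slide's shape. The functions enforce, unqualified and demo, the fail-closed handling of an unknown rule, and the credentials of the two users are all constructed for the illustration. The point it demonstrates: with unqualified role names, a user whose home IdP happens to call its role netadmin (issuerC) satisfies a rule written for issuerA's netadmin; once roles are issuer-qualified and the rule names its interface, that user, a request through a different interface, and a request against a different tenant are all refused.

```python
# Rules and credentials in the shape used on the slide (constructed sample data).
CURRENT_RULES = {  # current model: role names carry no issuer, rules know nothing of interfaces
    "abc": {"role": ["netadmin"], "tenant_id": ["mytenant"]},
    "def": {"role": ["computeadmin"], "tenant_id": ["mytenant1"]},
}
FEDERATED_RULES = {  # federated model: issuer-qualified roles, plus the interface the rule applies to
    "abc": {"role": ["issuerA:netadmin"], "tenant_id": ["mytenant"], "interface": ["myinterface"]},
    "def": {"role": ["issuerC:netadmin"], "tenant_id": ["mytenant"], "interface": ["myinterface"]},
}

CRED_KEY = {"role": "roles"}  # the rule attribute "role" is spelled "roles" in cred_dict


def enforce(rules: dict, match_list: dict, cred_dict: dict, target_dict: dict) -> bool:
    """Grant iff, for every attribute the selected rule names, the credentials hold one of
    the allowed values; tenant_id must additionally agree with the target being accessed."""
    rule = rules.get(match_list.get("rule"))
    if rule is None:
        return False  # unknown rule: fail closed
    for attr, allowed in rule.items():
        held = set(cred_dict.get(CRED_KEY.get(attr, attr), []))
        if attr == "tenant_id":
            held &= {target_dict.get("tenant_id")}
        if not held & set(allowed):
            return False
    return True


def unqualified(cred_dict: dict) -> dict:
    """What the current engine sees once the issuer prefix is dropped from federated roles."""
    return dict(cred_dict, roles=[r.split(":", 1)[-1] for r in cred_dict["roles"]])


def demo() -> dict:
    match_list = {"rule": "abc"}
    target_dict = {"tenant_id": "mytenant"}
    user_a = {"roles": ["issuerA:netadmin"], "tenant_id": ["mytenant"], "interface": ["myinterface"]}
    user_c = {"roles": ["issuerC:netadmin"], "tenant_id": ["mytenant"], "interface": ["myinterface"]}
    return {
        "current_A": enforce(CURRENT_RULES, match_list, unqualified(user_a), target_dict),
        # role-name collision: issuerC's "netadmin" satisfies a rule meant for issuerA's "netadmin"
        "current_C": enforce(CURRENT_RULES, match_list, unqualified(user_c), target_dict),
        "federated_A": enforce(FEDERATED_RULES, match_list, user_a, target_dict),
        "federated_C": enforce(FEDERATED_RULES, match_list, user_c, target_dict),
        "federated_A_other_interface": enforce(
            FEDERATED_RULES, match_list, dict(user_a, interface=["other"]), target_dict),
        "federated_A_other_tenant": enforce(FEDERATED_RULES, match_list, user_a, {"tenant_id": "mytenant1"}),
        "unknown_rule": enforce(FEDERATED_RULES, {"rule": "ghi"}, user_a, target_dict),
    }
```

The tenant_id handling is the one place the matcher looks beyond the credentials: a credential scoped to mytenant must not unlock rule abc on a request whose target is mytenant1, even though both the rule and the credential list mytenant.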
  • 8. Current Federation Blueprint
    • The current blueprint for federation is given by David Chadwick.
    • It describes a 30-step procedure involving various entities:
      • AM – Attribute Mapper
      • ARP – Attribute Requirements Policy
      • IdP – Identity Provider
      • AA – Attribute Authority
    • There is a global entity called the Openstack Gateway (OG), which is a centralised control unit.
    • The OG holds the trust relationships between AAs, IdPs, etc.
    • Since all mappings are in the OG, the attributes/roles issued by IdPs and AAs need to be globally identifiable.
    • Scoped and unscoped tokens both exist (their use is unclear).
  • 9. Differences between the models
    • ARP does not exist in our model; instead we feel that sending the user's credentials directly is enough.
    • There is no explicit IdP in our model; instead the authenticity of the user is validated by its own gateway, by looking at the user-generated certificate.
    • AM is not needed in our model.
    • Our model has a local gateway for each cloud service provider, compared to the single common Openstack Gateway proposed by the blueprint.
    • There are just normal tokens in our model; the blueprint talks about scoped and unscoped tokens.