CIS14: Identity in OpenStack Icehouse

Posted on 06-Dec-2014

Description

David Waite, Ping Identity

Overview of the OpenStack project, in particular the Keystone subproject responsible for identity; how to use the features of the newest OpenStack release to tie into external identity systems; and some of the potential directions OpenStack could take in the future.

Transcript of CIS14: Identity in OpenStack Icehouse

IDENTITY AND OPENSTACK ICEHOUSE

David Waite

Technical Architect, Ping Labs

Ping Identity

Contents

• What is OpenStack
• What components are in OpenStack
• Keystone, the Identity component of OpenStack
  • Tokens
  • Integration
  • Federation
• What's coming?

What is OpenStack?

• Cloud Computing Platform
  • Infrastructure-as-a-Service
• Used for private and public clouds
• Multi-tenant (project)

What is OpenStack?

• Strives for Openness:
  • Source
  • Standards
  • Design
  • Development
  • Community
• Modular architecture promoting individual projects

Who uses OpenStack?

• Targeting service offerings, enterprises, and government/academic institutions
  • Industries like IT, telco, SaaS, Finance and Healthcare
• Name Dropping
  • Paypal, Best Buy, Comcast, CERN

https://www.openstack.org/user-stories/

Cloud Stack

Continuum

Cloud Environments

OpenStack Architecture

What does OpenStack Provide?

Function   Purpose
Compute    Virtual Machines, management of underlying CPU/Memory usage (EC2)
Network    Software Defined Networking and Load Balancing
Storage    Object and Block storage (EC2/EBS, Azure Blob Storage)
Image      Virtual Machine image management
Telemetry  Metrics on usage of infrastructure resources
Dashboard  User Interface for controlling/inspecting infrastructure
Database   Database as a Service
Identity   Manage API and administrative access to everything else

Identity, AKA Keystone

• Identity Services for all of OpenStack
  • Authentication
  • Coarse authorization
• Facade for existing identity systems
• Token-based access
• Catalog of service endpoints
• Policy storage for RBAC

Security of Tiers Differ

Integration

• OpenStack supports several integration options
• User Directories
  • LDAP (read-only and read-write)
  • SQL
  • Key-Value Store
• Authentication
  • Password
  • External via HTTP Server (X.509, Kerberos, SAML)

Keystone Tokens

• Represents authorization
• Scoped to a Project*
• Bearer tokens only
• All APIs secured with tokens

Keystone Tokens

• Two formats
  • Opaque (UUID)
  • Structured (PKI)
• Limited Lifetime (1 - 24hr)
• No token refresh
• Revocable

Authentication

Token

Typical API call
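The token flow the preceding slides describe (authenticate to Keystone, then call a service with the token), as an added example that is not part of the original deck and not Keystone's own code: a constructed Python model of an issuer handing out opaque UUID tokens scoped to one project, and a relying service that validates every call against the issuer. The class names (TokenIssuer, ComputeService, FakeClock), the 1 to 24 hour window enforced in issue(), the role names and the sample project names are assumptions for illustration; the X-Auth-Token header is the one OpenStack services actually read.

```python
"""Constructed model of Keystone-style opaque bearer tokens (not Keystone code).

It shows why the listed token properties matter once every API call is
secured with a bearer token: an opaque UUID carries no meaning itself, so
validation is a lookup at the issuer; scope is enforced by the service;
lifetime is bounded with no refresh; and revocation is immediate.
"""
import uuid
from datetime import datetime, timedelta, timezone

MIN_LIFETIME = timedelta(hours=1)    # assumed window, per the slide's "1 - 24hr"
MAX_LIFETIME = timedelta(hours=24)


class FakeClock:
    """Controllable clock so expiry can be exercised deterministically."""
    def __init__(self):
        self.now = datetime(2014, 12, 6, tzinfo=timezone.utc)  # constructed
    def __call__(self):
        return self.now
    def advance(self, delta):
        self.now += delta


class TokenIssuer:
    """Hypothetical stand-in for Keystone's token backend."""
    def __init__(self, clock):
        self._clock = clock
        self._records = {}     # opaque token id -> server-side record
        self._revoked = set()  # ids revoked before their natural expiry

    def issue(self, user, project, roles, lifetime=timedelta(hours=1)):
        """Return an opaque token scoped to exactly one project."""
        if not MIN_LIFETIME <= lifetime <= MAX_LIFETIME:
            raise ValueError("token lifetime outside the allowed window")
        token_id = uuid.uuid4().hex   # nothing about the scope is encoded here
        self._records[token_id] = {
            "user": user, "project": project, "roles": frozenset(roles),
            "expires_at": self._clock() + lifetime,
        }
        return token_id

    def validate(self, token_id):
        """Record for a live token, or None if unknown, expired or revoked."""
        record = self._records.get(token_id)
        if record is None or token_id in self._revoked:
            return None
        if self._clock() >= record["expires_at"]:
            return None
        return record

    def revoke(self, token_id):
        self._revoked.add(token_id)
    # Deliberately no refresh(): the client re-authenticates instead.


class ComputeService:
    """A relying service that trusts only what the issuer says about a token."""
    def __init__(self, issuer):
        self._issuer = issuer

    def list_servers(self, headers, project):
        """Return (status, body) for a call carrying X-Auth-Token."""
        token_id = headers.get("X-Auth-Token")
        record = self._issuer.validate(token_id) if token_id else None
        if record is None:
            return 401, "Unauthorized"
        # Bearer token: whoever presents it is treated as its holder, so the
        # service can only check scope and roles, not who is really calling.
        if record["project"] != project:
            return 403, "token is not scoped to this project"
        if not record["roles"] & {"member", "admin"}:   # coarse RBAC
            return 403, "role not permitted"
        return 200, ["server-a", "server-b"]   # constructed sample data


def demo():
    """Walk a token through its lifecycle; returns the status per scenario."""
    clock, results = FakeClock(), {}
    keystone = TokenIssuer(clock)
    nova = ComputeService(keystone)
    results["no_token"] = nova.list_servers({}, "proj-a")[0]
    token = keystone.issue("alice", "proj-a", ["member"], timedelta(hours=2))
    results["valid"] = nova.list_servers({"X-Auth-Token": token}, "proj-a")[0]
    results["wrong_project"] = nova.list_servers({"X-Auth-Token": token}, "proj-b")[0]
    results["unknown"] = nova.list_servers({"X-Auth-Token": "f" * 32}, "proj-a")[0]
    clock.advance(timedelta(hours=3))   # past the 2 h lifetime, no refresh
    results["expired"] = nova.list_servers({"X-Auth-Token": token}, "proj-a")[0]
    token2 = keystone.issue("alice", "proj-a", ["member"])
    keystone.revoke(token2)
    results["revoked"] = nova.list_servers({"X-Auth-Token": token2}, "proj-a")[0]
    try:
        keystone.issue("alice", "proj-a", ["member"], timedelta(hours=48))
        results["overlong_lifetime"] = "accepted"
    except ValueError:
        results["overlong_lifetime"] = "rejected"
    return results


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:18} {status}")
```

Because the token is opaque, the service learns nothing from the string and must ask the issuer; that is what makes revocation take effect on the next call, and it is also why a bounded lifetime matters for a bearer credential that anyone holding it can replay.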

Federation

• Icehouse now supports SAML
  • Via the Shibboleth Open Source project
• SAML Web SSO and ECP (Enhanced Client) profiles
• No Web UI support
• Exchange SAML for token

Hybrid Cloud

Hybrid Cloud Uses

• Grow from Private to Public cloud
  • Seasonal Load or Dynamic Load
• Migrate resources between Private/Public cloud
• Sharing relationships across Private infrastructure

What’s Coming (with Caveats)

• Domain-specific Authentication Drivers
• SAML SSO Support for Horizon
  • Administrators logging into console with Federation
• OpenID Connect support
  • Alternate (social) protocol for SSO

Questions?