pingidentity.com

Identity in Openstack Icehouse

DESCRIPTION

Presentation from Cloud Identity Summit 2014 in Monterey, CA. Covers the basics of OpenStack, along with going into details on Keystone (its Identity layer) and the new federation support.

IDENTITY AND OPENSTACK ICEHOUSE

David Waite

Technical Architect, Ping Labs

Ping Identity

Contents

• What is OpenStack
• What components are in OpenStack
• Keystone, the Identity component of OpenStack
  • Tokens
  • Integration
  • Federation
• What's coming?

What is OpenStack?

• Cloud Computing Platform
• Infrastructure-as-a-Service
• Used for private and public clouds
• Multi-tenant (project)

What is OpenStack?

• Strives for Openness:
  • Source
  • Standards
  • Design
  • Development
  • Community
• Modular architecture promoting individual projects

Who uses OpenStack?

• Targeting service offerings, enterprises, and government/academic institutions
• Industries like IT, telco, SaaS, Finance and Healthcare
• Name Dropping
  • PayPal, Best Buy, Comcast, CERN

https://www.openstack.org/user-stories/

Cloud Stack

Continuum

Cloud Environments

OpenStack Architecture

Identity, AKA Keystone

• Identity Services for all of OpenStack
  • Authentication
  • Coarse authorization
• Facade for existing identity systems
• Token-based access
• Catalog of service endpoints
• Policy storage for RBAC

Security of Tiers Differ

Integration

• OpenStack supports several integration options
• User Directories
  • LDAP (read-only and read-write)
  • SQL
  • Key-Value Store
• Authentication
  • Password
  • External via HTTP Server (X.509, Kerberos, SAML)

Keystone Tokens

• Represents authorization
• Scoped to a Project*
• Bearer tokens only
• All APIs secured with tokens

Keystone Tokens

• Two formats
  • Opaque (UUID)
  • Structured (PKI)
• Limited Lifetime (1 - 24hr)
• No token refresh
• Revocable

Authentication

Token

Typical API call


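An added illustration of the token flow the previous slides describe, not code from the deck or from Keystone itself: the v3 password authentication request scoped to a project, and the checks a service applies to the bearer token before honouring a typical API call (revocation, project scope, 1-24h lifetime, expiry with no refresh). The request and response shapes follow the Identity v3 API; the token body, ids and URLs are constructed sample data.

```python
"""Constructed example of the Keystone v3 token flow from the slides.
Request/response shapes follow the Identity v3 API; all values are sample data."""
from datetime import datetime, timedelta, timezone

def password_auth_request(user, password, project, domain="Default"):
    """Body for POST /v3/auth/tokens: password method, scoped to a project."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user, "domain": {"name": domain},
                                           "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}

# Constructed response body; the opaque token id itself is returned in the
# X-Subject-Token header, not in the body.
SAMPLE_TOKEN = {"token": {
    "issued_at":  "2014-07-21T17:00:00.000000Z",
    "expires_at": "2014-07-21T18:00:00.000000Z",
    "project": {"id": "proj-42", "name": "demo"},
    "roles": [{"name": "Member"}],
    "catalog": [{"type": "compute", "endpoints": [
        {"interface": "public", "url": "https://nova.example/v2/proj-42"}]}]}}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_token(body, token_id, revoked_ids, now):
    """Bearer-token checks from the slides: revocable, project-scoped,
    limited lifetime (1-24h) and no refresh. Returns (ok, reason)."""
    tok = body["token"]
    if token_id in revoked_ids:
        return False, "revoked"
    if "project" not in tok:
        return False, "unscoped token"
    issued, expires = parse_ts(tok["issued_at"]), parse_ts(tok["expires_at"])
    if not timedelta(hours=1) <= expires - issued <= timedelta(hours=24):
        return False, "lifetime outside 1-24h policy"
    if parse_ts(now) >= expires:
        return False, "expired"  # no refresh: the client must re-authenticate
    return True, "ok"

def endpoint_for(body, service_type, interface="public"):
    """Catalog lookup: the URL the client then calls with X-Auth-Token set."""
    for svc in body["token"]["catalog"]:
        if svc["type"] == service_type:
            for ep in svc["endpoints"]:
                if ep["interface"] == interface:
                    return ep["url"]
    return None
```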
Federation

• Icehouse now supports SAML
  • Via the Shibboleth Open Source project
• SAML Web SSO and ECP (Enhanced Client) profiles
• No Web UI support
• Exchange SAML for token

Hybrid Cloud

Hybrid Cloud Uses

• Grow from Private to Public cloud
  • Seasonal Load or Dynamic Load
• Migrate resources between Private/Public cloud
• Sharing relationships across Private infrastructure

What’s Coming (with Caveats)

• Domain-specific Authentication Drivers
• SAML SSO Support for Horizon
  • Administrators logging into console with Federation
• OpenID Connect support
  • Alternate (social) protocol for SSO

Questions?