Uploaded by: david-waite
Presentation from Cloud Identity Summit 2014 in Monterey, CA. Covers the basics of OpenStack, then goes into detail on Keystone (its Identity layer) and the new federation support.
Contents (slide 3)
• What is OpenStack
• What components are in OpenStack
• Keystone, the Identity component of OpenStack
  • Tokens
  • Integration
  • Federation
• What's coming?
What is OpenStack? (slide 4)
• Cloud Computing Platform
• Infrastructure-as-a-Service
• Used for private and public clouds
• Multi-tenant (project)
What is OpenStack? (slide 5)
• Strives for Openness:
  • Source
  • Standards
  • Design
  • Development
  • Community
• Modular architecture promoting individual projects
Who uses OpenStack? (slide 6)
• Targeting service offerings, enterprises, and government/academic institutions
• Industries like IT, telco, SaaS, Finance and Healthcare
• Name Dropping
  • Paypal, Best Buy, Comcast, CERN
https://www.openstack.org/user-stories/
Identity, AKA Keystone (slide 11)
• Identity Services for all of OpenStack
  • Authentication
  • Coarse authorization
• Facade for existing identity systems
• Token-based access
• Catalog of service endpoints
• Policy storage for RBAC
Integration (slide 13)
• OpenStack supports several integration options
• User Directories
  • LDAP (read-only and read-write)
  • SQL
  • Key-Value Store
• Authentication
  • Password
  • External via HTTP Server (X.509, Kerberos, SAML)
Keystone Tokens (slide 14)
• Represents authorization
• Scoped to a Project*
• Bearer tokens only
• All APIs secured with tokens
Keystone Tokens (slide 15)
• Two formats
  • Opaque (UUID)
  • Structured (PKI)
• Limited Lifetime (1 - 24hr)
• No token refresh
• Revocable
Federation (slide 19)
• Icehouse now supports SAML
  • Via the Shibboleth Open Source project
• SAML Web SSO and ECP (Enhanced Client) profiles
• No Web UI support
• Exchange SAML for token
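The token properties on the two Keystone Tokens slides (opaque UUID bearer tokens, project scope, 1 to 24 hour lifetime, no refresh, revocation) and the "Exchange SAML for token" step on the Federation slide, shown together as an added illustration that is not code from the presentation or from Keystone itself: a small in-memory Python token service. The names TokenService, FakeClock and the REMOTE_USER/idp attribute keys are assumptions made for this example; the assertion is taken as already verified by the SAML service provider sitting in front of the HTTP server (the Shibboleth role on the slide), so no SAML is parsed here.

```python
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Lifetime bounds quoted on the slide: 1 hour minimum, 24 hours maximum.
MIN_LIFETIME = 60 * 60
MAX_LIFETIME = 24 * 60 * 60


class FakeClock:
    """Controllable clock so expiry can be demonstrated without waiting (example-only)."""

    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Token:
    token_id: str              # opaque UUID handed to the client; it is a bearer credential
    user_id: str
    project_id: Optional[str]  # None means an unscoped token
    issued_at: float
    expires_at: float


class TokenService:
    """Toy opaque (UUID) bearer-token issuer with expiry and revocation.

    Hypothetical stand-in for a Keystone-like identity service; not Keystone's code.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._tokens: Dict[str, Token] = {}
        self._revoked: Set[str] = set()

    def issue(self, user_id: str, project_id: Optional[str] = None,
              lifetime: int = MIN_LIFETIME) -> Token:
        if not MIN_LIFETIME <= lifetime <= MAX_LIFETIME:
            raise ValueError("token lifetime must be between 1 and 24 hours")
        now = self._now()
        token = Token(uuid.uuid4().hex, user_id, project_id, now, now + lifetime)
        self._tokens[token.token_id] = token
        return token

    def validate(self, token_id: str, project_id: Optional[str] = None) -> Optional[Token]:
        """Return the token if it is known, unexpired, unrevoked and (when asked)
        scoped to project_id; otherwise None. A bearer token carries no proof of
        possession, so these checks are all that separates a leaked token from access."""
        token = self._tokens.get(token_id)
        if token is None or token_id in self._revoked:
            return None
        if self._now() >= token.expires_at:
            return None
        if project_id is not None and token.project_id != project_id:
            return None
        return token

    def revoke(self, token_id: str) -> None:
        self._revoked.add(token_id)

    # Deliberately no refresh(): the slide says tokens are not refreshed, so a
    # client re-authenticates (or re-exchanges its assertion) to obtain a new one.

    def exchange_assertion(self, attributes: Dict[str, str],
                           project_id: Optional[str] = None) -> Token:
        """Federation path: exchange the attributes of an already-verified SAML
        assertion for a token. The attribute keys are assumed for this example,
        modelled on what a SAML SP exposes to the application after it has checked
        the assertion's signature; raw SAML is never parsed here."""
        subject = attributes.get("REMOTE_USER")
        idp = attributes.get("idp")
        if not subject or not idp:
            raise ValueError("assertion lacks a subject or an issuing IdP")
        # Qualify the federated subject with its IdP so two IdPs cannot collide.
        return self.issue(f"{idp}/{subject}", project_id)


if __name__ == "__main__":
    clock = FakeClock(1_700_000_000.0)           # constructed start time
    svc = TokenService(now=clock)
    tok = svc.issue("alice", project_id="proj-a", lifetime=2 * 60 * 60)
    print("valid for proj-a:", svc.validate(tok.token_id, "proj-a") is not None)
    print("valid for proj-b:", svc.validate(tok.token_id, "proj-b") is not None)
    clock.advance(3 * 60 * 60)
    print("valid after 3h:", svc.validate(tok.token_id) is not None)
```

Because the token is the only thing the API checks, the bounded lifetime and the revocation list are the two controls that limit the damage from a token copied out of a log or an intercepted request; the scope check keeps a token issued for one project from being replayed against another.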
Hybrid Cloud Uses (slide 21)
• Grow from Private to Public cloud
  • Seasonal Load or Dynamic Load
• Migrate resources between Private/Public cloud
• Sharing relationships across Private infrastructure
What’s Coming (with Caveats) (slide 22)
• Domain-specific Authentication Drivers
• SAML SSO Support for Horizon
  • Administrators logging into console with Federation
• OpenID Connect support
  • Alternate (social) protocol for SSO