Building IAM for OpenStack
Steve Martinelli
Software Developer, IBM
Keystone Core
Agenda
● OpenStack and Keystone Overview
● Identity Sources
● Authentication
● Identity Federation
● Access Management Model in OpenStack
● Future Plans
OpenStack and Keystone: The Quick Overview!
OpenStack Overview
● OpenStack is a cloud operating system that controls large pools of compute, storage, and networking
resources throughout a datacenter, all managed through a rich set of APIs and a dashboard that gives
administrators control while empowering their users to provision resources through a web interface
● OpenStack’s goals are to support interoperability between cloud services and allow businesses to build
AWS-like cloud services in their own data centers
● Available as Free and Open Source under the Apache 2.0 license
Keystone - provides authentication and authorization for all the services.
Nova - provides virtual machines (VMs)
Swift - supports object storage.
Cinder - persistent block storage to VMs.
Glance - catalog and repository for virtual disk images.
Horizon - Web-based interface for services.
Neutron - networking-as-a-service between interface devices
Lots of different companies using OpenStack
A lot of individuals and companies have contributed to making Keystone awesome (just to name a few…)
Keystone Overview
● OpenStack’s Identity and Access Management (IAM) Service
○ Authentication
○ Authorization
○ Audit
○ Identity
○ OpenStack Service Discovery
● Supports integration with a variety of Identity Providers
● Pluggable authentication architecture
● Supports multiple API Authorization Token formats
● New enhancements include support for standard federation protocols
● Access management for all OpenStack services
Scale of Keystone Deployments
Small
● Developer environments have OpenStack “all-in-one” deployments
● Devstack is used by most developers to spin up a deployment with compute/storage/networking/identity
Medium
● Single datacenter
● Multiple Keystone instances using HAProxy for load balancing
Large
● Several OpenStack deployments spread over many geographically dispersed areas
● Multiple Keystone instances using HAProxy for load balancing and SQL/LDAP replication to keep data
synchronized
Very Large / Multiple Organizations (Hybrid/Composite)
● Many OpenStack deployments spread over many geographically dispersed areas
● Uses Federated Identity to allow near-seamless access to all deployments
● Some deployments will provide specific services / features
Identity Sources
SQL
● Users, groups, and credentials are managed by Keystone
● Settings for connecting to a database are handled in Keystone’s config file
● Essentially, Keystone is acting as an Identity Provider
● Pros:
○ Easy to setup
○ Management of users and groups through OpenStack APIs
● Cons:
○ Keystone shouldn’t be an Identity Provider
○ Weak password support
■ No password rotation
■ No password recovery
■ No password enforcement
■ No failed login attempt lockout support
○ Most enterprises have an LDAP server that they want to use
○ Identity silo - Yet another username and password users must remember
Use Case:
- Testing or developing with OpenStack
- Saving OpenStack service accounts
LDAP
● Keystone accessing LDAP should act just like any other application
● Keystone operations performed on LDAP
○ User/Group lookup (search)
○ Authentication of users (bind)
● What rights does Keystone need in LDAP?
○ Read access to user/group attributes defined in keystone.conf
○ Unprivileged account or anonymous is preferable
○ Access to password hashes is not needed
Use Case:
- It’s already in place in your enterprise
- Able to create the necessary service accounts
Multiple Backends
● As of the Juno release, Keystone supports multiple backends
● One domain per backend
● The default domain must use the SQL backend; it is used to host service accounts
○ Ideally, the default domain would hold normal users (LDAP), but this requires service accounts to
know how to use the v3 API
○ Support for service accounts outside the default domain will be available in a future release
● Any additional LDAP backends should be managed by their own domain
Use Case:
- Preferred approach for most enterprises
Identity Provider (IdP)
● A source for identities (Internal IdP, Google, Facebook, Twitter)
● Handles authentication and provides identity information
● Usually backed by LDAP, but could be something else, like AD (Active Directory)
● Essentially, software that abstracts out the actual backend and translates user attributes to a standard
protocol format (SAML, OpenID Connect, etc.)
● If you’ve ever used your Gmail account to sign into another online application… then you’ve used Google as
the Identity Provider and the other application as the Service Provider
Use Case:
- Leverage new Federated Identity
- An IdP already exists
- Non-LDAP identity source
Authentication
Password
● User provides their username and password
● Keystone returns a token that the user may use at other OpenStack services
● The token will eventually expire (configured in Keystone)
● Used for initially logging into Keystone or setting up service accounts for other OpenStack services
[Diagram: the user sends a password to Keystone and receives a token]
Token
● Users can exchange their existing (valid) token for a newer token
● Also satisfies the case where a user can receive an unscoped token (initially), and exchange that for a
scoped token
● Used by federation client code
[Diagram: the user sends an existing token to Keystone and receives a new token]
Supports Kerberos too!
Access Management Model in OpenStack
Access Management Model in OpenStack
● Access is controlled by RBAC and endpoint validation
Use Case: If a user wants to start a VM, what is the full flow?
1. The user authenticates with Keystone, specifying their user name, password, and the project associated with the VM
2. The user gets back a token that is scoped to that project; it carries authorization data within it (the set of
roles the user has on that project)
NOTE: The role could have been granted at the user level or group level
3. The user makes a request to the start server API (/v2/{tenant_id}/servers/{server_id}/action) with the
header "X-Auth-Token: <new_token>"
4. Depending on the policy set for the API, the user’s request will be rejected or successful
What does a Keystone token look like?
{
  "token": {
    "issued_at": "2014-06-10T20:55:16.806027Z",
    "expires_at": "2014-06-10T21:55:16.806001Z",
    "roles": [
      { "id": "c703057be878458588961ce9a0ce686b", "name": "admin" }
    ],
    "project": {
      "domain": { "id": "default", "name": "Default" },
      "id": "8538a3f13f9541b28c2620eb19065e45",
      "name": "admin"
    },
    "user": {
      "domain": { "id": "default", "name": "Default" },
      "id": "3ec3164f750146be97f21559ee4d9c51",
      "name": "admin"
    },
    "catalog": [
      {
        "endpoints": [...],
        "type": "identity",
        "id": "bd73972c0e14fb69bae8ff76e112a90",
        "name": "keystone"
      }
    ]
  }
}
<< roles: the roles the user has on the resource
<< project: the resource the user has a role on, taken from the scope in the request
<< user: the user the token was issued to
<< catalog: the services a user may access and their endpoints; services may be compute, identity, image,
orchestration, etc.
Access Management Model in OpenStack
How to determine if a user can perform an action?
● All APIs are documented in a policy.json file
● A policy file is broken up into Targets and Rules
● Targets map to a specific API
● Rules are a set of simple or complex checks (RoleCheck, RuleCheck, OrCheck, AndCheck)
● For example, the target compute:start maps to /v2/{tenant_id}/servers/{server_id}/action
[Diagram: policy.json definitions, with targets on the left and rules on the right]
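The "start a VM" flow and the policy model above, as an added example in Python (this is not Keystone's, Nova's or oslo.policy's own code): it builds the Identity v3 request bodies for password authentication and for the token-for-token exchange described under Authentication, stands in a constructed project-scoped token for the one Keystone returns, and then evaluates a constructed policy.json fragment against that token's roles the way a service does before honouring the start-server call. The policy language subset implemented (role:, rule:, key:%(attr)s, and, or), the SAMPLE_TOKEN and SAMPLE_POLICY data, every id in them, and the fail-closed treatment of an undefined rule are assumptions of this example.

```python
# Added example (not Keystone's or oslo.policy's own code): a scaled-down model of the
# "start a VM" flow. Step 1 builds the v3 auth request bodies (password auth scoped to a
# project, and the token-for-token exchange), step 2 is a constructed stand-in for the
# scoped token Keystone returns, and steps 3-4 show how a service evaluates a policy.json
# rule against the roles carried in that token. Only the role:, rule:, key:%(attr)s,
# 'and' and 'or' forms of the policy language are implemented (no parentheses, no 'not').
import re


def password_auth_body(user, password, project, domain="Default"):
    """Identity v3 request body for password authentication scoped to a project."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user, "domain": {"name": domain},
                                           "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}


def token_exchange_body(existing_token_id, project_id):
    """Identity v3 request body that exchanges an existing token for a project-scoped one."""
    return {"auth": {
        "identity": {"methods": ["token"], "token": {"id": existing_token_id}},
        "scope": {"project": {"id": project_id}}}}


# Constructed stand-in for the token Keystone would return in step 2 (ids are made up).
SAMPLE_TOKEN = {"token": {
    "roles": [{"id": "role-member", "name": "member"}],
    "project": {"id": "proj-1", "name": "demo"},
    "user": {"id": "user-alice", "name": "alice"}}}

# Constructed policy.json fragment: targets (API names) mapped to rules.
SAMPLE_POLICY = {
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "admin_api": "role:admin",
    "compute:start": "rule:admin_or_owner",
    "compute:stop": "rule:admin_or_owner",
    "compute:unlock_override": "rule:admin_api",
}


def credentials_from_token(token):
    """The subset of token data a service needs in order to evaluate policy."""
    t = token["token"]
    return {"user_id": t["user"]["id"], "project_id": t["project"]["id"],
            "roles": [r["name"] for r in t["roles"]]}


def check_atom(atom, target, creds, policy):
    """Evaluate one simple check: RoleCheck, RuleCheck, or a generic key comparison."""
    kind, _, match = atom.partition(":")
    if kind == "role":                       # RoleCheck
        return match in creds["roles"]
    if kind == "rule":                       # RuleCheck: defer to another named rule
        return enforce(match, target, creds, policy)
    # GenericCheck: the right side is formatted from the target (the resource the API
    # call acts on) and compared with the credential attribute named on the left.
    try:
        expected = match % target
    except KeyError:                         # target lacks the attribute: cannot match
        return False
    return kind in creds and str(creds[kind]) == expected


def evaluate(expr, target, creds, policy):
    """OrCheck of AndChecks; 'and' binds tighter than 'or'. An empty rule means allow."""
    if not expr.strip():
        return True
    for disjunct in re.split(r"\s+or\s+", expr.strip()):
        if all(check_atom(a, target, creds, policy)
               for a in re.split(r"\s+and\s+", disjunct)):
            return True
    return False


def enforce(rule_name, target, creds, policy):
    """True if the policy permits rule_name for these credentials and target.
    In this model an undefined rule is treated as deny (fail closed)."""
    expr = policy.get(rule_name)
    if expr is None:
        return False
    return evaluate(expr, target, creds, policy)


def can_start_server(token, server_project_id, policy=SAMPLE_POLICY):
    """Step 4 for compute:start: the target is the project that owns the server."""
    creds = credentials_from_token(token)
    return enforce("compute:start", {"project_id": server_project_id}, creds, policy)


if __name__ == "__main__":
    print(password_auth_body("alice", "s3cret", "demo"))
    print(can_start_server(SAMPLE_TOKEN, "proj-1"))   # member on own project: True
    print(can_start_server(SAMPLE_TOKEN, "proj-2"))   # someone else's server: False
```

The point a practitioner should take from running it: the token only carries roles on the project it was scoped to, so the same user with the same token is allowed to start a server in proj-1 and refused for proj-2, without any service having to call back to Keystone; the decision is made locally from the policy file and the token contents.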
Identity Federation
Federated Identity
● Users can exist in an identity store that is not accessible by Keystone, or that is owned by a different entity
● Keystone federation allows a user’s identity to be provided as part of the authentication request
○ Identity info is provided as environment variables
● Keystone is protocol agnostic, all federation protocol details are handled by Apache HTTPD modules
○ SAML - mod_shib, mod_auth_mellon
○ OpenID Connect - mod_auth_openidc
● Terminology
○ Identity Provider (IdP)
■ Trusted provider of identity information
○ Service Provider (SP)
■ Service that consumes identity information (Keystone)
○ Assertion
■ Trusted representation of identity attributes issued by IdP for consumption by SP
■ If using SAML, the assertion represents identity attributes
■ If using OpenID Connect, the assertion is a set of claims
Mapping Engine
● Groups are created in Keystone's identity backend for the purpose of role assignment
○ Mapping establishes group membership
● Federation specific auth URL is used to obtain an unscoped token
○ Simply identifies user and groups
● Unscoped federation token is used to obtain a scoped token
○ Contains group assigned roles
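The mapping step and the two-token federation sequence above, as an added example in Python (not Keystone's own mapping engine): the Apache auth module hands Keystone the assertion attributes as environment variables, a mapping rule turns them into a local user name plus Keystone group memberships, the unscoped token carries only that, and scoping the token to a project pulls in the roles assigned to those groups. The rule structure follows Keystone's {"rules": [{"local": [...], "remote": [...]}]} shape, but only the "type", "any_one_of", "not_any_of" and "regex" remote matchers are implemented; the environment values, rules, group ids, project ids and role assignments are all constructed for this example.

```python
# Added example (not Keystone's own mapping engine): assertion attributes -> mapped user
# and groups -> unscoped token -> project-scoped token with group-assigned roles.
import re

# Constructed environment, as mod_shib / mod_auth_mellon / mod_auth_openidc would expose
# the assertion attributes to Keystone.
ASSERTION_ENV = {"REMOTE_USER": "alice", "MAIL": "alice@example.com", "ORG": "engineering"}

# Constructed mapping rules: {0}, {1}, ... substitute the remote attribute values in order.
MAPPING_RULES = {"rules": [
    {"remote": [{"type": "REMOTE_USER"},
                {"type": "ORG", "any_one_of": ["engineering", "ops"]},
                {"type": "MAIL", "any_one_of": [r".*@example\.com$"], "regex": True}],
     "local": [{"user": {"name": "{0}"}},
               {"group": {"id": "grp-federated-devs"}}]},
    {"remote": [{"type": "REMOTE_USER"},
                {"type": "ORG", "not_any_of": ["engineering", "ops"]}],
     "local": [{"user": {"name": "{0}"}},
               {"group": {"id": "grp-federated-guests"}}]},
]}

# Constructed role assignments: group -> project -> roles (normally stored in Keystone).
GROUP_ROLE_ASSIGNMENTS = {
    "grp-federated-devs": {"proj-dev": ["member"], "proj-prod": ["reader"]},
    "grp-federated-guests": {"proj-dev": ["reader"]},
}


def _remote_matches(spec, value):
    """Apply any_one_of / not_any_of (literal or regex) to one attribute value."""
    if value is None:                      # attribute absent from the assertion
        return False
    use_regex = spec.get("regex", False)

    def hit(patterns):
        return any(re.search(p, value) if use_regex else p == value for p in patterns)

    if "any_one_of" in spec:
        return hit(spec["any_one_of"])
    if "not_any_of" in spec:
        return not hit(spec["not_any_of"])
    return True                            # a bare {"type": ...} only needs the attribute present


def apply_mapping(rules, env):
    """First rule whose remote matchers all match wins. Returns the mapped identity, or
    None when no rule matches (the login is rejected in that case)."""
    for rule in rules["rules"]:
        values = []
        for spec in rule["remote"]:
            value = env.get(spec["type"])
            if not _remote_matches(spec, value):
                break
            values.append(value)
        else:
            identity = {"user": {}, "group_ids": []}
            for local in rule["local"]:
                if "user" in local:
                    identity["user"]["name"] = local["user"]["name"].format(*values)
                if "group" in local:
                    identity["group_ids"].append(local["group"]["id"].format(*values))
            return identity
    return None


def unscoped_token(identity):
    """What the federation auth URL returns: who the user is and which groups apply."""
    return {"token": {"user": identity["user"], "groups": identity["group_ids"], "roles": []}}


def scope_token(unscoped, project_id, assignments=GROUP_ROLE_ASSIGNMENTS):
    """Exchange the unscoped token for a project-scoped one; roles come from the groups."""
    roles = sorted({r for g in unscoped["token"]["groups"]
                    for r in assignments.get(g, {}).get(project_id, [])})
    if not roles:
        return None                        # no role on that project: scoping is refused
    return {"token": {"user": unscoped["token"]["user"], "project": {"id": project_id},
                      "roles": [{"name": r} for r in roles]}}


if __name__ == "__main__":
    mapped = apply_mapping(MAPPING_RULES, ASSERTION_ENV)
    print(mapped)
    print(scope_token(unscoped_token(mapped), "proj-prod"))
```

Two behaviours worth noting when reviewing real mapping rules: an assertion that matches no rule yields no identity at all rather than a default group, and an unscoped token carries no roles, so a federated user who is mapped into a group with no assignment on the requested project cannot obtain a scoped token for it.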
Federated Identity Flow
Single Sign-On
● The most demanded Federation feature in OpenStack is finally here!
● Cross project work item between Keystone and Horizon.
○ Work items in three different projects: Keystone, Horizon and django_openstack_auth
● Classic Web Single Sign-On experience in Horizon
○ Protocol agnostic (supports SAML, OpenID Connect, Kerberos, etc.)
○ Keystone still acts as a Service Provider
○ Provides users with familiar branding
○ One less password for Keystone and Horizon to see
● When the user loads Horizon, they can select the protocol desired, or use the old service accounts
Single Sign-On GUI Flow
● Once a federated protocol is selected, the branded login page will appear
Single Sign-On GUI Flow
● When authenticated with their Identity Provider, the user will be logged into Horizon
Single Sign-On Flow
Keystone 2 Keystone Federation
● Federating identities from one deployment to another
○ Works almost identically to the normal Federated Identity Flow, except that the originating SAML IdP is
another Keystone
○ Trust relationship between each deployment must be explicitly set up
○ Leverages Identity Provider Initiated SAML
Flow:
● User authenticates with their own cloud
● Exchanges token for an assertion
● Forwards the assertion to another cloud
● User now has a token for the remote cloud
Highlighted at the Keynote of the last OpenStack summit!
Keystone 2 Keystone Architecture
[Diagram: a Local Cloud (Keystone, Nova, Glance) and a Remote Cloud (Keystone, Nova, Glance), with the
Local Cloud User authenticating to the Local Cloud]
One time setup performed by cloud admins:
A. Add Remote Cloud as a Service Provider
B. Add Local Cloud as an Identity Provider
Future Plans
Future Plans
● MFA - Rackspace has proposed an MFA specification that is in progress
○ Would be pluggable so vendors can implement their own MFA
● Federated Identity Enhancements (polish off rough edges from Federated Identity Keynote)
○ Better client experience
○ Easier mapping rules
● Authorization Enforcement (Tokenless Auth)
○ Use X509 instead of passwords
○ No token needed (with X509) for interacting with Keystone CRUD interfaces
● Dynamic Policy
○ Rather than relying on the policy files themselves, this data should be stored in a database and
cached
Questions?
Backup Slides
Title and Abstract
Title: Building IAM for OpenStack
Abstract: Keystone is the IAM project for OpenStack, and as such has to handle many
different methods of deployment – On-Prem, Hybrid, Hosted – at many differing levels
of scale. Some deployments are no more than a VM used for development purposes,
while others are 100,000s of cores across multiple data centers and continents. This
session will cover details of Keystone, what can be accomplished with it today, how
OpenStack integrates with your enterprise identity solution, federated identity across
OpenStack deployments, the OpenStack model of access management today, and our
plans for the future.
not so pretty agenda to keep for slide titling (ICK!)
● Keystone in two minutes or less!
○ Keystone Overview
○ Identity API vs Keystone
○ Scale of Keystone Deployments (1 vm to 1000s of physical machines)
● Identity Sources
○ Direct Connect (SQL, LDAP, Multiple Backends, SSSD)
○ Identity Provider (IdP)
○ Use Cases
● Authentication
○ Password
○ Token
○ External (Kerberos, x509, etc)
○ Multi-Factor
● Identity Federation
○ Federation (SAML, OpenID Connect, ABFAB, etc)
○ Keystone2Keystone Identity Federation
○ Web Single Sign-On
● Access Management Model in OpenStack
○ RBAC
○ Authorization
○ Endpoint Validation of AuthZ
● Future Plans
○ Enhancements to Direct Identity Sources
○ Federated Identity
○ Authorization Enforcement
● Closing statements
Keystone Auth Token Middleware
● A common authentication protocol used between OpenStack projects
● Added to the paste pipeline of other projects
SSSD
● Available in a future release of OpenStack as an Identity Source
● Identity information lookup can be offloaded to the underlying platform using SSSD
● Eliminates the complexity of LDAP handling within Keystone
● SSSD - System Security Services Daemon
○ Provides access to remote authentication and identity sources (FreeIPA, Active
Directory, LDAP)
○ Supports caching for high performance and fault tolerance
○ Supports failover for fault tolerance
○ Integrates via PAM, NSS, and DBUS
● mod_lookup_identity
○ Performs lookup of identity attributes from SSSD via DBUS
○ Provides identity attributes as environment variables to web applications
● mod_auth_* + mod_lookup_identity looks exactly the same as federation from the
perspective of Keystone!
Multi-Factor Authentication
● When knowing a password is not enough
● These factors could be:
○ knowledge based (questions)
○ possession based (security tokens, text messages)
○ inherence based (biometrics)
● FreeIPA has support for One Time Password (OTP)
○ Keystone can work with it via its LDAP identity driver or via SSSD (federated LDAP)
○ HOTP/TOTP tokens (Yubikey, FreeOTP, Google Authenticator)
● Rackspace has proposed an MFA specification that is in progress
○ Would be pluggable so vendors can implement their own MFA

 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Building IAM for OpenStack

  • 1. Building IAM for OpenStack
    Steve Martinelli, Software Developer, IBM, Keystone Core
  • 2. Agenda
    ● OpenStack and Keystone Overview
    ● Identity Sources
    ● Authentication
    ● Identity Federation
    ● Access Management Model in OpenStack
    ● Future Plans
  • 3. OpenStack and Keystone: The Quick Overview!
  • 4. OpenStack Overview
    ● OpenStack is a cloud operating system that controls large pools of compute, storage, and networking resources throughout a datacenter, all managed through a rich set of APIs and a dashboard that gives administrators control while empowering their users to provision resources through a web interface
    ● OpenStack’s goals are to support interoperability between cloud services and allow businesses to build AWS-like cloud services in their own data centers
    ● Available as Free and Open Source under the Apache 2.0 license
    Keystone - provides authentication and authorization for all the services.
    Nova - provides virtual machines (VMs).
    Swift - supports object storage.
    Cinder - persistent block storage for VMs.
    Glance - catalog and repository for virtual disk images.
    Horizon - web-based interface for services.
    Neutron - networking-as-a-service between interface devices.
  • 5. Lots of different companies using OpenStack
    A lot of individuals and companies have contributed to making Keystone awesome (just to name a few…)
  • 6. Keystone Overview
    ● OpenStack’s Identity and Access Management (IAM) Service
      ○ Authentication
      ○ Authorization
      ○ Audit
      ○ Identity
      ○ OpenStack Service Discovery
    ● Supports integration with a variety of Identity Providers
    ● Pluggable authentication architecture
    ● Supports multiple API Authorization Token formats
    ● New enhancements include support for standard federation protocols
    ● Access management for all OpenStack services
  • 7. Scale of Keystone Deployments
    Small
    ● Developer environments have OpenStack “all-in-one” deployments
    ● Devstack is used by most developers to spin up a deployment with compute/storage/networking/identity
    Medium
    ● Single datacenter
    ● Multiple Keystone instances using HAProxy for load balancing
    Large
    ● Several OpenStack deployments spread over many geographically dispersed areas
    ● Multiple Keystone instances using HAProxy for load balancing and SQL/LDAP replication to keep data synchronized
    Very Large / Multiple Organizations (Hybrid/Composite)
    ● Many OpenStack deployments spread over many geographically dispersed areas
    ● Uses Federated Identity to allow near-seamless access to all deployments
    ● Some deployments will provide specific services / features
  • 9. SQL
    ● Users, groups, and credentials are managed by Keystone
    ● Settings for connecting to a database are handled in Keystone’s config file
    ● Essentially, Keystone is acting as an Identity Provider
    ● Pros:
      ○ Easy to set up
      ○ Management of users and groups through OpenStack APIs
    ● Cons:
      ○ Keystone shouldn’t be an Identity Provider
      ○ Weak password support
        ■ No password rotation
        ■ No password recovery
        ■ No password enforcement
        ■ No failed login attempt lockout support
      ○ Most enterprises have an LDAP server that they want to use
      ○ Identity silo - yet another username and password users must remember
    Use Case:
    - Testing or developing with OpenStack
    - Saving OpenStack service accounts
  • 10. LDAP
    ● Keystone accessing LDAP should act just like any other application
    ● Keystone operations performed on LDAP
      ○ User/Group lookup (search)
      ○ Authentication of users (bind)
    ● What rights does Keystone need in LDAP?
      ○ Read access to the user/group attributes defined in keystone.conf
      ○ An unprivileged account or anonymous access is preferable
      ○ Access to password hashes is not needed
    Use Case:
    - It’s already in place in your enterprise
    - Able to create the necessary service accounts
  • 11. Multiple Backends
    ● As of the Juno release, Keystone supports multiple backends
    ● One domain per backend
    ● The default domain must be the SQL backend; it is used to host service accounts
      ○ Ideally, the default domain should hold normal users (LDAP), but this requires service accounts to know how to use the v3 API
      ○ Support for service accounts outside the default domain will be available in a future release
    ● Any additional LDAP backends should be managed by their own domain
    Use Case:
    - Preferred approach for most enterprises
  • 12. Identity Provider (IdP)
    ● A source for identities (internal IdP, Google, Facebook, Twitter)
    ● Handles authentication and provides identity information
    ● Usually backed by LDAP, but could be something else, like AD (Active Directory)
    ● Essentially, software that abstracts out the actual backend and translates user attributes to a standard protocol format (SAML, OpenID Connect, etc.)
    ● If you’ve ever used your Gmail account to sign into another online application… then you’ve used Google as the Identity Provider and the other application as the Service Provider
    Use Case:
    - Leverage new Federated Identity
    - An IdP already exists
    - Non-LDAP identity source
  • 14. Password
    ● User provides their username and password
    ● Keystone returns a token that the user may use at other OpenStack services
    ● The token will eventually expire (configured in Keystone)
    ● Used for initially logging into Keystone or setting up service accounts for other OpenStack services
  • 15. Token
    ● Users can exchange their existing (valid) token for a newer token
    ● Also satisfies the case where a user receives an unscoped token (initially) and exchanges it for a scoped token
    ● Used by federation client code
    Supports Kerberos too!
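The password-to-unscoped-token and unscoped-to-scoped exchange of slides 14 and 15, modelled as a small Python token service. This is an added example with constructed users, groups and role assignments (a hypothetical deployment), not Keystone's own code; it also shows the point made later on slide 17 that a role on the project may come from the user directly or from a group.

```python
"""Model of Keystone's password -> unscoped token -> scoped token flow.

Added example with constructed data; it is not Keystone code. Role
assignments may come from the user directly or from a group the user is
in, and both end up in the scoped token.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

# Constructed sample identity data for a hypothetical deployment.
# Passwords are kept in clear only to keep the model short; Keystone stores hashes.
USERS = {"alice": {"password": "s3cret", "groups": ["ops"]}}
USER_ROLES = {("alice", "proj-a"): {"member"}}   # (user, project) -> roles
GROUP_ROLES = {("ops", "proj-a"): {"admin"}}     # (group, project) -> roles


@dataclass(frozen=True)
class Token:
    user: str
    issued_at: float
    expires_at: float
    project: Optional[str] = None            # None means the token is unscoped
    roles: FrozenSet[str] = frozenset()      # empty for unscoped tokens


class TokenService:
    """Issues, validates and re-scopes tokens; the TTL is configurable, as in Keystone."""

    def __init__(self, ttl: int = 3600, clock: Callable[[], float] = time.time):
        self._tokens = {}
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be exercised deterministically

    def _issue(self, user: str, project: Optional[str] = None,
               roles: FrozenSet[str] = frozenset()) -> str:
        now = self._clock()
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = Token(user, now, now + self._ttl, project, roles)
        return token_id

    def authenticate_password(self, username: str, password: str) -> str:
        """Slide 14: username + password yields a token (here an unscoped one)."""
        record = USERS.get(username)
        if record is None or not hmac.compare_digest(record["password"], password):
            raise PermissionError("invalid credentials")
        return self._issue(username)

    def validate(self, token_id: str) -> Token:
        """Reject unknown tokens and tokens past their expiry."""
        token = self._tokens.get(token_id)
        if token is None or token.expires_at <= self._clock():
            raise PermissionError("token unknown or expired")
        return token

    def roles_for(self, user: str, project: str) -> FrozenSet[str]:
        """Direct assignments plus assignments inherited through group membership."""
        roles = set(USER_ROLES.get((user, project), set()))
        for group in USERS[user]["groups"]:
            roles |= GROUP_ROLES.get((group, project), set())
        return frozenset(roles)

    def exchange_for_scoped(self, token_id: str, project: str) -> str:
        """Slide 15: a valid (unscoped) token is exchanged for a project-scoped one."""
        token = self.validate(token_id)
        roles = self.roles_for(token.user, project)
        if not roles:
            raise PermissionError("user has no role on that project")
        return self._issue(token.user, project, roles)
```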
  • 16. Access Management Model in OpenStack
  • 17. Access Management Model in OpenStack
    ● Access is controlled by RBAC and endpoint validation
    Use Case: If a user wants to start a VM, what is the full flow?
    1. Authenticate with Keystone, specifying their user name, password, and the project associated with the VM
    2. The user gets back a token that is scoped to that project; it carries authorization data within it (the set of roles the user has on that project)
       NOTE: The role could have been granted at the user level or group level
    3. The user makes a request to the start server API (/v2/{tenant_id}/servers/{server_id}/action) with the header "X-Auth-Token: <new_token>"
    4. Depending on the policy set for the API, the user’s request will be rejected or successful
  • 18. What does a Keystone token look like?
    {
      "token": {
        "issued_at": "2014-06-10T20:55:16.806027Z",
        "expires_at": "2014-06-10T2:55:16.806001Z",
        "roles": [
          { "id": "c703057be878458588961ce9a0ce686b", "name": "admin" }
        ],
        "project": {
          "domain": { "id": "default", "name": "Default" },
          "id": "8538a3f13f9541b28c2620eb19065e45",
          "name": "admin"
        },
        "user": {
          "domain": { "id": "default", "name": "Default" },
          "id": "3ec3164f750146be97f21559ee4d9c51",
          "name": "admin"
        },
        "catalog": [
          {
            "endpoints": [...],
            "type": "identity",
            "id": "bd73972c0e14fb69bae8ff76e112a90",
            "name": "keystone"
          }
        ]
      }
    }
    << Roles represents the roles that the user has on the resource
    << Project represents the resource the user has a role on (from the scope in the request)
    << User represents the user that was issued the token
    << Catalog describes the different services a user may access, and their various endpoints. Services may be: compute, identity, image, orchestration, etc.
  • 19. Access Management Model in OpenStack
    How to determine if a user can perform an action?
    ● All APIs are documented in a policy.json file
    ● A policy file is broken up into Targets and Rules
    ● Targets map to a specific API
    ● Rules are a set of simple or complex checks (RoleCheck, RuleCheck, OrCheck, AndCheck)
    ● For example… compute:start maps to /v2/{tenant_id}/servers/{server_id}/action
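Slides 17 to 19 together: a validated token is flattened into credentials and checked against a policy.json-style target. The evaluator below is an added example, not oslo.policy or Nova code; the policy excerpt and the token ids are constructed, and the rule grammar is deliberately limited to the check kinds the slide names ("or", "and", role:, rule:, and the generic key:value check with %(attr)s target substitution), without parentheses.

```python
"""Evaluator for policy.json-style targets and rules (added example, not oslo.policy).

Supported: RoleCheck (role:X), RuleCheck (rule:X), OrCheck / AndCheck ("or" / "and"
in a rule string), "@" (always allow), "!" (always deny) and the generic key:value
check, where %(attr)s substitutes an attribute of the target resource.
Parentheses are not supported, which keeps the parser small.
"""
import json

# Constructed policy excerpt; target names follow Nova's policy.json style.
POLICY = json.loads("""{
    "admin_required": "role:admin or is_admin:1",
    "admin_or_owner": "rule:admin_required or project_id:%(project_id)s",
    "compute:start": "rule:admin_or_owner",
    "compute:stop": "rule:admin_or_owner",
    "compute:unlock_override": "rule:admin_required"
}""")

# Constructed token in the slide-18 layout (ids are made up).
MEMBER_TOKEN = {"token": {
    "roles": [{"id": "r-member", "name": "member"}],
    "project": {"domain": {"id": "default"}, "id": "proj-a", "name": "team-a"},
    "user": {"domain": {"id": "default"}, "id": "u-alice", "name": "alice"},
}}


def creds_from_token(token_body):
    """Flatten a validated token into the credential dict the policy checks consume."""
    tok = token_body["token"]
    return {
        "user_id": tok["user"]["id"],
        "project_id": tok["project"]["id"],
        "roles": [r["name"] for r in tok["roles"]],
    }


def _check(atom, creds, target, depth):
    """Evaluate one atomic check such as role:admin or project_id:%(project_id)s."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, depth + 1)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: creds[kind] must equal the literal, or the target attribute
    # named by %(attr)s (e.g. the project that owns the server being started).
    if match.startswith("%(") and match.endswith(")s"):
        expected = target.get(match[2:-2])
    else:
        expected = match
    return kind in creds and str(creds[kind]) == str(expected)


def enforce(rule_name, creds, target, depth=0):
    """True if creds may perform `rule_name` on `target`; unknown or cyclic rules deny."""
    if depth > 10 or rule_name not in POLICY:
        return False
    # OrCheck of AndChecks: access is granted if any disjunct has all its atoms pass.
    for disjunct in POLICY[rule_name].split(" or "):
        if all(_check(atom.strip(), creds, target, depth)
               for atom in disjunct.split(" and ")):
            return True
    return False
```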
  • 21. Federated Identity
    ● Users can exist in an identity store that is not accessible by Keystone, or is owned by a different entity
    ● Keystone federation allows a user’s identity to be provided as part of the authentication request
      ○ Identity info is provided as environment variables
    ● Keystone is protocol agnostic; all federation protocol details are handled by Apache HTTPD modules
      ○ SAML - mod_shib, mod_auth_mellon
      ○ OpenID Connect - mod_auth_openidc
    ● Terminology
      ○ Identity Provider (IdP)
        ■ Trusted provider of identity information
      ○ Service Provider (SP)
        ■ Service that consumes identity information (Keystone)
      ○ Assertion
        ■ Trusted representation of identity attributes issued by the IdP for consumption by the SP
        ■ If using SAML, the assertion represents identity attributes
        ■ If using OpenID Connect, the assertion is a set of claims
  • 22. Mapping Engine
    ● Groups are created in Keystone's identity backend for the purpose of role assignment
      ○ Mapping establishes group membership
    ● A federation-specific auth URL is used to obtain an unscoped token
      ○ Simply identifies the user and groups
    ● The unscoped federation token is used to obtain a scoped token
      ○ Contains the group-assigned roles
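The mapping step of slides 21 and 22 in miniature: attributes that the Apache auth module exposed as environment variables are matched against rules, and the result names the user and the Keystone groups whose roles the user will inherit. This is an added example written in the shape of Keystone's mapping JSON but it is not Keystone's engine; the rules, attribute names and group ids are constructed placeholders, and it assumes multi-valued attributes arrive ";"-separated.

```python
"""Federation mapping engine in miniature (added example, not Keystone's engine).

Each rule lists `remote` requirements on attributes that the Apache module
exposed as environment variables and `local` results naming the ephemeral
user and the groups (pre-created in Keystone's identity backend) whose roles
the user inherits. An assertion that matches no rule is rejected.
"""
import re

# Constructed rules; the group ids are placeholders for real Keystone group ids.
MAPPING_RULES = [
    {   # anyone whose ROLES attribute includes ops or admin joins the ops group
        "local": [{"user": {"name": "{0}"}}, {"group": {"id": "GROUP_ID_OPS"}}],
        "remote": [{"type": "REMOTE_USER"},
                   {"type": "ROLES", "any_one_of": ["ops", "admin"]}],
    },
    {   # engineering departments (regex match) join the developers group
        "local": [{"user": {"name": "{0}"}}, {"group": {"id": "GROUP_ID_DEV"}}],
        "remote": [{"type": "REMOTE_USER"},
                   {"type": "DEPARTMENT", "any_one_of": ["^eng"], "regex": True}],
    },
]


def _match_remote(requirements, env):
    """Return the direct-mapped values for {n} substitution, or None if any requirement fails."""
    direct = []
    for req in requirements:
        raw = env.get(req["type"])
        if raw is None:                      # a required attribute is absent
            return None
        values = raw.split(";")              # assumption: multi-valued attributes use ";"
        if "any_one_of" in req or "not_any_of" in req:
            patterns = req.get("any_one_of", req.get("not_any_of"))
            if req.get("regex"):
                hit = any(re.search(p, v) for p in patterns for v in values)
            else:
                hit = any(v in patterns for v in values)
            # any_one_of needs a hit; not_any_of needs no hit
            if hit != ("any_one_of" in req):
                return None
        else:
            direct.append(raw)               # plain requirements feed {0}, {1}, ...
    return direct


def map_assertion(env, rules=MAPPING_RULES):
    """Apply every matching rule and return the local user name plus group ids."""
    user_name, group_ids = None, []
    for rule in rules:
        direct = _match_remote(rule["remote"], env)
        if direct is None:
            continue
        for item in rule["local"]:
            if "user" in item:
                user_name = item["user"]["name"].format(*direct)
            if "group" in item and item["group"]["id"] not in group_ids:
                group_ids.append(item["group"]["id"])
    if user_name is None:
        raise PermissionError("no mapping rule matched the assertion")
    return {"user": {"name": user_name}, "group_ids": group_ids}
```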
  • 28. Single Sign-On
    ● The most demanded Federation feature in OpenStack is finally here!
    ● Cross project work item between Keystone and Horizon.
      ○ Work items in three different projects: Keystone, Horizon and django_openstack_auth
    ● Classic Web Single Sign-On experience in Horizon
      ○ Protocol agnostic (supports SAML, OpenID Connect, Kerberos, etc.)
      ○ Keystone still acts as a Service Provider
      ○ Provides users with familiar branding
      ○ One less password for Keystone and Horizon to see
  • 29. Single Sign-On GUI Flow
    ● When the user loads Horizon, they can select the protocol desired, or use the old service accounts
  • 30. Single Sign-On GUI Flow
    ● Once a federated protocol is selected, the branded login page will appear
  • 31. Single Sign-On GUI Flow
    ● When authenticated with their Identity Provider, the user will be logged into Horizon
  • 39. Keystone 2 Keystone Federation
    ● Federating Identities from one deployment to another
      ○ Works almost identically to the normal Federated Identity Flow, except that the originating SAML IdP is another Keystone
      ○ Trust relationship between each deployment must be explicitly set up
      ○ Leverages Identity Provider Initiated SAML Flow:
    ● User authenticates with their own cloud
    ● Exchanges token for an assertion
    ● Forwards the assertion to another cloud
    ● User now has a token for the remote cloud
    Highlighted at the Keynote of the last OpenStack summit!
  • 40. Keystone 2 Keystone Architecture
    [Diagram: Local Cloud (Keystone, Nova, Glance) and Remote Cloud (Keystone, Nova, Glance), with a Local Cloud User. One-time setup performed by cloud admins: A. Add Remote Cloud as a Service Provider; B. Add Local Cloud as an Identity Provider]
  • 42. Future Plans
    ● MFA - Rackspace has proposed an MFA specification that is in progress
      ○ Would be pluggable so vendors can implement their own MFA
    ● Federated Identity Enhancements (polish off rough edges from Federated Identity Keynote)
      ○ Better client experience
      ○ Easier mapping rules
    ● Authorization Enforcement (Tokenless Auth)
      ○ Use X509 instead of passwords
      ○ No token needed (with X509) for interacting with Keystone CRUD interfaces
    ● Dynamic Policy
      ○ Rather than relying on the policy files themselves, this data should be stored in a database and cached
  • 45. Title and Abstract
    Title: Building IAM for OpenStack
    Abstract: Keystone is the IAM project for OpenStack, and as such has to handle many different methods of deployment – On-Prem, Hybrid, Hosted – at many differing levels of scale. Some deployments are no more than a VM used for development purposes, while others are 100,000s of cores across multiple data centers and continents. This session will cover details of Keystone, what can be accomplished with it today, how OpenStack integrates with your enterprise identity solution, federated identity across OpenStack deployments, the OpenStack model of access management today, and our plans for the future.
  • 46. not so pretty agenda to keep for slide titling (ICK!)
    ● Keystone in two minutes or less!
      ○ Keystone Overview
      ○ Identity API vs Keystone
      ○ Scale of Keystone Deployments (1 VM to 1000s of physical machines)
    ● Identity Sources
      ○ Direct Connect (SQL, LDAP, Multiple Backends, SSSD)
      ○ Identity Provider (IdP)
      ○ Use Cases
    ● Authentication
      ○ Password
      ○ Token
      ○ External (Kerberos, x509, etc)
      ○ Multi-Factor
    ● Identity Federation
      ○ Federation (SAML, OpenID Connect, ABFAB, etc)
      ○ Keystone2Keystone Identity Federation
      ○ Web Single Sign-On
    ● Access Management Model in OpenStack
      ○ RBAC
      ○ Authorization
      ○ Endpoint Validation of AuthZ
    ● Future Plans
      ○ Enhancements to Direct Identity Sources
      ○ Federated Identity
      ○ Authorization Enforcement
    ● Closing statements
  • 47. Keystone Auth Token Middleware
    ● A common authentication protocol used between OpenStack projects
    ● Added to the paste pipeline of other projects
  • 48. SSSD
    ● Available in a future release of OpenStack as an Identity Source
    ● Identity information lookup can be offloaded to the underlying platform using SSSD
    ● Eliminates the complexity of LDAP handling within Keystone
    ● SSSD - System Security Services Daemon
      ○ Provides access to remote authentication and identity sources (FreeIPA, Active Directory, LDAP)
      ○ Supports caching for high performance and fault tolerance
      ○ Supports failover for fault tolerance
      ○ Integrates via PAM, NSS, and DBUS
    ● mod_lookup_identity
      ○ Performs lookup of identity attributes from SSSD via DBUS
      ○ Provides identity attributes as environment variables to web applications
    ● mod_auth_* + mod_lookup_identity looks exactly the same as federation from the perspective of Keystone!
  • 49. Multi-Factor Authentication
    ● When knowing a password is not enough
    ● These factors could be:
      ○ knowledge based (questions)
      ○ possession based (security tokens, text messages)
      ○ inherence based (biometrics)
    ● FreeIPA has support for OTP (One Time Password)
      ○ Keystone can work with it via its LDAP identity driver or via SSSD (federated LDAP)
      ○ HOTP/TOTP tokens (Yubikey, FreeOTP, Google Authenticator)
    ● Rackspace has proposed an MFA specification that is in progress
      ○ Would be pluggable so vendors can implement their own MFA
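The possession factor of slide 49, the HOTP/TOTP codes produced by tokens such as FreeOTP or Google Authenticator, worked through on the verifier's side: code generation per RFC 4226 and RFC 6238, plus the two checks a verifier needs, a small clock-skew window and rejection of any counter already consumed. This is an added example, not FreeIPA or Keystone code; the key is the RFC 4226 test key, not a real secret.

```python
"""HOTP/TOTP generation and verification (RFC 4226 / RFC 6238), HMAC-SHA1 flavour.

Added example, not FreeIPA or Keystone code. `verify_totp` tolerates one
time step of skew in either direction and refuses to accept a counter at or
below the last one already used, so a captured code cannot be replayed.
"""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time `at`."""
    return hotp(key, int(at // step), digits)


def verify_totp(key: bytes, code: str, at: float, step: int = 30,
                window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Return the counter the code was accepted for, or None.

    `last_counter` is the highest counter already consumed for this token; the
    caller persists the returned value so the same code is never accepted twice.
    """
    if not code.isdigit():
        return None
    current = int(at // step)
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue                                   # replay of an already-used step
        if hmac.compare_digest(hotp(key, counter, len(code)), code):
            return counter
    return None
```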
