As users increase the integration of CloudStack into their offerings, federated authentication emerges as a critical operational need. This talk will survey the current single sign-on (SSO) landscape, and propose a design to integrate SSO providers into CloudStack without impacting smaller, standalone deployments.
Who the heck are you? Integrating CloudStack Authentication
1. WHO THE HECK ARE YOU?
INTEGRATING SSO INTO
APACHE CLOUDSTACK
John Burwell (jburwell@apache.org | jburwell@basho.com | @john_burwell)
Tuesday, June 25, 13
2. Who The Heck Am I
• Apache CloudStack PMC Member
• Consulting Engineer @ Basho Technologies
• Ran operations and designed automated provisioning for hybrid analytic/virtualization clouds
• Led architectural design and server-side development of a SaaS physical security platform
15. Some Users Require More
• Regulated environments (HIPAA, SOX)
• Enterprises with existing security infrastructure
• Service providers
16. Authenticate Once, Access Many
[Diagram: the user authenticates once and receives a session ticket; CloudStack, an object store, a PaaS and an internal application all accept that same ticket]
38. Complicating Factors
• Potential single point of failure
• Additional service to configure, deploy, and monitor
• Potential performance/scalability bottleneck
45. Next Release (4.3)
• Implement security framework
• Factor current CloudStack authentication/authorization into a framework plugin
• Develop an SSO authentication framework plugin
• Current CloudStack authentication/authorization will be configured by default
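The plugin framework sketched for 4.3 above, together with the "authenticate once, access many" session ticket of slide 16, as an added example. This is not CloudStack code and not the talk's design; it is a Python sketch with assumed class names (LocalPasswordPlugin, SsoTicketPlugin, AuthenticationManager), an assumed PBKDF2 password store, and an HMAC-signed ticket standing in for a real SSO provider such as Keystone or a SAML IdP. The local password plugin is the one configured by default; the SSO plugin is added only where a deployment wants it, and the same ticket is accepted by every service that shares the ticket key.

```python
# Added example (not CloudStack code): a pluggable authentication framework of the
# kind the talk proposes.  Class names and the ticket format are assumptions.
import base64, hashlib, hmac, json, os, time
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Principal:
    user: str
    domain: str
    source: str                         # plugin that authenticated the request

class LocalPasswordPlugin:
    """Today's username/password check as a plugin (the default); salted PBKDF2 (assumed)."""
    name = "local"
    def __init__(self) -> None:
        self._users: dict = {}              # username -> (salt, digest, domain)
        self._dummy = os.urandom(16)        # unknown users still cost one PBKDF2
    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def add_user(self, user: str, password: str, domain: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._digest(password, salt), domain)
    def supports(self, creds: dict) -> bool:
        return "username" in creds and "password" in creds
    def authenticate(self, creds: dict) -> Optional[Principal]:
        salt, stored, domain = self._users.get(creds["username"], (self._dummy, b"", None))
        if not hmac.compare_digest(self._digest(creds["password"], salt), stored):
            return None
        return Principal(creds["username"], domain, self.name)

class TicketService:
    """Stand-in SSO provider (assumed format, not Keystone's or SAML's): an HMAC-signed
    claim set naming the subject, the services it is good for and an expiry, which any
    service holding the key verifies offline."""
    def __init__(self, key: bytes) -> None:
        self._key = key
    def _sign(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()
    def issue(self, user: str, domain: str, aud: Sequence[str], ttl: int, now: int) -> str:
        claims = {"sub": user, "dom": domain, "aud": list(aud), "iat": now, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        return (body + b"." + base64.urlsafe_b64encode(self._sign(body))).decode()
    def verify(self, ticket: str, service: str, now: int) -> Optional[dict]:
        try:
            body, sig = ticket.encode().split(b".", 1)
            if not hmac.compare_digest(base64.urlsafe_b64decode(sig), self._sign(body)):
                return None                 # forged or tampered; checked before parsing
            claims = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:                  # missing separator, bad base64 or bad JSON
            return None
        if claims.get("exp", 0) <= now or service not in claims.get("aud", []):
            return None                     # expired, or issued for other services only
        return claims

class SsoTicketPlugin:
    """SSO plugin: accepts a ticket from the shared TicketService for this service."""
    name = "sso"
    def __init__(self, tickets: TicketService, service: str, clock=time.time) -> None:
        self._tickets, self._service, self._clock = tickets, service, clock
    def supports(self, creds: dict) -> bool:
        return "ticket" in creds
    def authenticate(self, creds: dict) -> Optional[Principal]:
        claims = self._tickets.verify(creds["ticket"], self._service, int(self._clock()))
        return Principal(claims["sub"], claims["dom"], self.name) if claims else None

class AuthenticationManager:
    """First configured plugin that understands the credential shape wins; a deployment
    that configures only LocalPasswordPlugin behaves exactly as today."""
    def __init__(self, plugins: Sequence) -> None:
        self._plugins = list(plugins)
    def authenticate(self, creds: dict) -> Optional[Principal]:
        for plugin in self._plugins:
            if plugin.supports(creds):
                return plugin.authenticate(creds)
        return None

def demo() -> dict:
    """Constructed scenario: one login ticket, three services sharing one key."""
    now, tickets = 1_700_000_000, TicketService(b"constructed-shared-key")
    local = LocalPasswordPlugin()
    local.add_user("alice", "correct horse battery", "ROOT")
    sso = lambda svc: SsoTicketPlugin(tickets, svc, lambda: now)
    cloudstack = AuthenticationManager([sso("cloudstack"), local])   # SSO first, local fallback
    objectstore, paas = AuthenticationManager([sso("objectstore")]), AuthenticationManager([sso("paas")])
    ticket = tickets.issue("alice", "ROOT", ["cloudstack", "objectstore"], ttl=3600, now=now)
    stale = tickets.issue("alice", "ROOT", ["cloudstack"], ttl=3600, now=now - 7200)
    forged = TicketService(b"attacker-key").issue("admin", "ROOT", ["cloudstack"], 3600, now)
    return {
        "password_ok": cloudstack.authenticate({"username": "alice", "password": "correct horse battery"}),
        "password_bad": cloudstack.authenticate({"username": "alice", "password": "wrong"}),
        "unknown_user": cloudstack.authenticate({"username": "mallory", "password": "x"}),
        "ticket_cloudstack": cloudstack.authenticate({"ticket": ticket}),
        "ticket_objectstore": objectstore.authenticate({"ticket": ticket}),
        "ticket_paas": paas.authenticate({"ticket": ticket}),          # paas is not in its audience
        "ticket_expired": cloudstack.authenticate({"ticket": stale}),
        "ticket_forged": cloudstack.authenticate({"ticket": forged}),
    }
```

Two design points carry over to a real SSO plugin: the ticket signature is checked before the claims are parsed, so an attacker-controlled payload never reaches the JSON parser, and each service verifies its own audience entry, so a ticket minted for CloudStack and the object store does not also open the PaaS. The "complicating factors" slide still applies: the TicketService (or Keystone in the proposed 4.3 plan) becomes a shared dependency that has to be deployed, monitored and sized for every service that calls it.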
46. We build a cloud orchestration platform.
47. JAAS
• Pros
• Standard
• Cons
• Requires a JEE application server
• No runtime pluggability
48. Spring Security
• Pros
• Robust declarative programming model
• Natural integration with current Spring implementation
• Cons
• Complex runtime extension model
• Increases coupling with Spring
49. Apache Shiro
• Pros
• Straightforward extension model
• Lightweight POJO model with support for Spring integration
• Cons
• May not be capable of meeting the data storage requirements
50. ... and the winner is
None yet, but not JAAS
51. Which SSO?
CAS, JOSSO, Keystone, Facebook Login, Google Single Sign-On, OpenID, Amazon IAM, Active Directory, Oracle Identity Management Server, IBM Security Access Manager, OAuth, SASL, SAML, Kerberos, Multi-factor Authentication, Password hashing, Password Aging, Password Strength, Session Management, LDAP
52. SSO Landscape
Protocols/Standards: Keystone, Kerberos, OAuth, OpenID, SAML, SASL
Platforms: Amazon IAM, Active Directory, CAS, Facebook Login, JOSSO, Google Single Sign-On, Keystone, IBM Security Access Manager, Oracle Identity Management
Methods/Operations: Multi-factor Authentication, Password Reset, Remember me?
Policies: Password aging, strength, and hashing; Session Management
Stores: LDAP, Relational Databases
53. Selection Criteria
• Protocols/Standards with open source implementations
• Allow the integration of additional cloud services (object storage, PaaS, ...)
Finalists: OAuth, Keystone, and SAML
54. OAuth/OAuth2
• Pros
• Wide adoption
• Supports both user and application authentication
• Cons
• Turmoil around the OAuth2 specification
• Potential security holes due to design flaws
• Lack of support from complementary cloud technologies
55. Keystone
• Pros
• Momentum
• Designed to support cloud identity management
• Supported by technologies complementary to CloudStack (e.g. Riak CS, Swift ...)
• Cons
• Limited, but growing, third-party support
• Evolving standard specification and operation
56. SAML
• Pros
• Stable specification
• Wide support
• Cons
• Complexity
• Lack of support from complementary cloud technologies
58. Future Directions
• AWS API support for Amazon IAM
• Fine grained Authorization
• Automated Password Reset
• Application Audit Trails
• SAML Plugin
59. Summary
• Current CloudStack authentication supports many use cases
• SSO integration would allow CloudStack to meet advanced authentication requirements
• Introduce a security framework to give users the flexibility to balance operational complexity and security
• For 4.3, factor the current authentication mechanism into the new framework and provide a Keystone implementation