Keystone Federation




Anush V
Meghana Prashanth
Pramod Ramesh

Dr. Dinkar Sitaram
Center for Cloud computing and Big Data
PESIT, Bangalore

[Figure: three OpenStack clouds (Openstack A, Openstack B, Openstack C), each with its own IdentityProvider and Services]
Federation

•   A federation is defined as "an association comprising any number of
    service providers and identity providers."
Federated System
•   The current implementation of authorization is based on a 3-tuple, namely
    (Subject, Privilege, Object)
•   This needs to be modified to incorporate federation and multi-tenancy
•   The new system would use a 5-tuple, namely (Issuer, Subject, Privilege,
    Interface, Object)
•   We use an RBAC-based implementation
•   With RBAC, the 5-tuple becomes (Issuer, role(Issuer, roleName), Privilege,
    Interface, Object)
(IssuerB, role(IssuerA, admin), Read, InterfaceB.1, root) is interpreted
as IssuerB grants anybody with role(IssuerA, admin) Read access to
the root folder of the file system provided by InterfaceB.1.
Our Implementation
We have devised a simple mechanism for federation.
Scenario: Assume that the client is a tenant in some Home cloud A. They want access to
resources in some remote cloud B. In the steps below, H denotes the home cloud and R the
remote cloud.
 •   GAT acquisition: the client sends the gateway in A a request for a GAT (Gateway Access
     Token), which will allow it to access the gateway at B. The GAT is one of our 5-tuples.
 •   TAT acquisition (Tenant Access Token):
      o   The client sends the GAT, together with its certificate or authentication token, to the
          gateway at R, requesting a TAT.
      o   [The gateway at R contacts the gateway at H to validate the identity of the client.]
      o   The gateway at R returns a TAT for the requested or all accessible tenants. The TAT is
          another of our 5-tuples.
 •   RAT acquisition (Resource acquisition Token):
      o   The client sends the TAT together with a request for a RAT to the policy engine on
          the tenant. This should be signed.
      o   The policy engine sends the request to the gateway at R for verification of the
          signature.
      o   The policy engine sends back the RAT. The RAT is our 5-tuple.
Current implementation:
All rules are stored here
rules_dict : { abc: {role:[netadmin], tenant_id:[mytenant]},
               def: {role:[computeadmin], tenant_id:[mytenant1]} }
Service Access Requirements
match_list : {rule:abc} - Service determines what is the required policy to grant user access
User Credentials
cred_dict : {roles:[netadmin], tenant_id:[mytenant]}
target_dict : {tenant_id:mytenant}

Our implementation:
All rules are stored here
rules_dict : { abc: {role:[issuerA:netadmin], tenant_id:[mytenant], interface:[myinterface]},
               def: {role:[issuerC:netadmin], tenant_id:[mytenant], interface:[myinterface]} }
Service Access Requirement
match_list : {rule:abc}
User Credentials
target_dict : {tenant_id:mytenant}
cred_dict : {roles:[issuerA:netadmin], tenant_id:[mytenant], interface:[myinterface]}
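
An added example, not code from the slides or from Keystone: a small evaluator for the two rules_dict layouts above and for the 5-tuple grant from the earlier slide, showing that an issuer-qualified role from one cloud does not satisfy a rule written for another. The helper names (split_role, check, permits) and the credential samples are assumptions made for illustration.

```python
# Added example (not from the slides). The dict layouts follow the slides;
# split_role(), check() and permits() are hypothetical helpers, not Keystone's
# policy engine.

CURRENT_RULES = {
    "abc": {"role": ["netadmin"], "tenant_id": ["mytenant"]},
    "def": {"role": ["computeadmin"], "tenant_id": ["mytenant1"]},
}
FEDERATED_RULES = {
    "abc": {"role": ["issuerA:netadmin"], "tenant_id": ["mytenant"],
            "interface": ["myinterface"]},
    "def": {"role": ["issuerC:netadmin"], "tenant_id": ["mytenant"],
            "interface": ["myinterface"]},
}


def split_role(role):
    """'issuerA:netadmin' -> ('issuerA', 'netadmin'); 'netadmin' -> (None, 'netadmin')."""
    issuer, sep, name = role.partition(":")
    return (issuer, name) if sep else (None, role)


def check(rules_dict, match_list, target_dict, cred_dict):
    """Return True only if the credentials satisfy the rule named in match_list."""
    rule = rules_dict.get(match_list.get("rule"))
    if rule is None:
        return False  # unknown rule: fail closed
    tenant = target_dict.get("tenant_id")
    if tenant not in rule["tenant_id"] or tenant not in cred_dict.get("tenant_id", []):
        return False
    # The interface is checked only when the rule names one (federated layout).
    if "interface" in rule:
        if not set(rule["interface"]) & set(cred_dict.get("interface", [])):
            return False
    # Compare (issuer, roleName) pairs, never the role name alone.
    required = {split_role(r) for r in rule["role"]}
    held = {split_role(r) for r in cred_dict.get("roles", [])}
    return bool(required & held)


def permits(grant, role, privilege, interface, obj):
    """Evaluate one (Issuer, role(Issuer, roleName), Privilege, Interface, Object) grant."""
    _issuer, granted_role, g_priv, g_iface, g_obj = grant
    return (granted_role, g_priv, g_iface, g_obj) == (role, privilege, interface, obj)


# The slide's grant: IssuerB lets role(IssuerA, admin) Read root via InterfaceB.1.
SLIDE_GRANT = ("IssuerB", ("IssuerA", "admin"), "Read", "InterfaceB.1", "root")

# Constructed inputs for the demonstration.
MATCH = {"rule": "abc"}
TARGET = {"tenant_id": "mytenant"}
LOCAL_CREDS = {"roles": ["netadmin"], "tenant_id": ["mytenant"]}
CLOUD_A_CREDS = {"roles": ["issuerA:netadmin"], "tenant_id": ["mytenant"],
                 "interface": ["myinterface"]}
CLOUD_C_CREDS = {"roles": ["issuerC:netadmin"], "tenant_id": ["mytenant"],
                 "interface": ["myinterface"]}

if __name__ == "__main__":
    print("current layout, bare role:", check(CURRENT_RULES, MATCH, TARGET, LOCAL_CREDS))
    print("federated, issuerA role:  ", check(FEDERATED_RULES, MATCH, TARGET, CLOUD_A_CREDS))
    print("federated, issuerC role:  ", check(FEDERATED_RULES, MATCH, TARGET, CLOUD_C_CREDS))
    print("slide grant, IssuerA admin:",
          permits(SLIDE_GRANT, ("IssuerA", "admin"), "Read", "InterfaceB.1", "root"))
```

Because roles are compared as (issuer, roleName) pairs, a bare `netadmin` or an `issuerC:netadmin` credential fails rule `abc` in the federated layout even though the role name is the same.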
Current Federation Blueprint
•   The current blueprint for federation is given by David Chadwick
•   He talks about a 30-step procedure involving various entities like
      •  AM – Attribute Mapper
      •  ARP – Attribute Requirements Policy
      •  IdP – Identity Provider
      •  AA – Attribute Authority
•    There exists a global entity called Openstack Gateway (OG) which is a centralised
    control unit
•    OG contains trust relationships between AA, IdPs, etc.
•    Since all mappings are in OG there is a need to have globally identifiable
    attributes/roles given by IdPs, AAs
•    Existence of scoped and unscoped tokens (unclear)
Differences between the models
•   ARP does not exist in our model. Instead, we feel directly sending the user's
    credentials is enough
•   There is no explicit IdP in our model. Instead, the authenticity of the user is
    validated by its gateway by looking at the user-generated certificate
•   AM is not needed in our model
•   Our model has local gateways for each of the cloud service providers as
    compared to a common Openstack Gateway proposed by the blueprint
•   There are just normal tokens in our model. The blueprint talks about scoped and
    unscoped tokens
THANK YOU
