OpenStack Security
- 2. IBM Security Systems
OpenStack - Core Projects / Components
Compute (Nova) – Provision and manage virtual machines
Dashboard (Horizon) – Self-service portal
Image (Glance) – Catalog and manage server images
Identity (Keystone) – Unified authentication, integrates with existing systems
Object Storage (Swift) – petabytes of secure, reliable object storage
Source: http://ken.pepple.info/openstack/2012/02/21/revisit-openstack-architecture-diablo/
2 © 2013 IBM Corporation
- 3. IBM Security Systems
Keystone (Identity Service) offers project-wide identity, token, service catalog, and policy services designed to integrate with existing systems.
Core Use Cases:
• Authenticate user / password requests against multiple backends (SQL, LDAP, etc.) (Identity Service)
• Validate / manage tokens used after initial username/password verification (Token Service)
• Endpoint registry of available services (Service Catalog)
• Authorize API requests (Policy Service)
Key Capabilities:
• User / Tenant model with Role-Based Access Control
• Policy service provides a rule-based authorization engine and the associated rule management interface.
• Each service is configured to serve data from a pluggable backend (Key-Value, SQL, PAM, LDAP, Templates)
• REST-based APIs
- 4. IBM Security Systems
Basic Concepts
The Identity service has two primary functions:
– User management: keep track of users and what they are permitted to do
– Service catalog: provide a catalog of what services are available and where their API endpoints are located
- 5. IBM Security Systems
Identity Service – Key terms
User
A digital representation of a person, system, or service. Users have a login and may be assigned tokens to access resources. Users may be directly assigned to a particular tenant.
Credentials
Data that belongs to, is owned by, and generally only known by a user, which the user can present to prove they are who they are; for example, username/password.
Authentication
Validate the user's claims, such as a set of credentials (username & password, or username and API key). After initial confirmation, Keystone will issue the user a token which the user can then provide to demonstrate that their identity has been authenticated when making subsequent requests.
Token
A token is an arbitrary bit of text that is used to access resources; it is valid for a finite duration and can be revoked at any time.
Tenant
A container used to group or isolate resources and/or identity objects. Depending on the service operator, a tenant may map to a customer, account, organization, or project.
Service
An OpenStack service, such as Compute (Nova), Object Storage (Swift), or Image Service (Glance). A service provides one or more endpoints through which users can access resources and perform (presumably useful) operations.
Endpoint
A network-accessible address, usually described by URL, where a service may be accessed.
Role
A personality that a user assumes when performing a specific set of operations. A role includes a set of rights and privileges.
Source : http://docs.openstack.org/api/openstack-identity-service/2.0/content/identity-dev-guide-2.0.pdf
- 6. IBM Security Systems
Identity Service – Key Concepts
Identity Management
Tenant -> User -> [ Credential | Token | Role ]
Tenants have Users. Users can belong to many tenants.
Users authenticate using a Credential and get a time-scoped Token.
Tenant + User pairs can have many roles.
Service "Catalog"
Service -> Endpoint
Services (e.g. Compute, Object Storage, Image Service) have many Endpoints. Endpoints are typically a URL + where it is accessible from (e.g. internal, public).
RBAC
OpenStack has a configurable RBAC system that can be used to customize API access by Role.
A Role is given to a user in Keystone.
The API access is defined by a policy.json file that is specific to each project (Nova example).
In Keystone, a token that is issued to a user includes the list of roles that user can assume.
Services that are being called by that user determine how they interpret the set of roles a user has and which operations or resources each role grants access to.
- 7. IBM Security Systems
Keystone Workflow
http://docs.openstack.org/trunk/openstack-compute/admin/content/keystone-concepts.html
- 8. IBM Security Systems
Configuring Services to work with Keystone
Once Keystone is installed and running, services need to be configured to work with it. In general:
Clients making calls to the service will pass in an authentication token.
The Keystone middleware will look for and validate that token, taking the appropriate action.
It will also retrieve additional information from the token such as user name, user id, tenant name, tenant id, roles, etc.
The middleware will pass that data down to the service as headers.
Keystone Auth-Token Middleware
The Keystone auth_token middleware is a WSGI component that can be inserted in the WSGI pipeline to handle authenticating tokens with Keystone.
Configuring Keystone for an LDAP backend
It is possible to connect an LDAP backend with the Identity service Keystone.
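As an added example (not from the slides, and not Nova's or Keystone's own code), the following Python shows how the RBAC slide and the middleware slide fit together: the caller's credentials are built from the X-User-Id / X-Tenant-Id / X-Roles headers that auth_token sets after validating the token, and a Nova-style policy.json rule is then evaluated against them. The policy fragment and the evaluator are constructed for illustration, using the list-of-lists rule format Nova used at the time (outer list = alternatives, inner list = conditions that must all hold).

```python
import json

# Constructed policy.json fragment (not a real Nova file). An empty list
# means the action is always permitted; "default" covers unlisted actions.
POLICY_JSON = """{
  "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
  "default": [["rule:admin_or_owner"]],
  "compute:create": [],
  "compute:delete": [["rule:admin_or_owner"]],
  "compute_extension:admin_actions:reset_state": [["role:admin"]]
}"""

RULES = json.loads(POLICY_JSON)


def creds_from_headers(headers):
    """Build the caller's credentials from the headers auth_token sets on the
    request after token validation (X-Roles is a comma-separated list)."""
    roles = headers.get("X-Roles", "")
    return {
        "user_id": headers.get("X-User-Id"),
        "project_id": headers.get("X-Tenant-Id"),
        "roles": [r.strip() for r in roles.split(",") if r.strip()],
    }


def _check(cond, creds, target, rules):
    """Evaluate one 'kind:match' condition against the caller and the target."""
    kind, _, match = cond.partition(":")
    if kind == "rule":                       # reference to another named rule
        return enforce(match, creds, target, rules)
    if kind == "role":                       # role carried in the validated token
        return match.lower() in (r.lower() for r in creds["roles"])
    # Generic check: compare a credential field with the target, e.g.
    # project_id:%(project_id)s holds when caller and target share a project.
    try:
        return str(creds.get(kind)) == match % target
    except KeyError:                         # target lacks the referenced field
        return False


def enforce(action, creds, target, rules=RULES):
    """True if any alternative for the action holds. Unknown actions fall back
    to 'default'; if there is no 'default' they are denied."""
    if action not in rules:
        if "default" not in rules:
            return False
        action = "default"
    alternatives = rules[action]
    if not alternatives:                     # [] => no conditions => allowed
        return True
    return any(all(_check(c, creds, target, rules) for c in conj) for conj in alternatives)
```

Note that the service, not Keystone, decides what each role means: the same token roles yield different answers depending on which project's policy.json is loaded.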
- 10. IBM Security Systems
Keystone – Observations & Enhancements
Integration with enterprise security systems
Support for Security Standards & Federation
– Need to support external services for Authentication and Authorization, e.g. OAuth, SAML and OpenID
Audit, Compliance & Governance
– Current logging is mostly focused on debugging and monitoring; need an automated way to provide audit and assessment data
Scalability and Performance
– Need to scale and perform for enterprise-grade deployments
Support for Multi-tenancy & Keystone Domains