pingidentity.com
IDENTITY AND OPENSTACK ICEHOUSE
David Waite
Technical Architect, Ping Labs
Ping Identity

Contents
• What is OpenStack
• What components are in OpenStack
• Keystone, the Identity component of OpenStack
• Tokens
• Integration
• Federation
• What's coming?
What is OpenStack?
• Cloud Computing Platform
• Infrastructure-as-a-Service
• Used for private and public clouds
• Multi-tenant (project)

What is OpenStack?
• Strives for Openness:
  • Source
  • Standards
  • Design
  • Development
  • Community
• Modular architecture promoting individual projects

Who uses OpenStack?
• Targeting service offerings, enterprises, and government/academic institutions
• Industries like IT, telco, SaaS, Finance and Healthcare
• Name Dropping
  • PayPal, Best Buy, Comcast, CERN
Cloud Stack

Continuum

Cloud Environments

OpenStack Architecture

What does OpenStack Provide?
Function    Purpose
Compute     Virtual Machines, management of underlying CPU/Memory usage (EC2)
Network     Software Defined Networking and Load Balancing
Storage     Object and Block storage (EC2/EBS, Azure Blob Storage)
Image       Virtual Machine image management
Telemetry   Metrics on usage of infrastructure resources
Dashboard   User Interface for controlling/inspecting infrastructure
Database    Database as a Service
Identity    Manage API and administrative access to everything else
Identity, AKA Keystone
• Identity Services for all of OpenStack
• Authentication
• Coarse authorization
• Facade for existing identity systems
• Token-based access
• Catalog of service endpoints
• Policy storage for RBAC

Security of Tiers Differ

Integration
• OpenStack supports several integration options
• User Directories
  • LDAP (read-only and read-write)
  • SQL
  • Key-Value Store
• Authentication
  • Password
  • External via HTTP Server (X.509, Kerberos,

Keystone Tokens
• Represents authorization
• Scoped to a Project*
• Bearer tokens only
• All API Secured with Tokens

Keystone Tokens
• Two formats
  • Opaque (UUID)
  • Structured (PKI)
• Limited Lifetime (1 - 24hr)
• No token refresh
• Revocable
Authentication

Token

Typical API call

Federation
• Icehouse now supports SAML
  • Via the Shibboleth Open Source project
• SAML Web SSO and ECP (Enhanced Client) profiles
• No Web UI support
• Exchange SAML for token

Hybrid Cloud

Hybrid Cloud Uses
• Grow from Private to Public cloud
• Seasonal Load or Dynamic Load
• Migrate resources between Private/Public cloud
• Sharing relationships across Private infrastructure

What’s Coming (with Caveats)
• Domain-specific Authentication Drivers
• SAML SSO Support for Horizon
  • Administrators logging into console with Federation
• OpenID Connect support
  • Alternate (social) protocol for SSO

Questions?

Editor's Notes

  • #5: OpenStack tenants are referred to as projects
  • #8: A diagram representing IaaS, PaaS, and SaaS. Applications may be leveraging a cloud platform, or be using the infrastructure directly
  • #9: The tradeoff as you move to higher levels of abstraction is that you gain simplicity and are put on track for higher scalability, but lose control. By using open source tools, organizations can regain some of that control
  • #10: There are three cloud environments - private, on-premise clouds; externally hosted clouds run on dedicated hardware for the customer; and public clouds like EC2 or Rackspace Cloud where you are using a portion of the infrastructure and being billed based on usage. Enterprise solutions like VMware are attempting to move into the market on the right, while OpenStack is attempting to move left
  • #11: OpenStack has Compute, Network, and Storage resources. Across all these components you have the Dashboard, which provides the management UI, and the Identity layer, which provides authentication for all the components
  • #13: It is important to realize that configuration of infrastructure may have different identity needs, and be a different authentication domain, than the compute resources on top, and that the operating system being virtualized may still have different needs than end user content. Keystone targets the needs of IaaS administration specifically
  • #14: Keystone operates as a facade in front of existing systems. You may put all the information into an LDAP directory, although in an enterprise environment it is perhaps more typical to set up a SQL database to store information rather than give Keystone write access to the directory. You may also set up Keystone to operate from just a SQL database. For authentication, you can perform password authentication, or you can use authentication functionality implemented by a fronting proxy for Kerberos and X.509 client certificate authentication.
  • #15: At its core, Keystone is about authenticating users and issuing tokens to be used for API calls. These tokens would be reusable if captured, so they must be sent over a secured transport. Tokens are scoped to a project or to a domain. Projects can share security settings in Keystone via a local concept called domains. Two models are supported for tokens - a UUID reference to the user information, and a PKI-based token which carries the information itself. There is no refresh mechanism for tokens, so while they have a limited lifetime, this is usually set to be at least 24 hours.
  • #18: The tokens issued always contain a user and role assignments. They almost always contain a scope limiting them to operate either at the level of a particular domain, or a particular project. Finally, they may contain extra metadata from the authentication system.
  • #19: API requests to the various services in OpenStack pass a token in the header of the request. The service has a policy, which it received from Keystone, containing rules that it uses to evaluate whether the request is authorized. If access is authorized, the service performs whatever action is appropriate for the API and returns a response. As this flow is so common, Keystone provides both clients and server filters for OpenStack projects as well as for third party clients and components.
  • #20: OpenStack has a new release every six months with alphabetically increasing names. For the most recent Icehouse release, SAML functionality was added by leveraging the Shibboleth project. Shibboleth’s Apache-based service provider acts as a filter on authentication requests. This provides SAML Web SSO and ECP profile support for acquiring tokens. However, this is only meant for gaining an API token. There is not yet support for the Dashboard component, which provides the administrator-facing web configuration UI, to authenticate the administrator via SAML.
  • #21: Federation is exciting because it simplifies the concept of a hybrid cloud. With universal access to a standardized API for configuring domains, you may write tools that set up infrastructure in remote environments the same way you would do so locally. Components can move from one cloud to another, infrastructure can scale from the internal environment to third party providers based on load, and organizations can make decisions to share compute resources that are often under-provisioned in a tit-for-tat arrangement.
  • #23: So what's coming? Nothing is set in stone, but there are efforts underway to enable some very useful functionality, some of which may land in the Juno timeframe. Today, you have a single identity system for your whole OpenStack installation; going forward, you will be able to have different identity systems for different domains. While there is currently no browser SSO into the administrative dashboard, there are already efforts to extend the current SAML support to cover this. Likewise, the OpenID Connect protocol is complete and provides several interesting features, especially to organizations which haven’t already committed to using SAML. There have been experiments to support this protocol as well.
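The token contents of note #18 and the API-call flow of note #19, as an added example that is not part of the original deck and not Keystone's own code: a toy service-side check that rejects unknown, revoked or expired bearer tokens and then evaluates a policy.json-style rule against the token's role assignments and project scope. The rule syntax, token fields, sample tokens and revocation list are constructed for this illustration.

```python
# Constructed model of the service side of an OpenStack API call (not Keystone or
# oslo.policy code): validate the X-Auth-Token bearer token, then evaluate policy.
from datetime import datetime, timedelta, timezone
NOW = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock

# policy.json-style rules, action -> rule. Syntax (assumed for this example):
# "role:<name>" and "project_id:%(project_id)s" joined by " and " / " or ".
POLICY = {"compute:create": "role:member or role:admin",
          "compute:delete": "role:admin and project_id:%(project_id)s",
          "identity:list_users": "role:admin"}

def tok(user, role, project, ttl_hours):
    # Constructed token record: what a service learns from Keystone for a UUID token
    return {"user": user, "roles": [role], "project_id": project,
            "expires_at": NOW + timedelta(hours=ttl_hours)}

TOKENS = {"tok-member": tok("alice", "member", "proj-a", 1),
          "tok-admin-b": tok("bob", "admin", "proj-b", 24),
          "tok-stale": tok("carol", "admin", "proj-a", -1),  # already expired
          "tok-gone": tok("dave", "admin", "proj-a", 1)}     # see REVOKED
REVOKED = {"tok-gone"}  # constructed revocation list

def validate_token(token_id, now=NOW, tokens=TOKENS, revoked=REVOKED):
    """Return (token, reason); tokens expire, may be revoked, are never refreshed."""
    token = tokens.get(token_id)
    if token is None:
        return None, "unknown token"
    if token_id in revoked:
        return None, "revoked"
    if now >= token["expires_at"]:
        return None, "expired"
    return token, "ok"

def check(term, token, target):
    """One rule atom: a role the token carries, or the target's project."""
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in token["roles"]
    if kind == "project_id":  # %(project_id)s is taken from the target resource
        return token["project_id"] == target["project_id"]
    raise ValueError("unknown check " + term)

def evaluate_rule(rule, token, target):
    """'or' of 'and'-groups, so 'and' binds tighter than 'or'."""
    return any(all(check(t.strip(), token, target) for t in g.split(" and "))
               for g in rule.split(" or "))

def authorize(headers, action, target, now=NOW):
    """Service decision: 401 if the token fails, 403 if the policy denies it."""
    token, reason = validate_token(headers.get("X-Auth-Token"), now)
    if token is None:
        return 401, reason
    if not evaluate_rule(POLICY[action], token, target):
        return 403, "policy denied " + action
    return 200, "allowed as " + token["user"]
```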