OpenStack Security
2 likes3,102 views
Keystone provides unified identity management for OpenStack. It offers authentication, a centralized token service, and policy management. Key capabilities include user/tenant models with role-based access control and pluggable backends. Keystone allows integration with existing authentication systems and provides a service catalog of available APIs and their endpoints.
![IBM Security Systems
Identity Service – Key Concepts
Identity Management RBAC
Tenant -> User -> [ Credential | Token | Role ] OpenStack has a configurable RBAC system that
Tenants have Users. Users can belong to many can be used to customize API access by Role.
tenants.
Users authenticate using a Credential and get a Role is given to a user in Keystone.
time-scoped Token.
Tenant + User pairs can have many roles. The API access is defined by a policy.json file that
is specific to each project (Nova example).
Service "Catalog"
Service -> Endpoint In Keystone, a token that is issued to a user
Services (e.g. Compute, Object Storage, Image includes the list of roles that user can assume.
Service) have many Endpoints. Endpoints are
typically a URL + where it is accessible from (e.g. Services that are being called by that user
internal, public) determine how they interpret the set of roles a user
has and which operations or resources each roles
grants access to.
6 © 2013 IBM Corporation](https://image.slidesharecdn.com/openstacksecurity-130319161411-phpapp01/85/OpenStack-Security-6-320.jpg)
OpenStack Security
- 1. IBM Security Systems OpenStack Security Sreekanth Iyer Executive IT Architect IBM Security Systems © 2013 IBM Corporation 1 © 2013 IBM Corporation
- 2. IBM Security Systems OpenStack - Core Projects / Components Compute (Nova) – Provision and manage virtual machines Dashboard (Horizon) – Self-service portal Image (Glance) – Catalog and manage server images Identity (Keystone) – Unified authentication, integrates with existing systems Object Storage (Swift) – petabytes of secure, reliable object storage Source: http://ken.pepple.info/openstack/2012/02/21/revisit-openstack-architecture-diablo/ 2 © 2013 IBM Corporation
- 3. IBM Security Systems Keystone (Identity Service) offers project-wide identity, token, service catalog, and policy service designed for integrate with existing systems Core Use Cases: • Authenticate user / password requests against multiple backends (SQL, LDAP, etc) (Identity Service) • Validates / manages tokens used after initial username/password verification (Token Service) • Endpoint registry of available services (Service Catalog) • Authorize API requests (Policy Service) Key Capabilities: • User / Tenant model with Role-Based Access Control • Policy service provides a rule-based authorization engine and the associated rule management interface. • Each service configured to serve data from pluggable backend (Key-Value, SQL, PAM, LDAP, Templates) • REST-based APIs 3 © 2013 IBM Corporation
- 4. IBM Security Systems Basic Concepts The Identity service has two primary functions: –User management: keep track of users and what they are permitted to do –Service catalog: Provide a catalog of what services are available and where their API endpoints are located 4 © 2013 IBM Corporation
- 5. IBM Security Systems Identity Service – Key terms Token A token is an arbitrary bit of text that is used to User access resource which is valid for a finite duration A digital representation of a person, system, or and can be revoked at anytime service Tenant Users have a login and may be assigned tokens to A container used to group or isolate resources access resources. and/or identity objects. Depending on the service Users may be directly assigned to a particular operator, a tenant may map to a customer, account, tenant organization, or project. Credentials Service Data that belongs to, is owned by, and generally An OpenStack service, such as Compute (Nova), only known by a user that the user can present to Object Storage (Swift), or Image Service (Glance). prove they are who they are for example – A service provides one or more endpoints through username/password which users can access resources and perform (presumably useful) operations. Authentication Endpoint Validate the user claims like a set of credentials (username& password, or username and API key). An network-accessible address, usually described by URL, where a service may be accessed. After initial confirmation, Keystone will issue the user a token which the user can then provide to Role demonstrate that their identity has been A personality that a user assumes when performing authenticated when making subsequent requests. a specific set of operations. A role includes a set of right and privileges. Source : http://docs.openstack.org/api/openstack-identity-service/2.0/content/identity-dev-guide-2.0.pdf 5 © 2013 IBM Corporation
- 6. IBM Security Systems Identity Service – Key Concepts Identity Management RBAC Tenant -> User -> [ Credential | Token | Role ] OpenStack has a configurable RBAC system that Tenants have Users. Users can belong to many can be used to customize API access by Role. tenants. Users authenticate using a Credential and get a Role is given to a user in Keystone. time-scoped Token. Tenant + User pairs can have many roles. The API access is defined by a policy.json file that is specific to each project (Nova example). Service "Catalog" Service -> Endpoint In Keystone, a token that is issued to a user Services (e.g. Compute, Object Storage, Image includes the list of roles that user can assume. Service) have many Endpoints. Endpoints are typically a URL + where it is accessible from (e.g. Services that are being called by that user internal, public) determine how they interpret the set of roles a user has and which operations or resources each roles grants access to. 6 © 2013 IBM Corporation
- 7. IBM Security Systems Keystone Workflow http://docs.openstack.org/trunk/openstack-compute/admin/content/keystone-concepts.html 7 © 2013 IBM Corporation
- 8. IBM Security Systems Configuring Services to work with Keystone Once Keystone is installed and running, services need to be configured to work with it. In general: Clients making calls to the service will pass in an authentication token. The Keystone middleware will look for and validate that token, taking the appropriate action. It will also retrieve additional information from the token such as user name, id, tenant name, id, roles, etc... The middleware will pass those data down to the service as headers. Keystone Auth-Token Middleware The Keystone auth_token middleware is a WSGI component that can be inserted in the WSGI pipeline to handle authenticating tokens with Keystone. Configuring Keystone for an LDAP backend It is possible to connect an LDAP backend with the Identity service Keystone. 8 © 2013 IBM Corporation
- 9. IBM Security Systems Keystone APIs Token Operations User Operations Tenant Operations 9 © 2013 IBM Corporation
- 10. IBM Security Systems Keystone – Observations & Enhancements Integration with enterprise security systems Support for Security Standards & Federation – Need to support external services for Authentication and Authorization i.e. OAuth, SAML and OpenID Audit, Compliance & Governance – Current logging mostly focused on debugging and monitoring; Need automated way to provide audit and assessment data Scalability and Performance – Need to scale and perform for enterprise grade deployments Support for Multi-tenancy & Keystone Domains 10 © 2013 IBM Corporation