Cloud federation Are we there yet?
Marek Denis
CERN openlab Major Review
Geneva, Switzerland
› October 15-16 2014
Rackspace and CERN openlab
› Rackspace joined CERN openlab last year
› The project officially kicked off on October 1st 2013.
› We are contributing directly to OpenStack
› …and received good feedback about the importance of the topic we are working on
15/10/2014 Marek Denis – CERN openlab
Cloud federation
“A federated cloud (also called cloud federation) is the deployment and management of multiple external and internal cloud computing services to match business needs. A federation is the union of several smaller parts that perform a common action.”
http://whatis.techtarget.com/definition/federated-cloud-cloud-federation
Bringing old concepts into cutting edge technology
› First steps towards hybrid clouds
(Holy Grail of cloud computing)
› Federation allows for splitting authentication and authorization
Security
Ease of configuration
Centralized Identity management
How does CERN use it?
› CERN to join the EduGAIN federation at the beginning of 2015 (allowing CERN to share cloud resources with others)
› Presumably the first production setup in the world
› In the future CERN may easily burst into various public and private clouds
Last year in retrospection
› We started with vague design charts (we only knew SAML2 could be used as an identity transport layer)
› In April OpenStack Icehouse was released.
Key New Features
• New v3 API features
• /v3/OS-FEDERATION/ allows Keystone to consume federated authentication via Shibboleth for multiple Identity Providers, and mapping federated attributes into OpenStack group-based role assignments (see documentation).
Last year in retrospection
› Keystone client 0.11.1 has all the plugins required for federated authentication
Getting unscoped tokens from Shibboleth based Identity Providers
Getting unscoped tokens from Microsoft ADFS2.0
Listing available projects and domains for federated user
Scoping unscoped federated tokens
› OpenStack client can now utilize federated authentication as well as its configuration (identity providers, mappings, protocols).
› CADF (Cloud Audit Data Format) now takes federation-related events into account
How to federate your cloud
› Join or create your federation
› Exchange SPs and IdPs metadata
› Configure Apache webserver and Shibboleth Service Provider
› Prepare local projects, domains, groups
› Via the Identity API version 3 the cloud administrator must configure:
  Trusted Identity Providers
  Mappings
  Protocols
Federation in Openstack – a big picture
Credits Luca Tartarini
Transforming assertion into local credentials
SAML assertion (attributes released by the Identity Provider):
  LOGIN: madenis
  LANGUAGE: EN
  DEPARTMENT: IT/OIS
  FULLNAME: Marek Denis
Keystone credentials (after mapping):
  {name: madenis, groups: ["developers", "openlab"]}
Mapping rules:
  [
    {
      "local": [ { "user": { "name": "{0}" } } ],
      "remote": [ { "type": "ADFS_LOGIN" } ]
    },
    {
      "local": [ { "group": { "id": "devs" } } ],
      "remote": [ { "type": "DEPARTMENT", "any_one_of": ["IT/OIS"] } ]
    }
  ]
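How the mapping rules on this slide turn an assertion into local credentials, as an added example that is not from the slides or from Keystone itself: a simplified Python re-implementation of the rule semantics (plain "type" entries feed the {0} placeholders, "any_one_of" entries only filter). The constructed assertion names the login attribute ADFS_LOGIN so the first rule can match it; the group id "devs" is taken from the slide.

```python
# Constructed SAML assertion attributes (as on the slide, with the
# login attribute named ADFS_LOGIN so the first rule can match it).
ASSERTION = {"ADFS_LOGIN": "madenis", "LANGUAGE": "EN",
             "DEPARTMENT": "IT/OIS", "FULLNAME": "Marek Denis"}

# The slide's mapping rules, straight quotes restored.
MAPPING_RULES = [
    {"local": [{"user": {"name": "{0}"}}],
     "remote": [{"type": "ADFS_LOGIN"}]},
    {"local": [{"group": {"id": "devs"}}],
     "remote": [{"type": "DEPARTMENT", "any_one_of": ["IT/OIS"]}]},
]


def match_remote(remote_rules, assertion):
    """Return the list of directly mapped values, or None if any remote
    requirement is not met. 'any_one_of' entries only filter; plain
    'type' entries feed the {0}, {1}, ... placeholders in order."""
    direct = []
    for req in remote_rules:
        value = assertion.get(req["type"])
        if value is None:
            return None  # attribute absent: rule does not apply
        if "any_one_of" in req:
            if value not in req["any_one_of"]:
                return None  # filter not satisfied
        else:
            direct.append(value)
    return direct


def apply_mapping(rules, assertion):
    """Fold every matching rule into local Keystone credentials."""
    user, group_ids = None, []
    for rule in rules:
        direct = match_remote(rule["remote"], assertion)
        if direct is None:
            continue
        for local in rule["local"]:
            if "user" in local:
                user = {"name": local["user"]["name"].format(*direct)}
            if "group" in local:
                group_ids.append(local["group"]["id"])
    if user is None:
        # No rule produced a local user: reject the assertion.
        raise PermissionError("no mapping rule produced a local user")
    return {"user": user, "group_ids": group_ids}
```

An assertion from another department still maps to the user but to no group, so the resulting token carries no role assignments; an assertion without the login attribute is rejected outright.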
It’s video time
› Before we take off
Local user: tim
Local groups: managers, developers, contractors
Local projects: manager, developer, contractor
Tim is a member of all the groups (hence he can access any of the 3 projects)
No local user madenis
It’s video time
› Identity Provider: cern
› Mapping: cern
› Protocol: saml2
› Federated user will have my CERN login: madenis
› He will have access to developer project only
Cloud federation – are we there yet?
› The answer is: almost
› We CAN share identities between clouds
› We need to build virtual inter-cloud networks
› We need to share images between clouds
› We need inter-cloud metering
What next?
› Last release we were working on another functionality (codename Keystone2Keystone)
› Enhance clients with smarter token handling and token reuse
› Test scalable solutions
› Work on everything that is not possible yet (and was listed on the previous slide)