Cloud federation Are we there yet?

Marek Denis

CERN openlab Major Review

Geneva, Switzerland

› October 15-16 2014

2

Rackspace and CERN openlab

› Rackspace joined CERN openlab last year

› The project officially kicked off on October 1st 2013.

› We are contributing directly to the OpenStack

› …and received good feedback about the importance of the topic we are working on

15/10/2014 Marek Denis – CERN openlab

3

Cloud federation

“A federated cloud (also called cloud federation) is the deployment and management of multiple external and internal cloud computing  services to match business needs.  A federation is the union of several smaller parts that perform a common action.”

http://whatis.techtarget.com/definition/federated-cloud-cloud-federation

15/10/2014 Marek Denis– CERN openlab

4

Bringing old concepts into cutting edge technology

› First steps towards hybrid clouds

(Holy Grail of cloud computing)

› Federation allows for splitting authentication

and authorization

Security

Ease of configuration

Centralized Identity management

15/10/2014 Marek Denis– CERN openlab

5

How does CERN use it?

› CERN to join EduGAIN federation at the beginning

of the 2015 (allowing CERN to share cloud resources with others)

› Presumably the first production setup in the world

› In the future CERN may easily burst into various

public and private clouds

15/10/2014 Marek Denis – CERN openlab

First Name and Family Name – CERN openlab 6

Last year in retrospection

15/10/2014

› We started with vague design charts(we only knew SAML2 could be used as an identity transport layer)

› In April OpenStack Icehouse was released.

Key New Features•New v3 API features

•/v3/OS-FEDERATION/ allows Keystone to consume federated authentication via Shibboleth for multiple Identity Providers, and mapping federated attributes into OpenStack group-based role assignments (see documentation).

7

Last year in retrospection

› Keystone client 0.11.1 has all the plugins required for federated

authentication

Getting unscoped tokens from Shibboleth based Identity Providers

Getting unscoped tokens from Microsoft ADFS2.0

Listing available projects and domains for federated user

Scoping unscoped federated tokens

› Openstack client can now utilize federated authentication as well its

configuration (identity providers, mappings, protocols).

› CADF (Cloud Audit Data Format) now take federation-related events into

account15/10/2014 Marek Denis – CERN openlab

8

How to federate your cloud

› Join of create your federation

› Exchange SPs and IdPs metadata

› Configure Apache webserver and

Shibboleth Service Provider

› Prepare local projects, domains, groups› Via the Identity API version 3 cloud

administrator must configure: Trusted Identity Providers Mappings Protocols

15/10/2014 Marek Denis – CERN openlab

9

Federation in Openstack – a big picture

15/10/2014 Marek Denis – CERN openlab

Credits Luca Tartarini

10

Transforming assertion into local credentials

15/10/2014 Marek Denis – CERN openlab

LOGIN: madenisLANGUAGE: ENDEPARTMENT: IT/OISFULLNAME: Marek Denis

       

Saml Assertion

 

Keystonecredentials

{name: madenisgroups: [ “developers”, “openlab”]}

[ { "local": [ { "user": { "name": "{0}" } } ], "remote": [ { "type": "ADFS_LOGIN" } ] }, { "local": [ { "group": { "id": „devs" } } ], "remote": [ { "type":"DEPARTMENT", "any_one_of": ["IT/OIS"] } ] } ]

11

It’s video time

› Before we take off

Local user tim Local groups: managers, developers,

contractors Local projects: manager, developer, contractor Tim is a member of all the groups (hence he can

access any of the 3 projects) No local user madenis

15/10/2014 Marek Denis – CERN openlab

12

It’s video time

› Identity Provider: cern› Mapping: cern› Protocol: saml2

› Federated user will have my CERN login: madenis

› He will have access to developer project only

15/10/2014 Marek Denis – CERN openlab

13

› The answer is: almost

› We CAN share identities between clouds

› We need to build virtual inter-cloud networks

› We need share images between clouds

› We need inter-cloud metering

Cloud federation – are we there yet?

15/10/2014 Marek Denis – CERN openlab

14

What next?

› Last release we were working on another functionality

(codename Keystone2Keyston)

› Enhance clients with smarter token handling and token reuse

› Test scalable solutions

› Work on everything that is not possible yet (and was listed on

the previous slide)

15/10/2014 Marek Denis – CERN openlab

15

Thank you

Marek Denis

marek.denis@cern.ch

15/10/2014 Marek Denis – CERN openlab