Moonshot-enabled Federated Access to Cloud Infrastructure
DESCRIPTION
Managing cloud infrastructure across many organisations can be complex. One area of complexity is the management of identities: those of the people who build and provision cloud infrastructure, as well as those of the end consumers of the services running on it. Eduserv is building a cloud for the UK education community. This session shows how we are tackling the problem of identity provision to cloud infrastructure using federated login. Our approach uses conventional SAML login to a web-based console to manage infrastructure, and Moonshot-enabled login to the infrastructure itself. This gives end-to-end management of cloud infrastructure, from provisioning right through to access to services, using solely federated credentials. The result is the ability to rapidly scale infrastructure while knowing that the right people can seamlessly gain access to it. The session discusses our experiences of building and managing clouds using VMware vCloud, how we are using Moonshot now, and its potential for the future.
TRANSCRIPT
Moonshot-enabled Federated Access to Cloud Infrastructure
TERENA Networking Conference, Reykjavik, May 2012
David Orrell, Eduserv
Objectives
Enable end-to-end federated access to cloud infrastructure.
Ease the management of cloud infrastructure.
Path to federated cloud platform services.
  o Federated access by default.
Eduserv
Not-for-profit IT services company
  o Based in Bath, UK.
  o 115 staff.
  o New datacentre.
Key business areas
  o IAM software and services.
  o Web hosting and development for government.
Charitable mission to encourage the effective use of ICT in ‘public good’ organisations.
Eduserv cloud platform
Infrastructure as a Service (IaaS) for UK Education community
o Currently offered as a beta service
Infrastructure to support existing products and services
Eduserv Education Cloud: Hardware
Cisco UCS blade infrastructure
  o Dual 6-core 3.06 GHz processors with 64 GB RAM.
  o Initial deployment will scale to >1,500 cores, 8 TB of RAM.
Isilon storage
  o Clustered NAS solution with near-SAN performance.
  o Initial deployment will scale to 10 PB usable.
Connectivity
  o 2-tier Cisco switched network (core and distribution).
  o Fully resilient with no single point of failure (including dual path to JANET PoP).
  o All ports running at 10 Gbit/s.
Eduserv Education Cloud: Software
VMware vCloud Compute
  o Good fit with vSphere provision.
  o Provides burst capacity at times of high demand.
File/object storage
vCloud Director
  o vCloud REST APIs.
Eduserv Cloud Portal
  o Billing, usage etc.
vCloud Architecture
[Diagram: a Virtual Organisation contains Virtual Datacentres (vDCs), each running several vApps; the organisation's Catalog holds vApp Templates and ISO media; Networks and Users + groups are defined at the organisation level; a Public Catalog of vApp Templates and ISO media is shared across organisations.]
vApps
Package of multiple VMs (as an OVF).
How VMs connect to the network(s).
Boot sequence.
vApp networks
  o NATed, firewalled.
  o May be fenced.
[Diagram: a vApp containing four VMs attached to a vApp network.]
[Diagram: users reach the Eduserv Education Cloud Web Portal by federated SSO via the UKAMF; the portal, like 3rd party applications, drives vCloud Director through the vCloud API, which manages many Virtual Organisations.]
Moonshot
JANET-led project.
Federated access to any application.
Builds on eduroam technologies
  o RADIUS for federated authentication.
  o EAP for mutual authentication.
Integrates with standard OS security APIs
  o GSS-API (RFC 2078 – other OS).
  o SASL (RFC 4422 – Windows + other OS).
  o SSPI (Windows).
SSH using Moonshot
[Diagram: SSH client, SSH server and RADIUS server, with the numbered steps of a login:]
  (1) Credentialing (on the SSH client).
  (2) SSH negotiation (client and server).
  (3) Authentication (client and server).
  (4) RADIUS (SSH server and RADIUS server).
  (5) Attributes (RADIUS server to SSH server).
  (6) SSH session.
OpenSSH used as example of application; many others also apply.
Moonshot on Education Cloud
Deploy Moonshot-ready appliances.
Linux server as an example
  o CentOS 6.2.
  o Moonshot-enabled SSHD.
Moonshot on Education Cloud
Automatic allocation of ‘local’ Linux users.
NSS module
  o Automatic user/group allocation.
PAM module
  o Auditing.
moonbind daemon.
[Diagram: inside a vApp, a VM runs SSHD with the PAM module, the NSS module and moonbind; SSHD talks to the RADIUS server; moonbind obtains user/group allocation from the Education Cloud Portal, which receives the user + group(s) via SAML; all within a Virtual Organisation.]
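The slide above leaves the allocation rule implicit: when a federated identity first logs in, something on the VM has to decide which local login, uid and groups it gets, and the same decision has to come out the same on every VM in the vApp. The script below is an added example and not Eduserv's NSS module or moonbind; it shows the shape of that rule in POSIX sh. ROOT stands in for "/" so it only writes to a scratch directory, and the trusted realm (example.ac.uk), the group attribute values and the uid/gid range are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not Eduserv's NSS module or moonbind: the allocation rule a
# Moonshot-enabled appliance needs the first time a federated identity logs in.
# ROOT stands in for "/" so the script only writes to a scratch directory; the
# realm, the group attribute values and the id range are assumptions.
set -u

ROOT=${ROOT-$(mktemp -d)}                       # set ROOT= (empty) on the appliance itself
ALLOWED_REALM=${ALLOWED_REALM:-example.ac.uk}   # the realm this Virtual Organisation trusts
ID_MIN=20000                                    # uid/gid range reserved for federated accounts
ID_MAX=59999
PASSWD_FILE="$ROOT/etc/passwd"
GROUP_FILE="$ROOT/etc/group"

mkdir -p "$ROOT/etc"
# Constructed seed: the accounts a fresh appliance already has.
[ -s "$PASSWD_FILE" ] || printf 'root:x:0:0:root:/root:/bin/bash\n' > "$PASSWD_FILE"
[ -s "$GROUP_FILE" ]  || printf 'root:x:0:\nwheel:x:10:\n' > "$GROUP_FILE"

# Deterministic id for a name: CRC-32 (POSIX cksum) folded into [ID_MIN, ID_MAX], so
# every VM in a vApp derives the same uid/gid for the same name without shared state.
hash_id() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( ID_MIN + crc % (ID_MAX - ID_MIN + 1) ))
}

# free_id START FIELD FILE: first id at or after START not already used in that field.
free_id() {
    id=$1
    while awk -F: -v id="$id" -v f="$2" '$f == id { found = 1 } END { exit !found }' "$3"; do
        id=$((id + 1)); [ "$id" -le "$ID_MAX" ] || id=$ID_MIN
    done
    echo "$id"
}

# Map user@realm to a Unix login. RADIUS vouched for the identity; this is the
# authorisation step: only the trusted realm, and only a local part that is a
# safe login name (no "..", "/", uppercase or shell metacharacters).
local_login() {
    case $1 in *@*) ;; *) return 1 ;; esac
    [ "${1#*@}" = "$ALLOWED_REALM" ] || return 1
    login=${1%%@*}
    printf '%s' "$login" | grep -Eq '^[a-z][a-z0-9_-]{0,30}$' || return 1
    echo "$login"
}

ensure_group() {   # NAME -> gid, creating the group if needed
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$GROUP_FILE")
    if [ -z "$gid" ]; then
        gid=$(free_id "$(hash_id "$1")" 3 "$GROUP_FILE")
        printf '%s:x:%s:\n' "$1" "$gid" >> "$GROUP_FILE"
    fi
    echo "$gid"
}

add_member() {     # GROUP LOGIN: append the login to the member list once
    awk -F: -v g="$1" -v u="$2" 'BEGIN { OFS = ":" }
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) { print; next }
                  $4 = ($4 == "" ? u : $4 "," u) }
        { print }' "$GROUP_FILE" > "$GROUP_FILE.tmp" && mv "$GROUP_FILE.tmp" "$GROUP_FILE"
}

# allocate_user IDENTITY [GROUP...] -> "login:uid", or exit 1 if the identity is refused.
# Idempotent, and it never adopts a pre-existing user or group (root, wheel, service
# accounts) that was not created for this identity: the GECOS field records the owner.
allocate_user() {
    ident=$1; shift
    login=$(local_login "$ident") || return 1
    tag="federated $ident"
    uid=$(awk -F: -v l="$login" -v t="$tag" '$1 == l && $5 == t { print $3 }' "$PASSWD_FILE")
    if [ -z "$uid" ]; then
        if awk -F: -v l="$login" '$1 == l { found = 1 } END { exit !found }' "$PASSWD_FILE" "$GROUP_FILE"; then
            return 1   # a system user or group already owns this name
        fi
        uid=$(free_id "$(hash_id "$ident")" 3 "$PASSWD_FILE")
        gid=$(ensure_group "$login")
        printf '%s:x:%s:%s:%s:/home/%s:/bin/bash\n' "$login" "$uid" "$gid" "$tag" "$login" >> "$PASSWD_FILE"
    fi
    for g in "$@"; do
        case $g in ''|*[!a-z0-9_-]*) continue ;; esac   # group attributes are remote input too
        ensure_group "$g" > /dev/null
        add_member "$g" "$login"
    done
    echo "$login:$uid"
}
```

Two properties matter here. The ids are derived from the name rather than handed out from a counter, so independently customised VMs agree on ownership of files on shared storage without a central allocator. And the identity is treated as untrusted input even though RADIUS authenticated it: the realm is checked, the local part is constrained to a login-safe alphabet, and a name that collides with an existing system user or group is refused rather than silently mapped onto it.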
Guest customisation
vApp Instantiation
[Diagram: a vApp Template (with ISO media) from the Catalog is instantiated as a vApp of VMs.]
Guest customisation steps
  o Network configuration.
  o Custom script(s).
  o Configure moonbind.
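The two slides on Moonshot-ready appliances (CentOS 6.2 with a Moonshot-enabled SSHD) and on guest customisation (custom scripts that configure moonbind) describe a procedure without showing it. The script below is an added example, not Eduserv's customisation script: a guest-customisation hook that makes a fresh VM accept federated SSH logins and nothing else. It assumes the vCloud Director convention that a Linux customisation script is invoked with "precustomization" and later "postcustomization" as its argument, uses a scratch ROOT instead of "/", takes example.ac.uk as the realm, and invents the moonbind.conf format (the talk does not show the real one). The /etc/gss/mech lines are the GSS-EAP mechanism registrations documented for the Moonshot library; check them against the installed package.

```shell
#!/bin/sh
# Added example, not Eduserv's customisation scripts: a guest-customisation hook
# that turns a fresh CentOS 6 VM into a Moonshot-ready SSH appliance. vCloud
# Director runs a Linux customisation script with "precustomization" and then
# "postcustomization" as $1. ROOT stands in for "/" so this runs in a scratch
# directory; the realm and the moonbind.conf format are assumptions.
set -u

ROOT=${ROOT-$(mktemp -d)}      # set ROOT= (empty) on the appliance itself
REALM=${REALM:-example.ac.uk}

# Constructed stand-in for a CentOS 6 default sshd_config (only the relevant lines).
seed_sshd_config() {   # FILE
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
Protocol 2
SyslogFacility AUTHPRIV
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# sshd honours the first live directive, so replace that one in place, drop any
# duplicates, and otherwise add the line before the first Match block (or at the end).
set_sshd_option() {   # FILE KEY VALUE
    awk -v k="$2" -v v="$3" '
        tolower($1) == tolower(k) { if (!done) { print k " " v; done = 1 }; next }
        tolower($1) == "match" && !done { print k " " v; done = 1 }
        { print }
        END { if (!done) print k " " v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

sshd_option() {       # FILE KEY -> value of the first live directive, as sshd reads it
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# The appliance is federated-only when GSS-API is on and every password path is off.
check_federated_only() {   # FILE
    [ "$(sshd_option "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(sshd_option "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_option "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(sshd_option "$1" PermitRootLogin)" = no ]
}

# Register the GSS-EAP mechanism with the GSS-API library: the lines the Moonshot
# documentation gives for /etc/gss/mech (verify against your installed package).
register_gss_eap() {  # FILE
    mkdir -p "$(dirname "$1")"
    touch "$1"
    grep -q 'mech_eap.so' "$1" || printf '%s\n' \
        'eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so' \
        'eap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so' >> "$1"
}

configure_moonshot_ssh() {   # ROOT REALM
    cfg="$1/etc/ssh/sshd_config"
    [ -f "$cfg" ] || seed_sshd_config "$cfg"
    set_sshd_option "$cfg" GSSAPIAuthentication yes
    set_sshd_option "$cfg" GSSAPICleanupCredentials yes
    set_sshd_option "$cfg" UsePAM yes                  # the PAM module does the auditing
    set_sshd_option "$cfg" PasswordAuthentication no   # no local secrets on the appliance
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" PermitRootLogin no
    register_gss_eap "$1/etc/gss/mech"
    # Hypothetical moonbind.conf: tells the daemon which realm's users to allocate.
    printf 'realm %s\n' "$2" > "$1/etc/moonbind.conf"
}

customize() {   # $1: precustomization | postcustomization
    case $1 in
        postcustomization) configure_moonshot_ssh "$ROOT" "$REALM" ;;
        *) : ;;   # before customisation the network is not up yet; nothing to do
    esac
}

if [ $# -gt 0 ]; then customize "$1"; fi
```

The script is idempotent, so re-running customisation on a re-deployed vApp does not accumulate duplicate directives, and check_federated_only is the piece worth keeping in a build pipeline: it reads the configuration the way sshd does (first live directive wins) and fails if any password path is left open, which is the condition under which "solely federated credentials" actually holds. On a real appliance, follow it with a service sshd reload.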
Future work
Proper authorisation.
Integration with vApp OVF descriptor.
Integration with file/object storage
  o Via WebDAV.
Windows/Exchange.
PaaS
  o Cloud Foundry.
www.eduserv.org.uk
Thanks to…
Eduserv colleagues: Andy Powell, Richard Annett, Charlie Llewellyn, Tim Lawrence
JANET
Education Cloud blog + further information
http://support.cloud.eduserv.org.uk