Adding FIM to Openstack
David Chadwick
University of Kent
Contents
• How OpenStack works
• Our first FIM implementation
• Our second FIM implementation
• The official OpenStack release (scheduled for April 2014) – still tentative
Authentication in OpenStack
Open Stack Summit, Portland, 18/04/2013
[Figure: trust relationship between the User, Keystone and the services (Swift/Glance etc.)]
Authorisation in OpenStack
• Keystone token contains user’s ID and roles
• Services then use either the user’s roles and RBAC to grant access to resources, or the user’s ID and DAC
• In order to add FIM to OpenStack we do not need to change any of the OpenStack services, provided Keystone still returns the same token as in the non-federated case
– Services will be ignorant of federation
Keystone Internal Architecture
[Figure: a request enters Keystone’s pipeline of middleware components (Authn, …), reaches the Router, and is dispatched to the service modules (/tokens, /users, /…, e.g. “list the users”); the response returns along the same path]
Keystone Authn Module
• Keystone’s authentication module supports multiple authn methods, each as plugins.
• Password and External are provided as core components. Users can also define their own.
• Password uses backend LDAP to authenticate user
• External is for when Keystone is run in Apache HTTP Server (using mod_wsgi) and it passes the authenticated username to Keystone using the REMOTE_USER environment variable
Kent’s Initial Implementation - Protocol Independent Pipeline Plugin
• Chosen because easiest for admins to add FIM – only need to change Keystone config file. No code changes needed
• FIM Plugin has three protocol dependent methods
– Get IdP Request – get protocol specific request message to be sent to IdP
– [ Negotiate Parameters – optional for those protocols that need it such as ABFAB ]
– Validate IdP Response – protocol specific way of validating IdP’s response
• Common output at the end
FIM Protocol Output
• Federation wide Unique ID of end user
• Set of {Set of user identity attributes and name of IdP that asserted them}
– Caters for future attribute aggregation
• Validity time of asserted identity
ABFAB – SAML EAP Profile
[Figure; picture courtesy of BeSTGRID, University of Auckland, NZ]
Federated Authentication
[Figure: modified client software (“-F”) talking to the Keystone pipeline, which contains the protocol independent federation handling]
Trust in IdPs
Keystone Admin maintains the Service Catalog:
Swift ………..
Nova ………..
IdP1 <type> <protocol specific metadata>
Uni Kent <SAML> <X.509 certificate>
Etc.
If an IdP is not in the Service Catalog it cannot be seen or used by the user
Trust in IdP’s Attributes
• A table stores list of attributes (types and optional values) that each IdP is trusted to issue
• If asserted attributes are not in this table, they are thrown away by the protocol independent code
Gory Details
• X-Authentication-Type: federated header only
• Performs Discovery. Returns list of IdPs from Service Catalog to client
• Header plus Body contains a JSON array with the chosen IdP in an “idpRequest” element
• Call protocol specific module’s ‘Get IdP Request’ method and return result to client
• Header plus Body contains a JSON array with an “idpNegotiation” element
• Call protocol specific module’s ‘Negotiate Parameters’ method and return result to client
• Header plus Body contains a JSON array with an “idpResponse” element
• Call protocol specific module’s ‘Validate IdP Response’ method
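The exchange above, together with the attribute issuing policy from “Trust in IdP’s Attributes”, as an added example that is not Kent’s plug-in or Keystone code. The optional idpNegotiation step is left out; the Service Catalog entries, the policy table and the stand-in SAML plug-in are constructed for the example.

```python
# Added example (not Kent's plug-in or Keystone code): the federated exchange
# from "Gory Details" plus the attribute issuing policy filter; catalog, policy
# and the stand-in SAML plug-in are constructed for this example.

# Enhanced Service Catalog: IdP name -> (protocol type, protocol specific metadata)
IDP_CATALOG = {"Uni Kent": ("SAML", "<X.509 certificate placeholder>")}
# Attribute issuing policy: types (and optional values) each IdP is trusted to
# issue; None means any value of that type is accepted from this IdP.
ISSUING_POLICY = {"Uni Kent": {"affiliation": {"staff", "student"}, "email": None}}

class FakeSamlPlugin:
    """Stand-in for a protocol specific plug-in (constructed, not pySAML)."""
    def get_idp_request(self, idp_metadata):
        return {"AuthnRequest": "<constructed>"}  # real plug-in builds a SAML AuthnRequest
    def validate_idp_response(self, response):
        # A real plug-in verifies the assertion signature against the catalog's X.509 cert.
        if response.get("signed_by") != response.get("idp"):
            raise ValueError("assertion not signed by the chosen IdP")
        return response["subject"], response["attributes"], response["expires"]

PLUGINS = {"SAML": FakeSamlPlugin()}

def filter_attributes(idp, asserted):
    """Protocol independent step: drop attributes the IdP is not trusted to issue."""
    policy = ISSUING_POLICY.get(idp, {})
    kept = {}
    for name, value in asserted.items():
        if name in policy and (policy[name] is None or value in policy[name]):
            kept[name] = value
    return kept

def handle_federated(body):
    """One round trip; the X-Authentication-Type: federated header is assumed."""
    if not body:                       # step 1: discovery from the Service Catalog
        return {"idps": sorted(IDP_CATALOG)}
    if "idpRequest" in body:           # step 2: chosen IdP -> protocol specific request
        idp = body["idpRequest"]
        if idp not in IDP_CATALOG:
            raise KeyError("IdP not in Service Catalog")   # cannot be seen or used
        proto, metadata = IDP_CATALOG[idp]
        return {"idpRequest": PLUGINS[proto].get_idp_request(metadata)}
    if "idpResponse" in body:          # step 3: validate, then emit the FIM protocol output
        resp = body["idpResponse"]
        if resp["idp"] not in IDP_CATALOG:
            raise KeyError("IdP not in Service Catalog")
        proto, _ = IDP_CATALOG[resp["idp"]]
        uid, attrs, expires = PLUGINS[proto].validate_idp_response(resp)
        return {"unique_id": uid, "valid_until": expires,
                "attributes": [(resp["idp"], filter_attributes(resp["idp"], attrs))]}
    raise ValueError("unrecognised federated request body")
```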
Magic 1 - Auto Provisioning
[Figure: a temporary user entry is created in the Keystone Database]
Magic 2 - Attribute Mapping
[Figure: the attribute mapper converts the IdP asserted identity (set of trusted identity attributes) into an OpenStack recognised identity (roles, projects, domains)]
Summary of Key Features
• Modular Design
• Most functionality is provided by protocol independent code we have added to Keystone’s pipeline
– Adding/Retrieving IdPs to enhanced Service Catalog
– Attribute Issuing Policy creation and enforcement - says which IdPs are trusted to issue which identity attributes to users
– Creating and removing temporary user entries in Keystone
– Attribute Mapper from IdP issued identity attributes into Keystone roles, projects and domains
– Delegating permissions to IdP administrators to set up the attribute mappings and attribute issuing policies
• One plug-in module needed that handles the Protocol Specific features of federated login
– IdP Request preparation
– IdP Protocol negotiation (optional)
– IdP Response verification
• Obviously clients have to be tailored to support federated login
Second Implementation – A new Federated Authn Method
• Took first implementation to Keystone developers for comment.
• They suggested we create a new Authn method, which they would integrate into a future release
– So we moved the pipeline code to be a new Authn method called Federated
– Produces a cleaner implementation. Does not need X-Fed header
• They said mods they were currently working on would not require us to keep creating temporary Keystone entries, as tokens could be issued for external users not in Keystone’s database
– So we removed this code
Federated Authn Module Validation
• Four working implementations:
• SAML plugin based on pySAML – now an operational service in Brazilian academic network
• Keystone plugin – for federating multiple OpenStack/ Keystone installations together
• ABFAB plugin based on Moonshot software
• OpenID Connect plugin (written by PhD student in Brazil)
Planned OpenStack April Release
• Keystone core developers decided to do a first quick fix for SAML only using Apache and mod_shib, and modifying the External authn method to pick up REMOTE_USER and the user’s attributes as environmental parameters
• Will use the attribute mapping functionality from Kent’s design/implementation to obtain the OpenStack roles and domains
• This week the core Keystone coders are meeting in Texas for a “hackathon” to get something working in time for the April release (codenamed Ice House)
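The External path just described, followed by an attribute mapping of the kind shown in “Magic 2 - Attribute Mapping”, as an added example that is neither Keystone’s nor Kent’s code. It assumes Apache/mod_shib has already authenticated the user and exposed REMOTE_USER and the attributes in the WSGI environ; the environ keys, the trusted attribute list and the mapping rules are constructed.

```python
# Added example (not Keystone's or Kent's code) of the planned External path:
# Apache/mod_shib has authenticated the user and placed REMOTE_USER plus attributes
# in the WSGI environ; Keystone keeps only the trusted attributes and maps them to
# roles, projects and domains. Environ keys, trusted list and rules are constructed.
SAMPLE_ENVIRON = {  # constructed; real attribute names come from mod_shib's attribute-map.xml
    "REMOTE_USER": "alice@kent.ac.uk",
    "affiliation": "staff;member",   # Shibboleth joins multiple values with ';'
    "organisation": "kent.ac.uk",
    "isAdmin": "true",               # not in the trusted list, so ignored below
}
# Attribute issuing policy for the one IdP behind this Apache instance (constructed)
TRUSTED_ATTRIBUTES = {"affiliation", "organisation"}
# Mapping rules (constructed): every condition must hold for the grant to apply
MAPPING_RULES = [
    ({"organisation": "kent.ac.uk"}, {"domain": "kent"}),
    ({"organisation": "kent.ac.uk", "affiliation": "staff"},
     {"project": "kent-research", "roles": ["member"]}),
    ({"affiliation": "staff"}, {"roles": ["swiftoperator"]}),
]

def external_identity(environ):
    """External authn: take REMOTE_USER, keep only attributes the IdP may issue."""
    user = environ.get("REMOTE_USER")
    if not user:
        raise PermissionError("External authn requires REMOTE_USER")
    attrs = {name: set(environ[name].split(";"))
             for name in TRUSTED_ATTRIBUTES if name in environ}
    return user, attrs

def map_attributes(attrs):
    """Attribute mapper: IdP asserted identity -> OpenStack roles, project, domain."""
    identity = {"domain": None, "project": None, "roles": set()}
    for conditions, grant in MAPPING_RULES:
        if all(value in attrs.get(name, set()) for name, value in conditions.items()):
            identity["roles"].update(grant.get("roles", []))
            for key in ("domain", "project"):
                if key in grant:
                    identity[key] = grant[key]
    return identity
```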
What’s Next?
• We no longer need the Federated Authn protocol independent module if the trust management code is moved up to the Authn level to cater for all Authn methods including External
• Thus our protocol dependent modules can become Authn methods in their own right
• We have just written a SAML ECP module for command line clients that can’t use Apache
• Next we need to work on support for VOs and Communities of Interest from ABFAB