SlideShare una empresa de Scribd logo

Cloudproject

Descargar como PPTX, PDF
A
anushv24
Tecnología
1 de 8
By- Anush V Meghana Prashanth Pramod Ramesh Ashwin Sethi
Introduction  Openstack is an open source cloud service implementation  Keystone is the security module of Openstack  Current authorization system implemented in keystone is single-tenant  Multi-tenancy support is defined as the capability of a single software instance to provide its service to several parties simultaneously  Our objective is to convert this single tenant system into a multi-tenant one
 Current implementations of authorization is based on a 3 tuple implementation namely (Subject, Privilege, Object)  This needs to be changed to incorporate multi-tenancy  The basic multi-tenant system would have a structure in the form of a 5 tuple namely (Issuer, Subject, Privilege, Interface, Object)  This implementation though useful is not enough  We try to use a RBAC incorporated implementation  This new model which has RBAC changes the 5 tuple to (Issuer, role(Issuer, RoleName), Privilege, Interface, Object)
(IssuerA, role(IssuerB, users), Read, ServiceA.1, root) is interpreted as IssuerA grants anybody with role(IssuerB, users) Read access to the root folder of the file system provided by ServiceA.1.
Keystone Layout  Keystone directories were found in the following locations  /opt/stack  This contained all the necessary python modules to keep keystone running including the policy engine  /var/lib  This contained the keystone.db file used to initialise the backend  /usr/share  This contained shell files to automatically crate new users in opentack  /etc  This contained the keystone.conf file and the default catalog templates file
Policy Trace  Once an access is made to any protected resource the authorization entry point is in rules.py  enforce()  common.policy.enforce()  Brain.check()  _check()  _check_rule() or _check_role() or _check_service() or _check_generic() depending on the match in the rules dictionary.  These functions recursively call Brain.check() to help matches nesting of rules appropriately.
Our Implementation  To implement the 5 tuple we add the following to the current implementation  The Service as a part of both the cred_dict and rules_dict  The role is now a 2 tuple mapping between issuer and name of the role, again this is added to both cred_dict and rules_dict  New function called _check_service is implemented  Access is allowed only if all the elements in the match_list match that of the cred_dict
Thank You

Recomendados

Security
SecuritySecurity
Security
naniix21_3
 
Elastic search
Elastic searchElastic search
Elastic search
Vinaykumar Hebballi
 
Servlet 03
Servlet 03Servlet 03
Servlet 03
Bharat777
 
Servlet session 9
Servlet session 9Servlet session 9
Servlet session 9
Anuj Singh Rajput
 
Servlet session 6
Servlet session 6Servlet session 6
Servlet session 6
Anuj Singh Rajput
 
System settings api
System settings apiSystem settings api
System settings api
htyson
 
Dagger1
Dagger1Dagger1
Dagger1
Ramesh Akula
 
Multiprocessing.pptx
Multiprocessing.pptxMultiprocessing.pptx
Multiprocessing.pptx
MaheshGour5
 

Recomendados

Security
SecuritySecurity
Security
naniix21_3
 
Elastic search
Elastic searchElastic search
Elastic search
Vinaykumar Hebballi
 
Servlet 03
Servlet 03Servlet 03
Servlet 03
Bharat777
 
Servlet session 9
Servlet session 9Servlet session 9
Servlet session 9
Anuj Singh Rajput
 
Servlet session 6
Servlet session 6Servlet session 6
Servlet session 6
Anuj Singh Rajput
 
System settings api
System settings apiSystem settings api
System settings api
htyson
 
Dagger1
Dagger1Dagger1
Dagger1
Ramesh Akula
 
Multiprocessing.pptx
Multiprocessing.pptxMultiprocessing.pptx
Multiprocessing.pptx
MaheshGour5
 
Qtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skillQtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skill
siva1991
 
Enabling Security For ActiveMQ JMX Access
Enabling Security For ActiveMQ JMX AccessEnabling Security For ActiveMQ JMX Access
Enabling Security For ActiveMQ JMX Access
Ramakrishna Narkedamilli
 
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Lucidworks
 
Database connectivity in asp.net
Database connectivity in asp.netDatabase connectivity in asp.net
Database connectivity in asp.net
baabtra.com - No. 1 supplier of quality freshers
 
ASP.NET- database connectivity
ASP.NET- database connectivityASP.NET- database connectivity
ASP.NET- database connectivity
baabtra.com - No. 1 supplier of quality freshers
 
ASP.NET Session 11 12
ASP.NET Session 11 12ASP.NET Session 11 12
ASP.NET Session 11 12
Sisir Ghosh
 
T-SQL & Triggers
T-SQL & TriggersT-SQL & Triggers
T-SQL & Triggers
Ayesha Maqsood
 
iOS training (advanced)
iOS training (advanced)iOS training (advanced)
iOS training (advanced)
Gurpreet Singh Sachdeva
 
OpenStack London Meetup, 18 Nov 2015
OpenStack London Meetup, 18 Nov 2015OpenStack London Meetup, 18 Nov 2015
OpenStack London Meetup, 18 Nov 2015
Jesse Pretorius
 
Etiqueta de jabon "JC"
Etiqueta de jabon "JC"Etiqueta de jabon "JC"
Etiqueta de jabon "JC"
Hanzo Hasashi
 
A Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process ExecutionsA Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process Executions
Srinath Perera
 
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EEJavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
Rodrigo Cândido da Silva
 
Multi-tenancy in the cloud
Multi-tenancy in the cloudMulti-tenancy in the cloud
Multi-tenancy in the cloud
Inphina Technologies
 
Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot
Stormpath
 
Multi Tenancy In The Cloud
Multi Tenancy In The CloudMulti Tenancy In The Cloud
Multi Tenancy In The Cloud
rohit_ainapure
 
Pas3 Tenancy Design Patterns (Predix Transform 2016)
Pas3 Tenancy Design Patterns (Predix Transform 2016)Pas3 Tenancy Design Patterns (Predix Transform 2016)
Pas3 Tenancy Design Patterns (Predix Transform 2016)
ferminordaz
 
Multi-Tenant Approach
Multi-Tenant ApproachMulti-Tenant Approach
Multi-Tenant Approach
Perfectial, LLC
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
As34269277
As34269277As34269277
As34269277
IJERA Editor
 
CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docxCSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
faithxdunce63732
 
OmniBase Object Database
OmniBase Object DatabaseOmniBase Object Database
OmniBase Object Database
ESUG
 

Más contenido relacionado

La actualidad más candente

Qtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skillQtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skill
siva1991
 
ASP.NET Session 11 12
ASP.NET Session 11 12ASP.NET Session 11 12
ASP.NET Session 11 12
Sisir Ghosh
 

La actualidad más candente (8)

Qtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skillQtp connect to an oracle database database - database skill
Qtp connect to an oracle database database - database skill
 
Enabling Security For ActiveMQ JMX Access
Enabling Security For ActiveMQ JMX AccessEnabling Security For ActiveMQ JMX Access
Enabling Security For ActiveMQ JMX Access
 
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
Optimize Is (Not) Bad For You - Rafał Kuć, Sematext Group, Inc.
 
Database connectivity in asp.net
Database connectivity in asp.netDatabase connectivity in asp.net
Database connectivity in asp.net
 
ASP.NET- database connectivity
ASP.NET- database connectivityASP.NET- database connectivity
ASP.NET- database connectivity
 
ASP.NET Session 11 12
ASP.NET Session 11 12ASP.NET Session 11 12
ASP.NET Session 11 12
 
T-SQL & Triggers
T-SQL & TriggersT-SQL & Triggers
T-SQL & Triggers
 
iOS training (advanced)
iOS training (advanced)iOS training (advanced)
iOS training (advanced)
 

Destacado

A Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process ExecutionsA Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process Executions
Srinath Perera
 
Multi-tenancy in the cloud
Multi-tenancy in the cloudMulti-tenancy in the cloud
Multi-tenancy in the cloud
Inphina Technologies
 
Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot
Stormpath
 

Destacado (9)

OpenStack London Meetup, 18 Nov 2015
OpenStack London Meetup, 18 Nov 2015OpenStack London Meetup, 18 Nov 2015
OpenStack London Meetup, 18 Nov 2015
 
Etiqueta de jabon "JC"
Etiqueta de jabon "JC"Etiqueta de jabon "JC"
Etiqueta de jabon "JC"
 
A Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process ExecutionsA Multi-tenant Architecture for Business Process Executions
A Multi-tenant Architecture for Business Process Executions
 
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EEJavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
JavaOne 2014 - Supporting Multi-tenancy Applications with Java EE
 
Multi-tenancy in the cloud
Multi-tenancy in the cloudMulti-tenancy in the cloud
Multi-tenancy in the cloud
 
Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot
 
Multi Tenancy In The Cloud
Multi Tenancy In The CloudMulti Tenancy In The Cloud
Multi Tenancy In The Cloud
 
Pas3 Tenancy Design Patterns (Predix Transform 2016)
Pas3 Tenancy Design Patterns (Predix Transform 2016)Pas3 Tenancy Design Patterns (Predix Transform 2016)
Pas3 Tenancy Design Patterns (Predix Transform 2016)
 
Multi-Tenant Approach
Multi-Tenant ApproachMulti-Tenant Approach
Multi-Tenant Approach
 

Similar a Cloudproject

CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docxCSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
faithxdunce63732
 
Introduction to Java Enterprise Edition
Introduction to Java Enterprise EditionIntroduction to Java Enterprise Edition
Introduction to Java Enterprise Edition
Abdalla Mahmoud
 
Asp net whitepaper
Asp net whitepaperAsp net whitepaper
Asp net whitepaper
Zayar Shwe
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
openstackindia
 
Aptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceAptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity service
OpenStack
 
A GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKSA GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKS
Weaveworks
 
Nt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language AnalysisNt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language Analysis
Nicole Gomez
 
A General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
A General Purpose Extensible Scanning Query Architecture for Ad Hoc AnalyticsA General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
A General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
Flurry, Inc.
 

Similar a Cloudproject (20)

OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
 
As34269277
As34269277As34269277
As34269277
 
CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docxCSE681 – Software Modeling and Analysis Fall 2013 Project .docx
CSE681 – Software Modeling and Analysis Fall 2013 Project .docx
 
OmniBase Object Database
OmniBase Object DatabaseOmniBase Object Database
OmniBase Object Database
 
Introduction to Java Enterprise Edition
Introduction to Java Enterprise EditionIntroduction to Java Enterprise Edition
Introduction to Java Enterprise Edition
 
Asp net whitepaper
Asp net whitepaperAsp net whitepaper
Asp net whitepaper
 
SCWCD : The servlet container : CHAP : 4
SCWCD : The servlet container : CHAP : 4SCWCD : The servlet container : CHAP : 4
SCWCD : The servlet container : CHAP : 4
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
Aptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceAptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity service
 
Osonto documentatie
Osonto documentatieOsonto documentatie
Osonto documentatie
 
Winning the Lottery with Spring: A Microservices Case Study for the Dutch Lot...
Winning the Lottery with Spring: A Microservices Case Study for the Dutch Lot...Winning the Lottery with Spring: A Microservices Case Study for the Dutch Lot...
Winning the Lottery with Spring: A Microservices Case Study for the Dutch Lot...
 
Drupal 8 meets to symphony
Drupal 8 meets to symphonyDrupal 8 meets to symphony
Drupal 8 meets to symphony
 
I0935053
I0935053I0935053
I0935053
 
A GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKSA GitOps model for High Availability and Disaster Recovery on EKS
A GitOps model for High Availability and Disaster Recovery on EKS
 
Apache Eagle in Action
Apache Eagle in ActionApache Eagle in Action
Apache Eagle in Action
 
Architectural patterns part 4
Architectural patterns part 4Architectural patterns part 4
Architectural patterns part 4
 
Research Paper
Research PaperResearch Paper
Research Paper
 
Nt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language AnalysisNt1310 Unit 3 Language Analysis
Nt1310 Unit 3 Language Analysis
 
A General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
A General Purpose Extensible Scanning Query Architecture for Ad Hoc AnalyticsA General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
A General Purpose Extensible Scanning Query Architecture for Ad Hoc Analytics
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Cloudproject

  • 1. By- Anush V Meghana Prashanth Pramod Ramesh Ashwin Sethi
  • 2. Introduction  Openstack is an open source cloud service implementation  Keystone is the security module of Openstack  Current authorization system implemented in keystone is single-tenant  Multi-tenancy support is defined as the capability of a single software instance to provide its service to several parties simultaneously  Our objective is to convert this single tenant system into a multi-tenant one
  • 3. Current implementations of authorization is based on a 3 tuple implementation namely (Subject, Privilege, Object)  This needs to be changed to incorporate multi-tenancy  The basic multi-tenant system would have a structure in the form of a 5 tuple namely (Issuer, Subject, Privilege, Interface, Object)  This implementation though useful is not enough  We try to use a RBAC incorporated implementation  This new model which has RBAC changes the 5 tuple to (Issuer, role(Issuer, RoleName), Privilege, Interface, Object)
  • 4. (IssuerA, role(IssuerB, users), Read, ServiceA.1, root) is interpreted as IssuerA grants anybody with role(IssuerB, users) Read access to the root folder of the file system provided by ServiceA.1.
  • 5. Keystone Layout  Keystone directories were found in the following locations  /opt/stack  This contained all the necessary python modules to keep keystone running including the policy engine  /var/lib  This contained the keystone.db file used to initialise the backend  /usr/share  This contained shell files to automatically crate new users in opentack  /etc  This contained the keystone.conf file and the default catalog templates file
  • 6. Policy Trace  Once an access is made to any protected resource the authorization entry point is in rules.py  enforce()  common.policy.enforce()  Brain.check()  _check()  _check_rule() or _check_role() or _check_service() or _check_generic() depending on the match in the rules dictionary.  These functions recursively call Brain.check() to help matches nesting of rules appropriately.
  • 7. Our Implementation  To implement the 5 tuple we add the following to the current implementation  The Service as a part of both the cred_dict and rules_dict  The role is now a 2 tuple mapping between issuer and name of the role, again this is added to both cred_dict and rules_dict  New function called _check_service is implemented  Access is allowed only if all the elements in the match_list match that of the cred_dict