Managing cloud infrastructure across many organisations can be complex. One area of complexity is in the management of identities. These include identities of people who build and provision cloud infrastructure, as well as the end consumers of the services running on it. Eduserv is building a cloud for the UK education community. This session shows how we are tackling the problems of identity provision to cloud infrastructure using federated login. Our approach uses traditional SAML login to a web-based console to manage infrastructure, as well as Moonshot-enabled login to infrastructure. This means we can achieve end-to-end management of cloud infrastructure from provisioning right through to access to services, using solely federated credentials. The result is the ability to rapidly scale infrastructure, while knowing that the right people can seamlessly gain access to it. The session discusses our experiences of building and managing clouds using VMWare vCloud, as well as how we are using Mooshot now, and its potential for the future.

1. Moonshot-enabled Federated
Access to Cloud Infrastructure
Terena Networking Conference, Reykjavik.
May 2012
David Orrell, Eduserv

2. Objectives
Enable end-to-end federated access to cloud
infrastructure.
Ease the management of cloud infrastructure.
Path to federated cloud platform services.
o Federated access by default.

3. Eduserv
Not for profit IT services company
o Based in Bath, UK.
o 115 staff.
o New datacentre.
Key business areas
o IAM software and services.
o Web hosting and development for government.
Charitable mission to encourage the effective use of ICT in
‘public good’ organisations.

4. Eduserv cloud platform
Infrastructure as a Service (IaaS) for UK Education
community
o Currently offered as a beta service
Infrastructure to support existing products and
services

5. Eduserv Education Cloud: Hardware
Cisco UCS blade infrastructure
o Dual 6-core 3.06GHz processors with 64GB RAM.
o Initial deployment will scale to >1,500 cores, 8 TB of RAM.
Isilon storage
o Clustered NAS solution with near-SAN performance.
o Initial deployment will scale to 10 PB usable.
Connectivity
o 2-tier Cisco switched network (core and distribution).
o Fully resilient with no single point of failure
(including dual path to JANET PoP).
o All ports running at 10 Gbit/s.

6. Eduserv Education Cloud: Software
VMWare vCloud Compute
o Good fit with vSphere provision.
o Provides burst capacity at times of high demand.
File/object storage
vCloud Director
o vCloud REST APIs.
Eduserv Cloud Portal
o Billing, usage etc.

7. vCloud Architecture
Virtual Organisation
Virtual Datacentre Virtual Datacentre Catalog Public Catalog
(vDC) (vDC)
vApp Template vApp Template
vApp vApp vApp vApp vApp vApp
vApp Template vApp Template
ISO media ISO media
Network
Users +
Network groups

8. vApps
Package of multiple VMs (as an OVF).
How VMs connect to the network(s).
Boot sequence.
vApp networks vApp
o NATed, firewalled. VM VM VM VM
o May be fenced.
Network

9. Federated SSO via UKAMF
3rd party
applications
Eduserv Education
vCloud Director
Cloud Web Portal
vCloud API
Virtual Organisation Virtual Organisation Virtual Organisation
…

10. Moonshot
JANET-led project.
Federated access to any application.
Builds on eduroam technologies
o RADIUS for federated authentication.
o EAP for mutual authentication.
Integrates with standard OS security APIs
o GSS-API (RFC 2078 – Other OS).
o SASL (RFC 4422 – Windows + Other OS).
o SSPI (Windows).

11. SSH using Moonshot
(1) Credentialing
(6) SSH session (3) Authentication
(5) Attributes
(2) SSH negotiation (4) RADIUS
SSH client SSH server RADIUS
server
OpenSSH used as example of application; many others also apply
11

12. Moonshot on Education Cloud
Deploy Moonshot-ready appliances.
Linux server as an example
o CentOS 6.2.
o Moonshot-enabled SSHD.

13. Moonshot on Education Cloud
Automatic allocation of ‘local’ Linux users.
NSS module
o Automatic user/group allocation.
PAM module
o Auditing.
moonbind daemon.

14. Education Cloud Portal
SAML
vApp User/group
allocation
VM moonbind
PAM NSS
module module
RADIUS
SSHD
server
user +
group(s)

15. vApp Instantiation
Education Cloud Portal
Catalog Network configuration
Custom script(s)
vApp Template
Configure moonbind
vApp Template
ISO media
Guest
customisation Virtual Organisation
vApp
VM VM VM VM

30. Future work
Proper authorisation.
Integration with vApp OVF descriptor.
Integration with file/object storage
o Via WebDAV.
Windows/Exchange
PaaS
o Cloud Foundry.

31. Thanks to…
Eduserv colleagues
Andy Powell, Richard
Annett, Charlie Llewellyn, Tim
Lawrence
JANET
Education Cloud blog + further
information
http://support.cloud.eduserv.org.uk
www.eduserv.org.uk
@eduserv
david.orrell@eduserv.org.uk