Identity Manager
Smart Applications on Virtual
Infrastructure
Presenter: M. Faraji
Agenda
•   Introduction
•   SAVI Identity Manager
•   Keystone in SAVI
•   Goals and Contributions
•   Authorization
    • RBAC
    • ABAC
• Federation
    • Authentication
    • Authorization
SAVI Clearinghouse
• Clearinghouse is a system that brokers trust between C&M
  plane and resources. It is the only component that every
  entity in SAVI TB fully trusts.
• Components
  • AAA (Authentication, Authorization, Accounting)
  • Intrusion Detection network
  • Incident Handling
Identity Manager Tasks
•   Identity establishment: Distinguishes users
•   Authentication: verifies identity claim
•   Authorization: permits user’s request
•   Accounting: keeps track of usage
•   Federation: extends resources
•   Complementary duties
    • Service Catalog: lists available services
    • Service Discovery: keeps up with the latest changes
SAVI TB Architecture
Openstack Overview
Keystone
• Keystone is the identity Manager in Openstack
• It is written in Python
How Keystone works with others
Keystone work flow
SAVI needs Central Keystone
[Diagram: the SAVI TB C&M Framework, with a Resource Registry (GraphDB/neo4j), Monitoring & Measurement services, an Image Registry (Glance-reg) and an AAA Service Registry (Keystone), talks over REST to two sites: an Edge Node (Cloud Computing Resources and Edge Node Network) and a Core Node with Other SAVI Cloud Computing Resources. Each site runs OpenStack (nova, swift, glance), the Ryu Network Manager, cheetah (VANI Enhanced), whale (Resource Configuration) and M&M (OMF), reached over REST and SOAP.]
Keystone (January 2011)
•   Password Authentication
•   Token Validation
•   Simple rule based Access control
•   Middleware to Openstack components
Token
[Diagram: token workflow: the user sends a Request to Keystone and is Authenticated; the user then sends a Request for Service carrying the token; the service submits the token for Verification, receives Verified, and returns the Response from the service.]
Middleware
[Diagram: a Request for SWIFT passes through the Auth Token / EC2 Token middleware, which validates the token with Keystone before the request reaches the service.]
Cons
• Need network to verify
• Keystone becomes a chokepoint
• Is the UUID random?
How original Keystone meets SAVI requirements
(+ marks what the original Keystone already provided; • marks what SAVI additionally requires)
• Authentication
  + Password-based
  • Strong authentication
• Authorization
  + Simple Match (either admin or not)
  • RBAC
  • ABAC
• Accounting
• Service Discovery
  + Simple Service Catalog
  • Service Information
• Service Registry
• Federation (OAuth, OpenID, SAML)
Goals
1.   Integration of Keystone with SAVI TB C&M (VANI)
2.   Deploying Central Keystone
3.   Implementing fine-grained access control
4.   Federation with other testbeds
Goal (1): SAVI C&M Integration
• Writing middleware to connect SAVI control service to
  Keystone (Wilson Project)
• Writing Client library to enable user to use keystone as
  identity provider (Griffin Project)
Wilson
• A Java middleware that connects SAVI in-house developed components (cheetah, HW) to Keystone
[Diagram: SAVI Control Service (Cheetah) → Wilson → Keystone]
• Now, Cheetah does authorization and authentication through Wilson
• https://github.com/savi-dev/wilson
Griffin
• Java clients can use Griffin to use Keystone as their IdM
• https://github.com/savi-dev/griffin
• Tasks:
  • Authentication & Authorization
  • Tenant Management
  • User Management
  • Service Management
[Diagram: Application or User → Griffin → Keystone; SAVI Control Service (Cheetah) → Wilson → Keystone]
Goal (2): Central Keystone
• Clean up Keystone source code
• Implementing Central Keystone (devstack project)
• Adding concept of domain to Keystone
• Restructure role API calls to be specific to (user, project) or
  (user, domain)
• Offline Token validation
• Generalized credentials associated with a user/project combo
  (ec2, pki, ssh keys, etc)
• Bidirectional Authentication
Domain
•   A group of projects
•   Domains are administratively independent
•   User can have role in domain or project
•   Each domain has its own intrusion detection mechanism
Offline Token verification
• PKI signed tokens
• Cryptographically signed text
  •   Cryptographic Message Syntax (CMS, as used by S/MIME)
  •   Content of "Verify"
  •   Signed with the Keystone private key
  •   Verified using
       • OpenSSL
       • the Keystone public certificate
  • Can also be verified using HTTP
Token verification
[Diagram: Online Verification (the service asks Keystone over HTTP) versus Offline Verification (the service checks the signature locally with the public certificate)]
Goal (3): Fine-grained Access Control
[Diagram: staircase of access-control models, from coarsest to finest]
1.   Empty Role
2.   Capability RBAC
3.   Constraint RBAC
4.   ABAC
Empty Role
[Diagram: Keystone grants the Admin role to a User; the Service exposes Action 1, Action 2 and Action 3, and the role alone decides access to all of them.]
Constraint RBAC
[Diagram: the Admin defines a Capability in Keystone and the User is granted it; the capability selects which of Action 1, Action 2 and Action 3 the user may invoke.]
Capability Grammar
Resource:Action:[Policy]
•   Resource: Compute, Object-store, Quantum, Identity, Glance, Control, HW, EC2
•   Action: Get resource, Release resource, etc.
•   Policy:
    • Rule, e.g. rule:admin_rule
    • Role, e.g. role:admin
    • General, e.g. project_id: %(project_id)
    • Combination
Capability example
{
"admin_required": [["role:admin"], ["is_admin:1"]],
"identity:get_service": [["rule:admin_required"]],
"identity:list_services": [["rule:admin_required"]],
"identity:get_endpoint": [["rule:admin_required"]],

"compute:create": [["rule:admin_required"]],
"compute:create:attach_network": [["rule:admin_required"]],
"compute_extension:admin_actions:resetNetwork": [["rule:admin_required"]],

"network:get_all_networks": [["rule:admin_required"]],
"network:allocate_for_instance": [["rule:admin_required"]]
}
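The following is an added example, not code from the slides or from the savi-dev projects: a small evaluator for the Resource:Action:[Policy] grammar above, where the outer list is an OR of alternatives and each inner list is an AND of checks. The policy dictionary is constructed here; the `owner`, `admin_or_owner` and `compute:release` entries, the credential field names (`roles`, `project_id`, `is_admin`) and the recursion limit are assumptions, and the General check accepts both the slide's `project_id: %(project_id)` spelling and the `%(project_id)s` spelling.

```python
import re

# Constructed policy fragment in the Resource:Action:[Policy] grammar from the slides.
# Outer list = OR of alternatives, inner list = AND of checks.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["project_id:%(project_id)s"]],                  # assumed rule
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],  # assumed rule
    "identity:list_services": [["rule:admin_required"]],
    "compute:create": [["rule:admin_required"]],
    "compute:get": [["rule:admin_or_owner"]],                  # assumed action
    "compute:release": [["rule:owner", "role:researcher"]],    # assumed action (AND)
}

# "General" check: <target attribute>:%(<credential attribute>), with or without the
# trailing "s" and with optional spaces around the colon.
_GENERAL = re.compile(r"^(?P<key>[^:\s]+)\s*:\s*%\((?P<cred>[^)]+)\)s?$")
MAX_DEPTH = 10  # guards against rule:a -> rule:b -> rule:a loops in a bad policy file


def _check(check: str, target: dict, creds: dict, depth: int) -> bool:
    """Evaluate one check string against the request target and the caller's credentials."""
    kind, _, value = check.partition(":")
    if kind == "rule":                       # Rule: refer to another named rule
        return _evaluate(value, target, creds, depth + 1)
    if kind == "role":                       # Role: the token must carry this role
        return value in creds.get("roles", ())
    general = _GENERAL.match(check)
    if general:                              # General: target attribute == credential attribute
        key, cred = general.group("key"), general.group("cred")
        return key in target and cred in creds and str(target[key]) == str(creds[cred])
    # Anything else (e.g. is_admin:1) is a literal comparison with a credential field
    return str(creds.get(kind)) == value


def _evaluate(name: str, target: dict, creds: dict, depth: int) -> bool:
    if depth > MAX_DEPTH:
        raise ValueError(f"rule recursion too deep at {name!r}")
    alternatives = POLICY.get(name)
    if alternatives is None:
        return False                         # unknown action or rule: deny by default
    if not alternatives:
        return True                          # an empty rule ([]) allows everyone
    # Combination: some alternative whose checks all hold; an empty inner list [] allows everyone
    return any(all(_check(c, target, creds, depth) for c in conj) for conj in alternatives)


def enforce(action: str, target: dict, creds: dict) -> bool:
    """Return True if `creds` may perform `action` on `target` under POLICY."""
    return _evaluate(action, target, creds, 0)


if __name__ == "__main__":
    admin = {"roles": ["admin"], "project_id": "p9"}
    member = {"roles": ["member"], "project_id": "p1"}
    for action, target, who in [("compute:create", {"project_id": "p1"}, admin),
                                ("compute:get", {"project_id": "p1"}, member),
                                ("compute:get", {"project_id": "p2"}, member)]:
        print(action, target, who["roles"], "->", enforce(action, target, who))
```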
Constraint RBAC
• Resources are different
• A user may have access to one resource id but not to others
  although they have the same type
• Actions may be limited
• Admins can write stored procedures
Attribute Based Access Control (ABAC) – Attributes Defined
• Subject Attributes
  • Related to a subject (e.g. user, application, process) and define
    the identity and characteristics of the subject
  • E.g. identifier, name, job title, role
• Resource Attributes
  • Associated with a resource (web service, system function, or
    data)
  • E.g. Dublin Core metadata elements
• Environment Attributes
  • Describe the operational, technical, or situational environment
    or context in which the information access occurs
  • E.g. current date and time, current threat level, network security
    classification
ABAC Policy Formulation
1. S, R, and E are subjects, resources, and environments, respectively;
2. $SA_k$ ($1 \le k \le K$), $RA_m$ ($1 \le m \le M$), and $EA_n$ ($1 \le n \le N$) are the pre-defined
   attributes for subjects, resources, and environments, respectively;
3. ATTR(s), ATTR(r), and ATTR(e) are attribute assignment relations for
   subject s, resource r, and environment e, respectively:
   $$\mathrm{ATTR}(s) \subseteq SA_1 \times SA_2 \times \dots \times SA_K$$
   $$\mathrm{ATTR}(r) \subseteq RA_1 \times RA_2 \times \dots \times RA_M$$
   $$\mathrm{ATTR}(e) \subseteq EA_1 \times EA_2 \times \dots \times EA_N$$
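As an added example (not from the slides), the formulation above carried into code: ATTR(s), ATTR(r) and ATTR(e) are attribute tuples, and each policy rule is a predicate over the three, so the same subject and resource can get different decisions as the environment attributes change. The subjects, resources, rules, the working-hours window and the attribute names are all constructed assumptions.

```python
from typing import Callable, Dict, List

Attrs = Dict[str, object]
Rule = Callable[[Attrs, Attrs, Attrs], bool]   # f(ATTR(s), ATTR(r), ATTR(e))

# Constructed attribute assignment relations ATTR(s) and ATTR(r) for a SAVI-like testbed.
SUBJECTS: Dict[str, Attrs] = {
    "alice": {"id": "alice", "role": "researcher", "project_id": "p1", "domain": "d1"},
    "bob":   {"id": "bob",   "role": "domain_admin", "project_id": "p9", "domain": "d1"},
}
RESOURCES: Dict[str, Attrs] = {
    "vm-17": {"type": "compute", "project_id": "p1", "domain": "d1", "classification": "internal"},
    "vm-42": {"type": "compute", "project_id": "p2", "domain": "d1", "classification": "restricted"},
}


def environment(hour: int, threat_level: str, network_class: str) -> Attrs:
    """ATTR(e): the environment attributes named on the slide (time of day, threat level,
    network security classification). A deployment would read these at request time."""
    return {"hour": hour, "threat_level": threat_level, "network_class": network_class}


# Policy rules: each is a predicate over the three attribute tuples (assumed rules).
def owner_in_hours(s: Attrs, r: Attrs, e: Attrs) -> bool:
    """A subject may act on its own project's resources during 08:00-20:00
    unless the current threat level is high."""
    return (s["project_id"] == r["project_id"]
            and 8 <= e["hour"] < 20
            and e["threat_level"] != "high")


def domain_admin(s: Attrs, r: Attrs, e: Attrs) -> bool:
    """A domain admin may act on any resource in its own domain."""
    return s["role"] == "domain_admin" and s["domain"] == r["domain"]


def network_fits_classification(s: Attrs, r: Attrs, e: Attrs) -> bool:
    """Restricted resources may only be reached from a trusted network segment."""
    return r["classification"] != "restricted" or e["network_class"] == "trusted"


GRANT_RULES: List[Rule] = [owner_in_hours, domain_admin]        # any one suffices
CONSTRAINT_RULES: List[Rule] = [network_fits_classification]   # all must hold


def can_access(subject_id: str, resource_id: str, env: Attrs) -> bool:
    """can_access(s, r, e) <- f(ATTR(s), ATTR(r), ATTR(e)); unknown subjects or resources are denied."""
    s, r = SUBJECTS.get(subject_id), RESOURCES.get(resource_id)
    if s is None or r is None:
        return False
    return (any(rule(s, r, env) for rule in GRANT_RULES)
            and all(rule(s, r, env) for rule in CONSTRAINT_RULES))


if __name__ == "__main__":
    for env in (environment(10, "low", "campus"), environment(10, "high", "campus")):
        print("alice -> vm-17 under", env, ":", can_access("alice", "vm-17", env))
```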
ABAC in SAVI
[Diagram: a Researcher, authenticated by the Identity Provider (Trust Anchor), sends a SOAP message carrying subject attributes (SA) to the Control Service (1); Access Control obtains resource attributes (RA) from the Service Catalog (Beacon) and environment attributes (EA) (2), evaluates them in the Policy Unit, which is fed by the Policy Administration Service and the Attribute & Policy Services, and only then invokes the Edge Node resources through the Web APIs (3).]
Goal (4): Federation
• Aspects
  • Authentication
  • Authorization
• Federation allows
  • Users of different Smart Edges to work together
  • SAVI to serve other testbeds' users
  • SAVI researchers to use other testbeds
Authentication Interoperability
Security Assertion Markup Language - SAML
[Diagram: a Credentials Collector feeds the Authentication Authority, which issues an Authentication Assertion; the Attribute Authority issues an Attribute Assertion; the Policy Decision Point issues an Authorization Decision Assertion. Each authority is governed by Policy, and a System Entity's Application Request is checked at the Policy Enforcement Point against these SAML assertions.]
Source: OASIS SAML Standard
Authorization Interoperability
eXtensible Access Control Markup Language – XACML
[Diagram: a Policy Server in SAVI holds the XACML Policy and pushes it as XML/XACML to the Federation Layer, Virtualization, Openflow Switch and Firewall.]
• Policy server distributes policy changes to all network elements using XACML
SAVI Federation Architecture
[Diagram: SAVI Federation Oversight comprises a Trust Anchor (Keystone), Service Accounting (Beacon) and a Repository; a Domain Admin and User 1, User 2, User 3 authenticate through Identity Providers; the federation spans the SAVI Core node, SAVI edge nodes, other Testbeds and Remote Datacenters.]
Other components …
• Clearinghouse has two more components
  • Intrusion Detection Network
  • Incident Handling module
Intrusion Detection Network
[Diagram: within each Domain, Resource Agents collect Traffic data and apply Policy; the agents report to a Brain per domain, the Brains coordinate through Swarm Intelligence, exchanging Status and Policy with a Sergeant, which provides Situational Awareness to a Human who returns Guidance and Policy.]
Incident Types
• Malicious code attacks
• Unauthorized access
  • Attempted intrusion
  • Reconnaissance
• System compromise/intrusion
• Loss of, theft of or missing assets, data, etc.
• Disruption of service
• Unauthorized use / Misuse
• Infraction of Policy
• Illegal activity
• Espionage
• Hoaxes (False Information)
Incident Handling
THANKS FOR YOUR PATIENCE
