IdM in Smart Applications on Virtual Infrastructure

Date post: 15-Jan-2015
Upload: mohammad-faraji
Transcript
Page 1: IdM in Smart Applications on Virtual Infrastructure

Identity Manager: Smart Applications on Virtual Infrastructure. Presenter: M. Faraji

Page 2

Agenda
• Introduction
• SAVI Identity Manager
• Keystone in SAVI
• Goals and Contributions
• Authorization
  • RBAC
  • ABAC
• Federation
  • Authentication
  • Authorization

Page 3

SAVI Clearinghouse
• Clearinghouse is a system that brokers trust between the C&M plane and resources. It is the only component that every entity in the SAVI TB fully trusts.
• Components
  • AAA (Authentication, Authorization, Accounting)
  • Intrusion Detection Network
  • Incident Handling

Page 4

Identity Manager Tasks
• Identity establishment: distinguishes users
• Authentication: verifies the identity claim
• Authorization: permits the user's request
• Accounting: keeps track of usage
• Federation: extends resources
• Complementary duties
  • Service Catalog: lists available services
  • Service Discovery: keeps up with the latest changes

Page 5

SAVI TB Architecture

Page 6

OpenStack Overview

Page 7

Keystone
• Keystone is the identity manager in OpenStack
• It is written in Python

Page 8

How Keystone works with others

Page 9

Keystone workflow

Page 10

SAVI needs Central Keystone

[Diagram: SAVI TB architecture across a Core Node and Edge Nodes; labels: Keystone, C&M Framework, AAA, Monitoring & Measurement, M&M (OMF), Resource Registry, Image Registry, Glance-reg, Service Registry, GraphDB (neo4j), OpenStack (nova, swift, glance, Network Manager), cheetah, Ryu, whale, VANI Enhanced Resource Configuration, Cloud Computing Resources, Other SAVI Resources, Edge Node Network; interfaces labelled REST and SOAP.]

Page 11

Keystone (January 2011)
• Password authentication
• Token validation
• Simple rule-based access control
• Middleware to OpenStack components

Page 12

[Diagram: token workflow; labels: Token, Request, Authenticated Request for Service, Verification, Verified, Response from the service.]

Page 13

Middleware

[Diagram: Keystone middleware (Auth Token, EC2 Token) in front of a service; labels: Request, Request for SWIFT, Keystone.]

Cons
• Need network to verify
• Keystone becomes a chokepoint
• Is the UUID random?

Page 14

How original Keystone meets SAVI requirements (items marked + are what the original Keystone already provides)
• Authentication
  + Password-based
  • Strong authentication
• Authorization
  + Simple match (either admin or not)
  • RBAC
  • ABAC
• Accounting
• Service Discovery
  + Simple Service Catalog
  • Service Information
  • Service Registry
• Federation (OAuth, OpenID, SAML)

Page 15

Goals

1. Integration of Keystone with SAVI TB C&M (VANI)
2. Deploying Central Keystone
3. Implementing fine-grained access control
4. Federation with other testbeds

Page 16

Goal (1): SAVI C&M Integration
• Writing middleware to connect the SAVI control service to Keystone (Wilson project)
• Writing a client library to enable users to use Keystone as identity provider (Griffin project)

Page 17

Wilson
• A Java middleware that connects SAVI in-house developed components (cheetah, HW) to Keystone
• Now, Cheetah does authorization and authentication through Wilson
• https://github.com/savi-dev/wilson

[Diagram: SAVI Control Service (Cheetah), Wilson, Keystone.]

Page 18

Griffin
• Java clients can use Griffin to use Keystone as their IdM
• https://github.com/savi-dev/griffin
• Tasks:
  • Authentication & Authorization
  • Tenant Management
  • User Management
  • Service Management

Page 19

[Diagram: Application or User, Griffin, SAVI Control Service (Cheetah), Wilson, Keystone.]

Page 20

Goal (2): Central Keystone
• Clean up Keystone source code
• Implementing Central Keystone (devstack project)
• Adding the concept of domain to Keystone
• Restructure role API calls to be specific to (user, project) or (user, domain)
• Offline token validation
• Generalized credentials associated with a user/project combination (EC2, PKI, SSH keys, etc.)
• Bidirectional authentication

Page 21

Domain
• A group of projects
• Domains are administratively independent
• A user can have a role in a domain or a project
• Each domain has its own intrusion detection mechanism

Page 22

Offline Token Verification
• PKI-signed tokens
• Cryptographically signed text
  • Cryptographic Message Syntax (S/MIME)
  • Content of "Verify"
  • Signed with the Keystone private key
  • Verified using
    • OpenSSL
    • Public certificate
• Can also be verified using HTTP
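The offline check the slide describes, worked through with openssl, as an added example that is not code from the deck or from the SAVI project: a throwaway key and self-signed certificate stand in for Keystone's signing key, a constructed payload is signed as CMS, and the service verifies it against the public certificate alone; a token signed by an unrelated key fails the same check.

```shell
#!/bin/sh
# Added example, not code from the slides or the SAVI project: verifying a
# CMS-signed token offline with openssl and the signer's public certificate.
# The signing key and self-signed certificate are generated here as a stand-in
# for Keystone's; the token payload is constructed for the demo.
set -eu
WORK=$(mktemp -d)

# Stand-in for Keystone's signing key and its published certificate.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=keystone-signing" \
  -keyout "$WORK/signing_key.pem" -out "$WORK/signing_cert.pem" -days 1 >/dev/null 2>&1

# sign_token PAYLOAD KEY CERT: print the token as PEM-encoded CMS SignedData
sign_token() {
  openssl cms -sign -binary -nodetach -in "$1" -inkey "$2" -signer "$3" -outform PEM
}

# verify_token TOKEN_PEM TRUSTED_CERT OUT: succeed only if the signature chains
# to TRUSTED_CERT; the recovered payload is written to OUT. No network needed.
verify_token() {
  openssl cms -verify -binary -inform PEM -in "$1" -CAfile "$2" -out "$3" >/dev/null 2>&1
}

# Constructed payload standing in for the token content a service would read.
printf '%s' '{"token":{"id":"demo","expires":"2015-01-16T00:00:00Z"}}' > "$WORK/payload.json"
sign_token "$WORK/payload.json" "$WORK/signing_key.pem" "$WORK/signing_cert.pem" > "$WORK/token.pem"

# Genuine token: verifies offline and yields the original payload.
verify_token "$WORK/token.pem" "$WORK/signing_cert.pem" "$WORK/out.json"
cmp -s "$WORK/payload.json" "$WORK/out.json" || { echo "payload mismatch"; exit 1; }
echo "token verified offline"

# Token signed by a key the trust anchor never issued: the same check rejects it.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=rogue" \
  -keyout "$WORK/rogue_key.pem" -out "$WORK/rogue_cert.pem" -days 1 >/dev/null 2>&1
sign_token "$WORK/payload.json" "$WORK/rogue_key.pem" "$WORK/rogue_cert.pem" > "$WORK/rogue.pem"
if verify_token "$WORK/rogue.pem" "$WORK/signing_cert.pem" "$WORK/out2.json"; then
  echo "rogue token accepted"; exit 1
fi
echo "rogue token rejected"
```

Because the verifying service holds only the certificate, the check avoids the network round trip and the Keystone chokepoint listed under the middleware cons; the expiry inside the recovered payload still has to be checked by the service.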

Page 23

Token verification

[Diagram: online verification vs offline verification.]

Page 24

Goal (3): Fine-grained Access Control
• Empty Role
• Capability RBAC
• Constraint RBAC
• ABAC

Page 25

Empty Role

[Diagram: Keystone, Admin, Service, User; Action 1, Action 2, Action 3.]

Page 26

Constraint RBAC

[Diagram: Keystone, User, Admin, Capability; Action 1, Action 2, Action 3.]

Page 27

Capability Grammar

Resource:Action:[Policy]

Resource
• Compute
• Object-store
• Quantum
• Identity
• Glance
• Control
• HW
• EC2

Action
• Get resource
• Release resource
• etc.

Policy
• Rule: rule:admin_rule
• Role: role:admin
• General: project_id: %(project_id)
• Combination

Page 28

Capability example
"admin_required": [["role:admin"], ["is_admin:1"]],
"identity:get_service": [["rule:admin_required"]],
"identity:list_services": [["rule:admin_required"]],
"identity:get_endpoint": [["rule:admin_required"]],
"compute:create": [["rule:admin_required"]],
"compute:create:attach_network": [["rule:admin_required"]],
"compute_extension:admin_actions:resetNetwork": [["rule:admin_required"]],
"network:get_all_networks": [["rule:admin_required"]],
"network:allocate_for_instance": [["rule:admin_required"]],
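How the capability grammar and the example above evaluate, as an added example that is not code from the slides or from Keystone: a small evaluator for the list-of-lists format (outer list an OR of alternatives, inner list an AND of checks) covering the rule:, role:, literal and %(field)s checks from the grammar slide; the policy dict reuses the slide's admin rule and adds one constructed project-scoped rule.

```python
# Added example, not code from the slides or from Keystone: a small evaluator
# for the list-of-lists policy format on the "Capability example" slide.
# The outer list is an OR of alternatives, each inner list an AND of checks.
# "rule:x" refers to another named rule, "role:x" requires a role held by the
# caller, "key:%(field)s" compares a caller credential with a field of the
# target object, and anything else compares a credential with a literal.
import re

# Constructed policy: the slide's admin rule plus one project-scoped rule.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "identity:get_service": [["rule:admin_required"]],
    "compute:create": [["rule:admin_required"]],
    "compute:get": [["rule:admin_required"], ["project_id:%(project_id)s"]],
}

_TARGET_REF = re.compile(r"%\((\w+)\)s")


def _check(check, target, creds, policy, depth):
    kind, _, match = check.partition(":")
    if kind == "rule":                                  # named rule reference
        return enforce(match, target, creds, policy, depth + 1)
    if kind == "role":                                  # caller holds the role
        return match in creds.get("roles", [])
    ref = _TARGET_REF.fullmatch(match)
    if ref:                                             # generic check vs target
        field = ref.group(1)
        return field in target and str(creds.get(kind)) == str(target[field])
    return str(creds.get(kind)) == match                # literal, e.g. is_admin:1


def enforce(action, target, creds, policy=POLICY, depth=0):
    """True only if creds may perform action on target.

    Unknown actions and empty rules deny here (legacy oslo policy treats an
    empty rule as always allowed, so this evaluator is the stricter default).
    """
    if depth > 10:                                      # stop rule cycles
        raise ValueError("rule recursion too deep: %s" % action)
    alternatives = policy.get(action)
    if not alternatives:
        return False
    return any(all(_check(c, target, creds, policy, depth) for c in conj)
               for conj in alternatives)
```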

Page 29

Constraint RBAC
• Resources are different
• A user may have access to one resource id but not to others, although they have the same type
• Actions may be limited
• Admins can write stored procedures

Page 30

Attribute Based Access Control (ABAC) – Attributes Defined

• Subject Attributes
  • Related to a subject (e.g. user, application, process) that defines the identity and characteristics of the subject
  • E.g. identifier, name, job title, role
• Resource Attributes
  • Associated with a resource (web service, system function, or data)
  • E.g. Dublin Core metadata elements
• Environment Attributes
  • Describe the operational, technical, or situational environment or context in which the information access occurs
  • E.g. current date and time, current threat level, network security classification

Page 31

ABAC Policy Formulation

1. S, R, and E are subjects, resources, and environments, respectively;
2. SA_k (1 ≤ k ≤ K), RA_m (1 ≤ m ≤ M), and EA_n (1 ≤ n ≤ N) are the pre-defined attributes for subjects, resources, and environments, respectively;
3. ATTR(s), ATTR(r), and ATTR(e) are attribute assignment relations for subject s, resource r, and environment e, respectively:

$$\mathrm{ATTR}(s) \subseteq SA_1 \times SA_2 \times \cdots \times SA_K$$
$$\mathrm{ATTR}(r) \subseteq RA_1 \times RA_2 \times \cdots \times RA_M$$
$$\mathrm{ATTR}(e) \subseteq EA_1 \times EA_2 \times \cdots \times EA_N$$

Page 32

ABAC in SAVI

[Diagram: Edge Node with Attribute & Policy Services, Resources APIs, Control Web Service, Policy Unit, Access Control, Service Catalog (Beacon), Trust Anchor, Policy Admin. Service, Identity Provider; a Researcher sends a SOAP Msg; attribute flows labelled SA, RA, EA, steps 1 to 3.]

Page 33

Goal (4): Federation
• Aspects
  • Authentication
  • Authorization
• Federation allows
  • Users of different Smart Edges to work together
  • SAVI to serve other testbeds' users
  • SAVI researchers to use other testbeds

Page 34

Authentication Interoperability: Security Assertion Markup Language (SAML)

[Diagram: SAML components; labels: Authentication Assertion, Attribute Assertion, Authorization Decision Assertion, Authentication Authority, Attribute Authority, Policy Decision Point, Policy Enforcement Point, Policy, Credentials Collector, System Entity, Application Request.]

Source: OASIS SAML Standard

Page 35

Authorization Interoperability: eXtensible Access Control Markup Language (XACML)

• The policy server distributes policy changes to all network elements using XACML

[Diagram: Policy Server in SAVI sends XACML policy (XML) to the Federation Layer, Virtualization, Openflow Switch, and Firewall.]

Page 36

SAVI Federation Architecture

[Diagram: SAVI Federation Oversight; Trust Anchor (Keystone); SAVI Core node; SAVI edge node; Testbed; Remote Datacenters; Domain Admin; User 1, User 2, User 3; Identity Providers; Service Accounting (Beacon); Repository; Authentication: OAuth, OpenID, SAML; Authorization: XACML.]

Page 37

Other components …
• Clearinghouse has two more components
  • Intrusion Detection Network
  • Incident Handling module

Page 38

Intrusion Detection Network

[Diagram: labels: Resource Agent, Traffic, Brain, Swarm Intelligence, Sergeant, Domain, Human, Policy, data, Status, Situational Awareness, Guidance.]

Page 39

Incident Types
• Malicious code attacks
• Unauthorized access
• Attempted intrusion
• Reconnaissance
• System compromise / intrusion
• Loss of, theft of or missing assets, data, etc.
• Disruption of service
• Unauthorized use / misuse
• Infraction of policy
• Illegal activity
• Espionage
• Hoaxes (false information)

Page 40

Incident Handling

Page 41

THANKS FOR YOUR PATIENCE