Posted: 15-Jan-2015 | Uploaded by: mohammad-faraji
Identity Manager
Smart Applications on Virtual Infrastructure (SAVI)
Presenter: M. Faraji
Agenda
• Introduction
• SAVI Identity Manager
• Keystone in SAVI
• Goals and Contributions
• Authorization
  • RBAC
  • ABAC
• Federation
  • Authentication
  • Authorization
SAVI Clearinghouse
• The Clearinghouse is the system that brokers trust between the Control & Management (C&M) plane and the resources. It is the only component that every entity in the SAVI testbed (TB) fully trusts.
• Components
  • AAA (Authentication, Authorization, Accounting)
  • Intrusion Detection Network
  • Incident Handling
Identity Manager Tasks
• Identity establishment: distinguishes users
• Authentication: verifies an identity claim
• Authorization: permits (or denies) a user's request
• Accounting: keeps track of usage
• Federation: extends the available resources to other testbeds
• Complementary duties
  • Service Catalog: lists the available services
  • Service Discovery: keeps up with the latest changes
SAVI TB Architecture
Openstack Overview
Keystone
• Keystone is the Identity Manager (IdM) of OpenStack
• It is written in Python
How Keystone works with others
Keystone work flow
[Figure: SAVI TB architecture and how Keystone works with the other components. The Core Node hosts the SAVI TB C&M Framework: Keystone (AAA), Service Registry, Resource Registry, Image Registry (Glance-reg), GraphDB (neo4j) and Monitoring & Measurement (M&M, OMF). Each Edge Node runs OpenStack cloud computing resources (nova, swift, glance), the OpenStack Network Manager, cheetah, Ryu, whale, and VANI Enhanced Resource Configuration for the other SAVI resources; services talk to the C&M framework over REST (SOAP is also used). Because every edge node must validate users against the same identity store, SAVI needs a central Keystone.]
Keystone (January 2011)
• Password authentication
• Token validation
• Simple rule-based access control
• Middleware for the other OpenStack components
[Figure: Keystone token workflow. A request for a service (e.g. SWIFT) carries a token; the auth_token (or EC2 token) middleware in front of the service asks Keystone to verify it, only the authenticated request reaches the service, and the verified response comes back from the service.]
Cons
• The middleware needs the network to verify every token
• Keystone becomes a chokepoint
• Is the UUID token actually random (i.e. unguessable)?
How original Keystone meets SAVI requirements (+ = already provided by original Keystone; the remaining items are SAVI requirements it does not meet)
• Authentication
  + Password-based
  • Strong authentication
• Authorization
  + Simple match (either admin or not)
  • RBAC
  • ABAC
• Accounting
• Service Discovery
  + Simple service catalog
  • Service information
  • Service registry
• Federation (OAuth, OpenID, SAML)
Goals
1. Integration of Keystone with the SAVI TB C&M (VANI)
2. Deploying a central Keystone
3. Implementing fine-grained access control
4. Federation with other testbeds
Goal (1): SAVI C&M Integration
• Writing middleware that connects the SAVI control service to Keystone (Wilson project)
• Writing a client library that lets users use Keystone as their identity provider (Griffin project)
Wilson
• A Java middleware that connects SAVI in-house developed components (cheetah, HW) to Keystone
• Cheetah now does authentication and authorization through Wilson
• https://github.com/savi-dev/wilson
[Figure: SAVI Control Service (Cheetah) → Wilson → Keystone]
Griffin
• Java clients can use Griffin to use Keystone as their IdM
• https://github.com/savi-dev/griffin
• Tasks:
  • Authentication & Authorization
  • Tenant management
  • User management
  • Service management
[Figure: Application or User → Griffin → Keystone; SAVI Control Service (Cheetah) → Wilson → Keystone]
Goal (2): Central Keystone
• Clean up the Keystone source code
• Implementing a central Keystone (devstack project)
• Adding the concept of domain to Keystone
• Restructuring role API calls to be specific to (user, project) or (user, domain)
• Offline token validation
• Generalized credentials associated with a user/project combination (EC2, PKI, SSH keys, etc.)
• Bidirectional authentication
Domain
• A group of projects
• Domains are administratively independent
• A user can have a role in a domain or in a project
• Each domain has its own intrusion detection mechanism
Offline token verification
• PKI-signed tokens: the token is a cryptographically signed text
  • Cryptographic Message Syntax (CMS, the S/MIME signature format)
  • Content: the same data the online "verify" call returns
  • Signed with Keystone's private key
  • Verified locally using openssl and Keystone's public certificate, with no round-trip to Keystone
• Can also be verified online over HTTP
[Figure: Token verification, online (the middleware asks Keystone) versus offline (the middleware checks the signature itself)]
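The offline path in code, as an added example that is not Keystone's own implementation: Keystone signs its PKI tokens as a CMS (S/MIME) structure with `openssl cms`; to stay runnable without the openssl binary this example substitutes a detached RSA-PSS signature from the `cryptography` package (`pip install cryptography`). The certificate name, the token fields and the "body.signature" encoding are assumptions made for the example.

```python
"""Offline (PKI) token verification: the edge-side middleware checks the
signature with Keystone's public certificate and never contacts Keystone.

Added example, not Keystone's code.  Keystone signs PKI tokens as CMS via
`openssl cms`; here a detached RSA-PSS signature (cryptography package)
stands in so the script runs anywhere.  CN, token fields and the
"body.signature" encoding are assumptions."""
import base64
import datetime
import json

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def make_keystone_identity():
    """Keystone's signing key plus the self-signed certificate that is
    distributed to every edge node (hypothetical CN)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME,
                                         "keystone.savi.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert.public_bytes(serialization.Encoding.PEM)


def issue_token(key, user, project, roles, ttl_seconds=3600):
    """Keystone side: sign the same data the online 'verify' call returns."""
    now = datetime.datetime.now(datetime.timezone.utc)
    body = json.dumps({
        "user": user, "project": project, "roles": roles,
        "expires": (now + datetime.timedelta(seconds=ttl_seconds)).isoformat(),
    }, sort_keys=True).encode()
    sig = key.sign(body, PSS, hashes.SHA256())
    return b".".join(base64.urlsafe_b64encode(p) for p in (body, sig)).decode()


def verify_token_offline(token, cert_pem):
    """Middleware side: returns the token payload, or None if the token is
    malformed, its signature does not verify under the certificate, or it
    has expired.  Needs no network access."""
    now = datetime.datetime.now(datetime.timezone.utc)
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        cert = x509.load_pem_x509_certificate(cert_pem)
        cert.public_key().verify(sig, body, PSS, hashes.SHA256())  # raises on tamper
        payload = json.loads(body)
        if datetime.datetime.fromisoformat(payload["expires"]) <= now:
            return None
        return payload
    except (ValueError, KeyError, InvalidSignature):
        return None


if __name__ == "__main__":
    key, cert_pem = make_keystone_identity()
    tok = issue_token(key, "alice", "proj-1", ["member"])
    print(verify_token_offline(tok, cert_pem))
    print(verify_token_offline(tok[:-4] + "AAAA", cert_pem))  # tampered signature
```

The property the slide cares about is visible in `verify_token_offline`: the only material it needs is the certificate already on the edge node, so Keystone is no longer a chokepoint and a network outage does not stop validation. The price is that revocation cannot be learned from the signature alone; the expiry check is the minimum, and a revocation list fetched periodically from Keystone would be the next step.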
Goal (3): Fine-grained Access Control
• Access control models considered, in increasing order of expressiveness: Empty Role → Capability RBAC → Constraint RBAC → ABAC
[Figures: Keystone with Empty Role (Admin, Service and User against Action 1, Action 2, Action 3) and Keystone with Constraint RBAC, where a User and an Admin hold capabilities for Action 1, Action 2, Action 3 individually.]
Capability Grammar
Resource:Action:[Policy]
• Resource: Compute, Object-store, Quantum, Identity, Glance, Control, HW, EC2
• Action: get resource, release resource, etc.
• Policy
  • Rule: rule:admin_rule
  • Role: role:admin
  • General (credential compared with the target): project_id:%(project_id)s
  • Combination of the above
Capability example
"admin_required": [["role:admin"], ["is_admin:1"]],
"identity:get_service": [["rule:admin_required"]],
"identity:list_services": [["rule:admin_required"]],
"identity:get_endpoint": [["rule:admin_required"]],
"compute:create": [["rule:admin_required"]],
"compute:create:attach_network": [["rule:admin_required"]],
"compute_extension:admin_actions:resetNetwork": [["rule:admin_required"]],
"network:get_all_networks": [["rule:admin_required"]],
"network:allocate_for_instance": [["rule:admin_required"]],
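A small evaluator for this grammar, as an added example (it is not Keystone's policy engine, which lives in `openstack.common.policy`): each entry maps a `Resource:Action` capability to a list of alternatives, any one of which grants, and each alternative is a list of checks that must all hold. The `owner` rule, the `compute:*` entries that combine a rule with a role, and the credentials used below are constructed for the example.

```python
"""Evaluate capabilities in the Keystone policy grammar of the slide:
"resource:action": [[check, ...], [check, ...]] is an OR of ANDs.

Added example, not Keystone's own policy engine.  POLICY and the
credentials in the tests are constructed for illustration."""

# "rule:" refers to another policy entry, "role:" to the caller's roles, and
# any other key (is_admin, project_id, ...) is a generic check compared with
# the caller's credentials; %(name)s is filled in from the request target.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["project_id:%(project_id)s"]],
    "identity:get_service": [["rule:admin_required"]],
    "compute:create": [["rule:admin_required"],
                       ["rule:owner", "role:member"]],      # combination
    "compute:delete": [["rule:admin_required"],
                       ["rule:owner", "role:member"]],
}


def _check(check, target, creds, policy, depth):
    kind, _, expected = check.partition(":")
    try:
        expected = expected % target        # "%(project_id)s" -> target value
    except (KeyError, ValueError, TypeError):
        return False                        # target lacks the attribute: deny
    if kind == "rule":
        return enforce(expected, target, creds, policy, depth + 1)
    if kind == "role":
        return expected in creds.get("roles", [])
    return str(creds.get(kind)) == expected   # generic check, e.g. is_admin:1


def enforce(action, target, creds, policy=POLICY, _depth=0):
    """True only if some alternative of `action` has every check satisfied.
    Unknown actions are denied (default deny) and rule recursion is bounded,
    so a policy file that makes rules refer to each other cannot hang the
    service."""
    if _depth > 16:
        raise RecursionError("policy rules refer to each other in a cycle")
    alternatives = policy.get(action)
    if not alternatives:
        return False
    return any(all(_check(c, target, creds, policy, _depth) for c in conj)
               for conj in alternatives)


if __name__ == "__main__":
    member = {"roles": ["member"], "project_id": "p1"}
    print(enforce("compute:create", {"project_id": "p1"}, member))  # own project
    print(enforce("compute:create", {"project_id": "p2"}, member))  # someone else's
```

Two details matter for the "Constraint RBAC" point made on the next slide: the generic check ties a capability to the specific resource or project in the target rather than to a type, and a target that lacks the attribute is denied instead of silently matching.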
Constraint RBAC
• Resources differ: a user may have access to one resource id but not to others, even though they are of the same type
• Actions may be limited
• Admins can write stored procedures
Attribute Based Access Control (ABAC) – Attributes Defined
• Subject attributes
  • Related to a subject (e.g. user, application, process) and define the identity and characteristics of the subject
  • E.g. identifier, name, job title, role
• Resource attributes
  • Associated with a resource (web service, system function, or data)
  • E.g. Dublin Core metadata elements
• Environment attributes
  • Describe the operational, technical, or situational environment or context in which the information access occurs
  • E.g. current date and time, current threat level, network security classification
ABAC Policy Formulation

$$\mathrm{ATTR}(s) \subseteq SA_1 \times SA_2 \times \cdots \times SA_K$$
$$\mathrm{ATTR}(r) \subseteq RA_1 \times RA_2 \times \cdots \times RA_M$$
$$\mathrm{ATTR}(e) \subseteq EA_1 \times EA_2 \times \cdots \times EA_N$$

1. S, R, and E are subjects, resources, and environments, respectively;
2. $SA_k$ ($1 \le k \le K$), $RA_m$ ($1 \le m \le M$), and $EA_n$ ($1 \le n \le N$) are the pre-defined attributes for subjects, resources, and environments, respectively;
3. $\mathrm{ATTR}(s)$, $\mathrm{ATTR}(r)$, and $\mathrm{ATTR}(e)$ are attribute assignment relations for subject s, resource r, and environment e, respectively.
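The formulation above in executable form, as an added example that is not SAVI's policy unit: a request is a subject s, a resource r and an environment e, each given by its attribute assignment ATTR(·), and access for an action is granted when some rule f(ATTR(s), ATTR(r), ATTR(e)) registered for that action holds. The attribute names, the rules, and the sample subjects, resources and environments are constructed for the example; the environment rules show what ABAC adds over the role checks of the previous slides.

```python
"""ABAC decision: can_access(s, r, e) <- f(ATTR(s), ATTR(r), ATTR(e)).

Added example, not SAVI's policy unit.  Attribute names, rules and the
sample entities are constructed for illustration."""
from datetime import time

# Each rule is f(ATTR(s), ATTR(r), ATTR(e)) -> bool.  Environment attributes
# (threat level, time of day) make the decision depend on context even when
# subject and resource attributes are unchanged.
def owner_at_normal_threat(s, r, e):
    return s["id"] == r["owner"] and e["threat_level"] != "high"

def researcher_reads_public(s, r, e):
    return "researcher" in s["roles"] and r["visibility"] == "public"

def operator_in_maintenance_window(s, r, e):
    return ("operator" in s["roles"] and r["type"] == "network"
            and time(2, 0) <= e["time"] <= time(4, 0))

# action -> rules; any rule that holds grants, unknown actions are denied.
POLICY = {
    "get_resource": [owner_at_normal_threat, researcher_reads_public],
    "release_resource": [owner_at_normal_threat, operator_in_maintenance_window],
}


def _holds(rule, s, r, e):
    try:
        return bool(rule(s, r, e))
    except KeyError:
        return False        # an attribute the rule needs is missing: deny


def can_access(s, r, e, action, policy=POLICY):
    return any(_holds(rule, s, r, e) for rule in policy.get(action, []))


# Constructed sample attribute assignments ATTR(s), ATTR(r), ATTR(e).
ALICE = {"id": "alice", "roles": ["researcher"]}
OPS = {"id": "ops1", "roles": ["operator"]}
VM = {"id": "vm-17", "type": "compute", "owner": "alice", "visibility": "private"}
SWITCH = {"id": "sw-3", "type": "network", "owner": "ops-team", "visibility": "public"}

def env(threat="normal", hour=12):
    return {"threat_level": threat, "time": time(hour, 0)}


if __name__ == "__main__":
    print(can_access(ALICE, VM, env(), "release_resource"))              # owner: True
    print(can_access(ALICE, VM, env(threat="high"), "release_resource")) # context: False
    print(can_access(OPS, SWITCH, env(hour=3), "release_resource"))      # window: True
```

Note the two deny paths: an action with no rules and a rule whose required attribute is absent both evaluate to deny, which is the safe default when attribute sources (the identity provider, the resource API, the environment feed) are separate services that can fail independently.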
ABAC in SAVI
[Figure: ABAC at a SAVI Edge Node. A Researcher sends a SOAP message to the Control Web Service, whose Policy Unit / Access Control collects subject attributes (SA) from the Identity Provider, resource attributes (RA) from the Resources APIs and environment attributes (EA) together with policy from the Attribute & Policy Services (Policy Admin Service) before the request reaches the resource (steps 1–3). The Service Catalog (Beacon) and the Trust Anchor sit alongside.]
Goal (4): Federation
• Aspects
  • Authentication
  • Authorization
• Federation allows
  • Users of different Smart Edges to work together
  • SAVI to serve users of other testbeds
  • SAVI researchers to use other testbeds
Authentication Interoperability: Security Assertion Markup Language (SAML)
[Figure: SAML domain model. A System Entity's Application Request passes through a Credentials Collector to the Authentication Authority, which issues an Authentication Assertion; the Attribute Authority issues an Attribute Assertion; the Policy Decision Point evaluates its policies and issues an Authorization Decision Assertion, which the Policy Enforcement Point enforces. Source: OASIS SAML Standard.]
Authorization Interoperability: eXtensible Access Control Markup Language (XACML)
• The policy server distributes policy changes to all network elements using XACML
[Figure: the Policy Server in SAVI pushes XACML (XML) policy to the Federation Layer, Virtualization, OpenFlow Switch and Firewall.]
SAVI Federation Architecture
[Figure: SAVI Federation Oversight sits above the Trust Anchor (Keystone) in the SAVI Core node, with SAVI edge nodes, a partner Testbed and Remote Datacenters attached; a Domain Admin manages User 1, User 2 and User 3; external Identity Providers, Service Accounting (Beacon) and a Repository complete the picture. Authentication is federated via OAuth, OpenID or SAML; authorization via XACML.]
Other components
• The Clearinghouse has two more components
  • Intrusion Detection Network
  • Incident Handling module
Intrusion Detection Network
[Figure: Resource Agents watch Traffic and report to a Brain; the Brains coordinate through Swarm Intelligence; a per-Domain Sergeant aggregates status and policy and exchanges situational awareness, guidance, policy and data with a Human operator.]
Incident Types
• Malicious code attacks
• Unauthorized access
• Attempted intrusion
• Reconnaissance
• System compromise / intrusion
• Loss of, theft of or missing assets, data, etc.
• Disruption of service
• Unauthorized use / misuse
• Infraction of policy
• Illegal activity
• Espionage
• Hoaxes (false information)
Incident Handling
THANKS FOR YOUR PATIENCE