
Keystone v3, Single Sign On, and Multi-Domain in a managed cloud


OpenStack Summit - Austin 2016

David Grizzanti

April 25, 2016


Transcript

  1. © 2016 Sungard Availability Services, all rights reserved
     Keystone v3, Single Sign On, and Multi-Domain in a managed cloud
     David Grizzanti, OpenStack Summit Austin 2016
  2. Sungard Availability Services Confidential and Proprietary © 2016 Sungard Availability Services, all rights reserved
     Overview
     ▼ Need for multi-domain and SSO support at Sungard
     ▼ Horizon
     ▼ SSO with Keystone and Horizon
     ▼ Policy file updates
     ▼ Why not federation?
     ▼ Lingering issues
  3. Need for Multi-Domain @ Sungard
     ▼ Platform offering is a mix of public and managed cloud
     ▼ Multi-tenant
     ▼ True "self-service" portal required separation of projects by domain
     ▼ Allow for company admins to manage users and projects within their environment
  4. Requirements for multi-domain
     ▼ Domain/Project Isolation
       Domain as Company
       Project as "workplace"
     ▼ Allow an "admin" in the domain to manage users and projects
     ▼ New role "domain admin" to allow for managing these identity concepts, separate from project admin
       Needed to separate these for policy
  5. Horizon
     ▼ Domain scoped tokens - patch 62
       Pull in patches to support project and domain support
       Multi-token management
       Patchset is up to 111, haven't compared since we went with 62
     ▼ Django openstack auth
       Updates to handle auth from SSO
  6. Single Sign On / External Identity Provider
     ▼ django openstack auth
       Passing domain name correctly after auth to Horizon
       Handle auth pass from Keystone -> Horizon
       Exchanging of un-scoped to scoped tokens
     ▼ OIDC
       Using mod_auth_openidc to handle auth between OpenAM system and Keystone
       Running keystone under apache
  7. Policy File Updates
     ▼ Out of the box, anyone with "admin" role has access to resources in all projects
       Bad for multi-tenant envs
     ▼ Added a custom role to use in place of context_is_admin rule in policy files
       Allows for assignment of admin on a project, but new role is reserved for select group of users
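The policy change this slide describes, as an added example that is not taken from the deck or from Sungard's policy files: a minimal evaluator for oslo.policy-style rule strings (role:, rule: and attribute matches joined by and/or, no parentheses) run over a default context_is_admin rule and a hardened variant keyed to a reserved role. The rule names, the role name cloud_admin and the project ids are assumptions.

```python
import json

# Constructed policy fragments modelled on the deck's description; the rule
# and role names are assumptions, not Sungard's actual policy files.
DEFAULT_POLICY = json.loads("""{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
    "compute:get": "rule:admin_or_owner"
}""")

# Hardened variant: context_is_admin is keyed to a reserved role that only the
# operator's staff hold, so a customer with "admin" on one project stays an
# owner of that project rather than a cloud-wide admin.
HARDENED_POLICY = dict(DEFAULT_POLICY, context_is_admin="role:cloud_admin")


def _check_atom(policy, atom, creds, target):
    """Evaluate one 'kind:value' term of an oslo.policy-style rule string."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(policy, value, creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    # Attribute match, e.g. project_id:%(project_id)s compares the token's
    # project_id with the target object's project_id; a missing side fails.
    if value.startswith("%(") and value.endswith(")s"):
        key = value[2:-2]
        if key not in target:
            return False
        value = str(target[key])
    return kind in creds and str(creds[kind]) == value


def enforce(policy, rule_name, creds, target):
    """Evaluate a named rule; 'or' binds loosest, then 'and' (no parentheses)."""
    return any(
        all(_check_atom(policy, atom.strip(), creds, target)
            for atom in clause.split(" and "))
        for clause in policy[rule_name].split(" or ")
    )


def cross_project_access(policy):
    """Can a customer admin of project p-a read a server that lives in p-b?"""
    customer_admin = {"roles": ["admin"], "project_id": "p-a"}
    return enforce(policy, "compute:get", customer_admin, {"project_id": "p-b"})


if __name__ == "__main__":
    print("default policy leaks across projects:", cross_project_access(DEFAULT_POLICY))
    print("hardened policy leaks across projects:", cross_project_access(HARDENED_POLICY))
```

With the default rule the customer's project admin passes the check on another tenant's project; with the reserved role they only pass on their own project, while an operator holding cloud_admin still passes everywhere.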
  8. Why Not Federation?
     ▼ From what we found in Juno, federation only supported group level assignments
     ▼ Needed more control over which users had access to which projects for a company
  9. Lingering Issues
     ▼ Auth for API access doesn't work through external provider/SSO
     ▼ Seeing session issues with mix of Horizon, Keystone, and SSO sessions/tokens
  10. Future
     ▼ Need to look at Federation and multi-region support in Mitaka
     ▼ Considering replication to allow customers to use all sites without manual syncing
     ▼ Jump forward to Mitaka UI, pulling in patches where necessary
  11. Patches
     ▼ Patches?
       https://github.com/promptworks/horizon/tree/domain-scoped-tokens-62-on-2015.1.0
       https://github.com/promptworks/django_openstack_auth/tree/pw-stable-kilo-patches
       Looks like Horizon is on patch set 111 now - haven't looked at what other differences there are.
       Would like to jump to Mitaka and keep any changes we need