Availability Services, all rights reserved

Overview
▼ Need for multi-domain and SSO support at Sungard
▼ Horizon
▼ SSO with Keystone and Horizon
▼ Policy file updates
▼ Why not federation?
▼ Lingering issues

Need for Multi-Domain @ Sungard
▼ Platform offering is a mix of public and managed cloud
▼ Multi-tenant
▼ A true "self-service" portal required separation of projects by domain
▼ Allow company admins to manage users and projects within their own environment

Requirements for multi-domain
▼ Domain/project isolation
    Domain as company
    Project as "workplace"
▼ Allow an "admin" in the domain to manage users and projects
▼ New role "domain admin" to allow managing these identity concepts, separate from project admin
    Needed to keep these separate in policy

Horizon
▼ Domain-scoped tokens: patch set 62
    Pull in patches to support project and domain scoping
    Multi-token management
    Patch set is up to 111; haven't compared since we went with 62
▼ django_openstack_auth
    Updates to handle auth from SSO

Single Sign-On / External Identity Provider
▼ django_openstack_auth
    Passing the domain name correctly after auth to Horizon
    Handle the auth hand-off from Keystone -> Horizon
    Exchanging unscoped tokens for scoped tokens
▼ OIDC
    Using mod_auth_openidc to handle auth between the OpenAM system and Keystone
    Running Keystone under Apache
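The unscoped-to-scoped exchange above is the step that most often goes wrong when the domain name is not carried through from the IdP login. The following is an added example, not code from the slides, Horizon or django_openstack_auth: it builds the Keystone v3 rescoping bodies, makes the "project name without its domain" mistake a hard error, and parses a scoped-token reply. The `SAMPLE_HEADERS`/`SAMPLE_BODY` reply, the `acme` domain and the `domain_admin` role name are constructed for the example; the HTTP helper is real but not exercised offline.

```python
"""Keystone v3 token rescoping, as Horizon has to do it after an SSO login.

Added example (not the slides' or django_openstack_auth's own code). After
the external IdP authenticates the user, Horizon only holds an *unscoped*
token; everything useful needs a domain- or project-scoped one.
"""
import json
import urllib.request


def scope_request(unscoped_token, *, domain_name=None,
                  project_name=None, project_domain_name=None):
    """Build the POST /v3/auth/tokens body that rescopes an unscoped token.

    Exactly one of domain_name / project_name is required. Keystone can only
    resolve a project *name* relative to a domain, so a project scope must
    carry the project's domain too; dropping it is the "domain name not
    passed correctly" failure mode and yields a 400 from Keystone.
    """
    if (domain_name is None) == (project_name is None):
        raise ValueError("choose exactly one of domain_name or project_name")
    if project_name is not None and project_domain_name is None:
        raise ValueError("a project name must be qualified with its domain name")
    body = {"auth": {"identity": {"methods": ["token"],
                                  "token": {"id": unscoped_token}}}}
    if domain_name is not None:
        body["auth"]["scope"] = {"domain": {"name": domain_name}}
    else:
        body["auth"]["scope"] = {"project": {"name": project_name,
                                             "domain": {"name": project_domain_name}}}
    return body


def post_scoping_request(auth_url, body, opener=urllib.request.urlopen):
    """POST the body to <auth_url>/auth/tokens; returns (headers, parsed JSON).

    Network call; not run in the offline demo below.
    """
    req = urllib.request.Request(auth_url.rstrip("/") + "/auth/tokens",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with opener(req) as resp:
        return dict(resp.headers.items()), json.loads(resp.read().decode())


def parse_scoped_token(headers, body):
    """Pull out what Horizon needs from a 201 reply to the scoping call.

    The token id lives only in the X-Subject-Token header, never in the JSON;
    the JSON carries expiry, roles and the domain/project the token is bound to.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "x-subject-token" not in hdrs:
        raise ValueError("response carries no X-Subject-Token header")
    token = body["token"]
    if "project" in token:
        scope = ("project", token["project"]["name"], token["project"]["domain"]["name"])
    elif "domain" in token:
        scope = ("domain", token["domain"]["name"], token["domain"]["name"])
    else:
        raise ValueError("token is still unscoped")
    return {
        "id": hdrs["x-subject-token"],
        "expires_at": token["expires_at"],
        "roles": sorted(r["name"] for r in token.get("roles", [])),
        "scope": scope,
    }


# Constructed sample of Keystone's reply to a domain-scoping request
# (domain 'acme' and role names are made up for this example).
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABexample", "Content-Type": "application/json"}
SAMPLE_BODY = {"token": {
    "methods": ["token"],
    "expires_at": "2016-01-01T00:00:00.000000Z",
    "domain": {"id": "a1b2", "name": "acme"},
    "roles": [{"id": "r1", "name": "domain_admin"}, {"id": "r2", "name": "member"}],
    "user": {"id": "u1", "name": "alice", "domain": {"id": "a1b2", "name": "acme"}},
}}


if __name__ == "__main__":
    print(json.dumps(scope_request("unscoped-id", domain_name="acme"), indent=2))
    print(parse_scoped_token(SAMPLE_HEADERS, SAMPLE_BODY))
```

When wiring this into a login flow, keep the unscoped token alongside the scoped one: the scoped token is what every service call uses, but switching the user to another domain or project means rescoping the *unscoped* token again, not the scoped one.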
Policy File Updates
▼ Out of the box, anyone with the "admin" role has access to resources in all projects
    Bad for multi-tenant environments
▼ Added a custom role to use in place of "admin" in the context_is_admin rule in the policy files
    Allows assigning "admin" on a project, while the new role is reserved for a select group of users
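The mechanism behind the slide is that the services compute an `is_admin` flag from `context_is_admin` before evaluating any action, so a rule of `role:admin` turns every project-level admin into a cloud-wide one. The block below is an added example, not the slides' policy files and not oslo.policy: it is a small evaluator for the subset of the rule language needed here and runs the same cross-tenant request against the stock rule and the swapped-in one. The reserved role name `cloud_admin`, the project ids and the action names are assumptions; the rule shapes follow the Kilo-era Nova policy.json (`context_is_admin`, `admin_or_owner`).

```python
"""Why the stock context_is_admin rule breaks tenant isolation.

Added example; a deliberately small evaluator for the subset of the
oslo.policy rule language used below (role:, is_admin:, rule:,
project_id:%(project_id)s, 'and', 'or'; no parentheses). The reserved
role name 'cloud_admin' is an assumption, the slides do not name theirs.
"""
import re


class Context:
    """The request credentials a service builds from the scoped token."""

    def __init__(self, roles, project_id):
        self.roles = set(roles)
        self.project_id = project_id
        self.is_admin = False   # filled in by authorize() from context_is_admin


def _check_atom(atom, ctx, target, rules):
    if atom == "@":            # always allowed
        return True
    if atom == "!":            # never allowed
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "is_admin":
        return ctx.is_admin == (value == "True")
    if kind == "rule":
        return check(value, ctx, target, rules)
    # generic check: credential attribute vs. a %(key)s template over the target
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:
        return getattr(ctx, kind, None) == target.get(m.group(1))
    raise ValueError(f"unsupported check {atom!r}")


def check(rule_name, ctx, target, rules):
    """Evaluate a named rule; 'and' binds tighter than 'or', as in oslo.policy."""
    expr = rules[rule_name]
    return any(all(_check_atom(a.strip(), ctx, target, rules)
                   for a in conj.split(" and "))
               for conj in expr.split(" or "))


def authorize(policy, ctx, action, target):
    """Mirror the service flow: derive is_admin first, then check the action."""
    ctx.is_admin = check("context_is_admin", ctx, {}, policy)
    return check(action, ctx, target, policy)


# Stock shape: any user holding 'admin' anywhere becomes a cloud admin.
STOCK_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:get": "rule:admin_or_owner",
    "compute:delete": "rule:admin_or_owner",
}

# Hardened shape: only the reserved role (assumed name) flips is_admin;
# 'admin' on a project is now just a project-scoped role like any other.
HARDENED_POLICY = dict(STOCK_POLICY, context_is_admin="role:cloud_admin")


def cross_tenant_delete(policy):
    """Project admin of 'acme-ws1' deletes a server owned by 'globex-ws1'."""
    ctx = Context(roles={"admin", "member"}, project_id="acme-ws1")
    return authorize(policy, ctx, "compute:delete", {"project_id": "globex-ws1"})


def own_tenant_delete(policy):
    """Same project admin acting inside their own project."""
    ctx = Context(roles={"admin", "member"}, project_id="acme-ws1")
    return authorize(policy, ctx, "compute:delete", {"project_id": "acme-ws1"})


def operator_delete(policy):
    """Operator holding only the reserved role acts on another project."""
    ctx = Context(roles={"cloud_admin"}, project_id="ops")
    return authorize(policy, ctx, "compute:delete", {"project_id": "globex-ws1"})


if __name__ == "__main__":
    for name, pol in (("stock", STOCK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "cross-tenant:", cross_tenant_delete(pol),
              "own-tenant:", own_tenant_delete(pol),
              "operator:", operator_delete(pol))
```

Two things to check when applying this for real: every service's policy file must get the same `context_is_admin` change (Nova, Neutron, Cinder, Glance and Keystone each carry their own), and any rule that names `role:admin` directly rather than going through `is_admin:True` still treats the project-level admin as privileged and needs the same substitution.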
Why Not Federation?
▼ From what we found in Juno, federation only supported group-level assignments
▼ Needed more control over which users had access to which projects for a company

Lingering Issues
▼ Auth for API access doesn't work through the external provider / SSO
▼ Seeing session issues with the mix of Horizon, Keystone, and SSO sessions/tokens

Future
▼ Need to look at federation and multi-region support in Mitaka
▼ Considering replication to allow customers to use all sites without manual syncing
▼ Jump forward to the Mitaka UI, pulling in patches where necessary

Patches
▼ Patches?
    https://github.com/promptworks/horizon/tree/domain-scoped-tokens-62-on-2015.1.0
    https://github.com/promptworks/django_openstack_auth/tree/pw-stable-kilo-patches
▼ Looks like Horizon is on patch set 111 now; haven't looked at what other differences there are
▼ Would like to jump to Mitaka and keep any changes we need