Slide 1

WHO THE HECK ARE YOU? INTEGRATING SSO INTO APACHE CLOUDSTACK
John Burwell ([email protected] | [email protected] | @john_burwell)
Tuesday, June 25, 13

Slide 2

Who The Heck Am I
• Apache CloudStack PMC Member
• Consulting Engineer @ Basho Technologies
• Ran operations and designed automated provisioning for hybrid analytic/virtualization clouds
• Led architectural design and server-side development of a SaaS physical security platform

Slide 3

CloudStack Authentication

Slide 4

Current Capabilities
• Username/password authentication
• Pluggable credential repositories (MySQL, LDAP)
• Pluggable password hashing (SHA256, MD5)

Slide 5

Some Users Require More
• Regulated environments (HIPAA, SOX)
• Enterprises with existing security infrastructure
• Service providers

Slide 6

Authenticate Once, Access Many
[Diagram labels: CloudStack, User, Session Ticket, Object Store, PaaS, Internal Application]

Slide 7

Governance
• Multi-factor authentication (tokens, biometrics, ...)
• Password policy enforcement
• System access audit trails
• Location-based access rules

Slide 8

To meet these requirements ...

Slide 9

SSO = Single Sign-On

Slide 10

Centralized authentication mechanism that permits a user to authenticate once to access multiple systems.

Slide 11

Doesn’t LDAP already do that?

Slide 12

LDAP is a credential store, whereas SSO provides an authentication service that uses credential stores.

Slide 13

Capabilities
• Multiple Authentication Methods
• Password Policy Enforcement/Reset
• Session Management including Remember Me?
• Integration with Multiple Credential Stores

Slide 14

HOW IT WORKS

Slide 15

SSO so great. Why not everyone use?

Slide 16

COMPLEXITY

Slide 17

Complicating Factors
• Potential single point of failure
• Additional service to configure, deploy, and monitor
• Potential performance/scalability bottleneck

Slide 18

Safety vs. Convenience
Let users determine the balance that best meets their requirements.

Slide 19

We need pluggable authentication providers ...

Slide 20

... but you can’t be a little bit secure.

Slide 21

Security Domain
[Domain model: Account, User, Ticket, Session, Profile, Permission, Role, Credential]

Slide 22

Security Services
• Authentication and Authorization Providers
• User/Role Provisioning/Termination
• Session Management
• Credential Management

Slide 23

SSO Integration Proposal

Slide 24

Next Release (4.3)
• Implement security framework
• Factor current CloudStack authentication/authorization into a framework plugin
• Develop an SSO authentication framework plugin
• Current CloudStack authentication/authorization will be configured by default
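The proposal on slides 19 through 24 (a security framework that owns sessions and tickets, with authentication delegated to interchangeable provider plugins, one wrapping today's username/password path and one wrapping an SSO identity service) sketched in Python as an added example. This is not CloudStack code and not Keystone's protocol: the provider names, the HMAC-signed assertion standing in for an SSO token, the shared key and the sample users are all assumptions constructed for the illustration. The local provider also shows why "pluggable password hashing (SHA256, MD5)" on slide 4 matters: it stores a salted, iterated hash rather than a bare digest.

```python
# Added illustration, not CloudStack code: provider names, token format and users are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:  # the User/Account/Role corner of the security domain (slide 21)
    account: str
    user: str
    roles: frozenset

class LocalPasswordProvider:
    """Today's username/password path as a plugin. Stores salted PBKDF2-SHA256 rather
    than a bare MD5/SHA256 digest, which is cheap to brute-force offline if it leaks."""
    def __init__(self):
        self._store = {}  # username -> (salt, digest, Principal)

    def enroll(self, username, password, principal):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._store[username] = (salt, digest, principal)

    def authenticate(self, credentials):
        record = self._store.get(credentials.get("username", ""))
        if record is None:
            return None
        salt, expected, principal = record
        actual = hashlib.pbkdf2_hmac("sha256", credentials.get("password", "").encode(), salt, 100_000)
        # constant-time compare so a mismatch does not leak where the digests differ
        return principal if hmac.compare_digest(actual, expected) else None

class SsoTokenProvider:
    """Stand-in for the SSO plugin (e.g. Keystone): it never sees a password, only an assertion
    minted by the identity service. The account|user|roles|expiry|hmac format is constructed."""
    def __init__(self, shared_key, clock):
        self._key, self._clock = shared_key, clock

    def _sign(self, body):
        return hmac.new(self._key, body.encode(), "sha256").hexdigest()

    def mint(self, principal, expiry):  # what the identity service would do
        body = f"{principal.account}|{principal.user}|{','.join(sorted(principal.roles))}|{expiry}"
        return f"{body}|{self._sign(body)}"

    def authenticate(self, credentials):
        parts = credentials.get("sso_token", "").split("|")
        if len(parts) != 5 or not hmac.compare_digest(parts[4], self._sign("|".join(parts[:4]))):
            return None  # malformed, forged or tampered assertion
        account, user, roles, expiry = parts[:4]
        if not expiry.isdigit() or int(expiry) < self._clock():
            return None  # expired assertion
        return Principal(account, user, frozenset(roles.split(",")))

class SecurityFramework:  # owns providers, sessions and tickets; services only ever call validate()
    def __init__(self, providers, ttl_seconds, clock):
        self._providers, self._sessions, self._ttl, self._clock = providers, {}, ttl_seconds, clock

    def login(self, provider_name, credentials):
        provider = self._providers.get(provider_name)
        principal = provider.authenticate(credentials) if provider else None
        if principal is None:
            return None
        ticket = secrets.token_urlsafe(32)  # opaque session ticket, identical for every provider
        self._sessions[ticket] = (principal, self._clock() + self._ttl)
        return ticket

    def validate(self, ticket):
        principal, expires_at = self._sessions.get(ticket, (None, 0))
        if principal is not None and expires_at > self._clock():
            return principal
        self._sessions.pop(ticket, None)  # expired or unknown: never honoured
        return None

def service_access(framework, ticket, required_role):
    # object store, PaaS and internal app (slide 6) all authorise the same way
    principal = framework.validate(ticket)
    return principal is not None and required_role in principal.roles

def demo():
    now = [1_000_000.0]  # injectable clock so ticket expiry is deterministic
    alice, bob = Principal("acme", "alice", frozenset({"admin"})), Principal("acme", "bob", frozenset({"user"}))
    local, sso = LocalPasswordProvider(), SsoTokenProvider(b"constructed-shared-key", lambda: now[0])
    local.enroll("alice", "correct horse", alice)
    fw = SecurityFramework({"local": local, "sso": sso}, ttl_seconds=600, clock=lambda: now[0])
    bob_token = sso.mint(bob, int(now[0]) + 60)
    t_alice = fw.login("local", {"username": "alice", "password": "correct horse"})
    t_bob = fw.login("sso", {"sso_token": bob_token})
    results = {
        "wrong_password_rejected": fw.login("local", {"username": "alice", "password": "x"}) is None,
        "tampered_token_rejected": fw.login("sso", {"sso_token": bob_token.replace("user", "admin")}) is None,
        "alice_admin_ok": service_access(fw, t_alice, "admin"),
        "bob_user_ok": service_access(fw, t_bob, "user"),
    }
    now[0] += 601  # ticket TTL elapses
    results["expired_ticket_rejected"] = not service_access(fw, t_alice, "admin")
    return results
```

Running `demo()` exercises both plugins behind one framework: a failed local login, a tampered SSO assertion and an expired ticket are all refused, while valid tickets from either provider are accepted by the same `service_access` check. The point of the structure is the one the deck makes: swapping providers changes where authentication happens, not whether sessions, tickets and authorization are enforced.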

Slide 25

We build a cloud orchestration platform.

Slide 26

JAAS
• Pros
  • Standard
• Cons
  • Requires a JEE application server
  • No runtime pluggability

Slide 27

Spring Security
• Pros
  • Robust declarative programming model
  • Natural integration with current Spring implementation
• Cons
  • Complex runtime extension model
  • Increases coupling with Spring

Slide 28

Apache Shiro
• Pros
  • Straightforward extension model
  • Lightweight POJO model with support for Spring integration
• Cons
  • May not be capable of meeting the data storage requirements

Slide 29

... and the winner is
None yet, but no JAAS

Slide 30

Which SSO?
[Word cloud: CAS, Keystone, Facebook Login, Google Single Sign-On, OpenID, Amazon IAM, Active Directory, Oracle Identity Management Server, IBM Security Access Manager, OAuth, SASL, Kerberos, Multi-factor Authentication, Password hashing, Password Aging, Password Strength, Session Management, LDAP]

Slide 31

SSO Landscape
• Protocols/Standards: Keystone, Kerberos, OAuth, OpenID, SAML, SASL
• Platforms: Amazon IAM, Active Directory, CAS, Facebook Login, JOSSO, Google Single Sign-On, Keystone, IBM Security Access Manager, Oracle Identity Management
• Methods/Operations: Multi-factor Authentication, Password Reset, Remember me?
• Policies: Password aging, strength, and hashing; Session Management
• Stores: LDAP, Relational Databases

Slide 32

Selection Criteria
• Protocols/Standards with open source implementations
• Allow the integration of additional cloud services (object storage, PaaS, ...)
Finalists: OAuth, Keystone, and SAML

Slide 33

OAuth/OAuth2
• Pros
  • Wide adoption
  • Supports both user and application authentication
• Cons
  • Turmoil around the OAuth2 specification
  • Potential security holes due to design flaws
  • Lack of support from complementary cloud technologies

Slide 34

Keystone
• Pros
  • Momentum
  • Designed to support cloud identity management
  • Supported by technologies complementary to CloudStack (e.g. Riak CS, Swift ...)
• Cons
  • Limited, but growing, third-party support
  • Evolving standard specification and operation

Slide 35

SAML
• Pros
  • Stable specification
  • Wide support
• Cons
  • Complexity
  • Lack of support from complementary cloud technologies

Slide 36

... and the winner is
Keystone

Slide 37

Future Directions
• AWS API support for Amazon IAM
• Fine grained Authorization
• Automated Password Reset
• Application Audit Trails
• SAML Plugin

Slide 38

Summary
• Current CloudStack authentication supports many use cases
• SSO integration would allow CloudStack to meet advanced authentication requirements
• Introduce a security framework to provide users the flexibility to balance operational complexity and security
• For 4.3, factor current authentication mechanism into the new framework and provide a Keystone implementation

Slide 39

Thoughts? Questions?

Slide 40

Thank you!
Slides available @ http://speakerdeck.com/jburwell