openstack team mailing list archive

Thread
Date

Proposing an Identity Service in OpenStack (a.k.a. Auth)

To: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
From: Ziad Sawalha <ziad@xxxxxxxxxxx>
Date: Mon, 18 Apr 2011 06:42:22 -0500
Accept-language: en-US
Acceptlanguage: en-US
Thread-index: Acv9va0fgi3uhFQgT6iJK8ifWbDC/A==
Thread-topic: Proposing an Identity Service in OpenStack (a.k.a. Auth)

Hi Everyone,

For OpenStack to achieve the goal of being a "massively scalable cloud operating system", it needs a common approach to some of the problems that an "operating system"deals with such as Authentication (auth-n) and Authorization (auth-z). There has been much discussion on the topic (see below) so we are proposing we combine all these efforts into a new OpenStack project that addresses the auth of all other projects.

I would like to raise this for discussion at the upcoming summit in Santa Clara and put forward the following as a starting point for the discussion:

SCOPE
The potential scope for an auth service is huge; this is not a simple problem, especially when you deal with authorization and, eventually, usage metering. We suggest we start with a minimum viable product (MVP) and that the most immediate requirements that need to be addressed are what has already been solved for in Swift and Nova today.

We propose to start building in (1-2 week) iterations during the Diablo development phase:
* One Service: there should be one auth-n service (this does not presume or preclude auth-z)
* Service is a new Core service
* Protocol: initial implementation of Rackspace auth token
* Anyscale: single dev machine to globally distributed
* Integrate with Swift, Nova
* Independent: I can run this on its own (no coupling to other services). Therefore can be installed and run with any services that are OpenStack compatible.

TIMELINE
Iteration 0 (1-2 weeks): MVP prototype
* blueprint
* We need lightweight delegation (one tenant / multiple users) on validate (this extends scope of what is in Rackspace and Swift, but is needed for Nova)
* No delegation beyond existing Nova and Swift implementation
* Using a Token
* Admin is handled by "groups" (roles) - only group allowed to be returned is ADMIN
* nothing as a Service for testing.

Post MVP: iteration 2/3/...: defined from subset of backlog & feedback from community

Backlog:
* migration path from cactus
* support for ec2 & openstack api
* zones support
* authz by group/role/attribute/... with pluggable Policy Engine
* Pluggable back-end (ex: database, LDAP, Active Directory, PAM, Swift)
* rbac / roles
* Delegation
* OAuth for solving 3rd party partner problem / federation
* (Generic?) Organizational Model
* user management API


DESIGN SUMMIT
* We are looking forward to starting a discussion with the community on how to incrementally define and execute on a common Auth system for OpenStack


ADDITIONAL INFORMATION
For reference, existing blueprints and discussions on the topic are:

SPECS and CODE
http://wiki.openstack.org/AuthnAuthz (spec and discussion)
http://wiki.openstack.org/openstack-authn (spec)
http://bazaar.launchpad.net/~anso/nova/authn_and_authz/revision/770 (auth service prototype)
https://code.launchpad.net/~khussein/swift/authn (middleware proposal)

SWIFT
https://blueprints.launchpad.net/swift/+spec/swift-authn
https://blueprints.launchpad.net/swift/+spec/bexar-swauth

NOVA
https://blueprints.launchpad.net/nova/+spec/authentication-consistency
https://blueprints.launchpad.net/nova/+spec/nova-authn

GLANCE
https://blueprints.launchpad.net/glance/+spec/authentication

BURROW
https://blueprints.launchpad.net/burrow/+spec/openstack-auth-ldap

Regards,
Ziad

Follow ups

Re: Proposing an Identity Service in OpenStack (a.k.a. Auth)
From: Eric Day, 2011-04-18
Re: Proposing an Identity Service in OpenStack (a.k.a. Auth)
From: Sandy Walsh, 2011-04-18