openstack team mailing list archive

Thread
Date

Federated Access To OpenStack

To: openstack@xxxxxxxxxxxxxxxxxxx
From: David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date: Sun, 05 Aug 2012 23:16:24 +0100
Cc: ISSR Group <issr-group@xxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20120713 Thunderbird/14.0

Hi Everyone

during the last few weeks we have been working on adding federatedaccess to Open Stack. The basic system is now working in our lab, andclients for nova, swift and glance have been modified in order to allowfederated access through a set of federated APIs that we have designedand built. The specifications for the APIs and implementation have beenuploaded to DropBox and are available here:


http://dl.dropbox.com/u/44986510/Adding%20federated%20access%20to%20OpenStack%201.pdf
http://dl.dropbox.com/u/44986510/Client%20Connection%20API%20v1.pdf
http://dl.dropbox.com/u/44986510/Federated%20Middleware%20Services-v1.pdf
http://dl.dropbox.com/u/44986510/UserGuide.pdf

All comments and feedback from the community will be gratefully received.

We currently use SAML as the federated access protocol, since a Pythonlibrary for this already exists, but this can be changed to OpenID OAuthor anything else without changing the specifications or the clientimplementations (so we hope from the design). Only the federatedmiddleware will need to change, and we can do this once suitablepackages become available in Python.

We hope to have public demos available by the end of this week, once wecan sort out the university firewall and other issues.

A use case we have for our federated access is an open source researchrepository in the cloud for the UK academic community. Since all UKstudents and staff (up to 1 million people) already have their ownuniversity un/pws, they should be able to login to the cloud repositoryusing their existing credentials, in order to store and share theirresearch outputs with others. They should not need to obtain new un/pwsin order to access the cloud service. Our federated access to OpenStackprovides this functionality. Users who can successfully identifythemselves as members of the UK academic community will be automaticallyenrolled as cloud users and given appropriate tenant IDs.

I look forward to having fruitful discussions with you about federatedaccess to OpenStack.


regards

David