Bridging Clouds with Keystone to Keystone Federation Vishakha - - PowerPoint PPT Presentation



SLIDE 1

Bridging Clouds

with Keystone to Keystone Federation

Vishakha Agarwal Colleen Murphy

SLIDE 2

Who are we?

  • Vishakha Agarwal (vishakha)
  • Senior Member Technical Staff at NEC
  • Keystone contributor
  • Colleen Murphy (cmurphy)
  • Cloud Developer at SUSE
  • Keystone PTL

SLIDE 3

Overview

  • What is federated identity?
  • What is Keystone to Keystone federation?
  • History of Keystone to Keystone
  • Terminology
  • Auth flows
  • Configuration
  • Demonstration
  • What's next?

SLIDE 4

What is federated identity?

A shared, trusted source of identity information and means of authentication external to the keystone service.

SLIDE 5

What is Keystone to Keystone federation?

Keystone acts as the trusted source and means of authentication to another keystone instance.

SLIDE 6

History of Keystone to Keystone

  • Federation implemented in Icehouse
  • K2K implemented in Kilo
  • Created primarily for cloud bursting scenarios
  • Also for in-house multi-site deployments

SLIDE 7

Modern use cases for K2K

  • Multi-site
  • Edge computing

SLIDE 8

Terminology

  • Identity Provider (IdP)
      ○ The thing that accepts your credentials, validates them, and generates a yay/nay response.
  • Service Provider (SP)
      ○ The thing with the resource we need.
      ○ For keystone, the service it provides is the tokens that we use on other OpenStack services.

In a Keystone to Keystone configuration, one keystone instance is an IdP and one is an SP. They could also EACH be both an IdP and an SP!

SLIDE 9

Terminology

  • SAML2.0
      ○ an XML-based federation protocol.
  • Assertion
      ○ a formatted statement from the Identity Provider that asserts that a user is authenticated and provides some attributes about the user.

SLIDE 10

Federation in Keystone

  • Shadow users
      ○ Keystone's local copy of a remote user's attributes
      ○ Allows for consistent handling of users coming from different sources, especially with regard to role assignments
  • Mapping Rules
      ○ Keystone's JSON API maps attributes from a SAML assertion to attributes of a local keystone user
      ○ Handles both user identity (e.g. username) and authorization (group membership or auto-provisioned role assignments)

SLIDE 11

SAML2.0 Profiles

  • WebSSO
      ○ the basic SAML2.0 auth flow profile, involving a web browser
      ○ NOT used for K2K
  • ECP
      ○ SAML2.0 auth flow profile without a browser
      ○ K2K uses a modified form of this

SLIDE 12

WebSSO Auth Flow

SLIDE 13

Keystone to Keystone Auth Flow

SLIDE 14

Setup keystone to keystone Federation

  • Start with two keystone installations, one for the Service Provider and one for the Identity Provider
  • Configure horizon for the Identity Provider
  • See the install guide https://docs.openstack.org/keystone/latest/install/
  • Tip: enable insecure_debug in keystone.conf to help debug auth attempts during set up (disable for production!)

SLIDE 15

Configure Keystone as Identity Provider

  • Install xmlsec1 and generate a PKI key-pair.
  • Configure the SAML2.0 Identity Provider metadata in keystone.conf.
      ○ idp_entity_id
      ○ idp_sso_endpoint
  • Generate metadata for the Identity Provider through keystone-manage.

SLIDE 16

Configure Keystone as Identity Provider

  • Add more keys to the keystone conf file
      ○ certfile and keyfile
      ○ metadata of the IDP
  • For instance - vi /etc/keystone/keystone.conf

    [saml]
    idp_entity_id = http://idp.keystone.demo/idp
    idp_sso_endpoint = http://irrelevant
    certfile = /etc/keystone/ssl/certs/signing_cert.pem
    keyfile = /etc/keystone/ssl/private/signing_key.pem
    idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml

SLIDE 17

Configure Keystone as Service Provider

  • Create an identity provider resource with the same entity id we configured in the IDP (here the Remote ID is the same as the entityID of the IDP)

    $ openstack identity provider create \
        --remote-id http://idp.keystone.demo/idp keystoneidp

Note - We can grep the remote id by making a curl request to its metadata endpoint.

    $ curl -s http://idp.keystone.demo/v3/OS-FEDERATION/saml2/metadata | grep entityID
    <EntityDescriptor entityID="urn:example:idp" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

  • Create the group "federated_users" locally, to which remote users will be mapped, and assign it some role on a project.

    $ openstack group create federated_users
    $ openstack role add --group federated_users --project admin admin

SLIDE 18

  • Create a JSON file for rules defining the remote parameter mapped to local.

    [
        {
            "local": [
                {
                    "user": {"name": "{0}"},
                    "group": {"domain": {"name": "Default"}, "name": "federated_users"}
                }
            ],
            "remote": [
                {"type": "openstack_user"}
            ]
        }
    ]
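To make the slide's rule set concrete, here is a small evaluator for keystone mapping rules written for this page (it is not keystone's own mapping engine): it applies the rules to the attributes extracted from an assertion and refuses the login when no rule produces a user. It supports `type`, `any_one_of` and `not_any_of` with exact matching plus the positional `{n}` placeholders; regex conditions, whitelist/blacklist and multi-valued direct maps are left out, and the second rule in the sample is constructed to show a conditional group.

```python
"""Simplified evaluator for keystone mapping rules (added example, not keystone's code)."""
import json

# Constructed sample: the slide's rule plus a second rule that grants an extra
# group only when the remote roles attribute contains "admin".
RULES = json.loads("""[
  {"local": [{"user": {"name": "{0}"},
              "group": {"domain": {"name": "Default"}, "name": "federated_users"}}],
   "remote": [{"type": "openstack_user"}]},
  {"local": [{"group": {"domain": {"name": "Default"}, "name": "federated_admins"}}],
   "remote": [{"type": "openstack_user"},
              {"type": "openstack_roles", "any_one_of": ["admin"]}]}
]""")


def _condition_holds(cond, values):
    """Check one 'remote' condition against the attribute's values (exact match only)."""
    if "any_one_of" in cond:
        return any(v in cond["any_one_of"] for v in values)
    if "not_any_of" in cond:
        return not any(v in cond["not_any_of"] for v in values)
    return True  # a bare {"type": ...} only requires the attribute to be present


def _render(node, direct):
    """Substitute the positional {0}, {1}, ... placeholders in a local template."""
    if isinstance(node, dict):
        return {k: _render(v, direct) for k, v in node.items()}
    if isinstance(node, str):
        return node.format(*direct)
    return node


def apply_mapping(rules, assertion):
    """Return (user, group_names) for an assertion, or raise if no rule matches."""
    user, groups = None, []
    for rule in rules:
        direct = []  # values feeding the positional placeholders, in rule order
        for cond in rule["remote"]:
            values = assertion.get(cond["type"])
            if not values or not _condition_holds(cond, values):
                break  # this rule does not apply
            if "any_one_of" not in cond and "not_any_of" not in cond:
                direct.append(values[0])  # first value only (simplification)
        else:  # every remote condition held: emit the rule's local mapping
            for local in rule["local"]:
                rendered = _render(local, direct)
                user = rendered.get("user", user)
                if "group" in rendered:
                    groups.append(rendered["group"]["name"])
    if user is None:
        raise ValueError("no mapping rule produced a user; federated login refused")
    return user, groups
```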
SLIDE 19

Configure Keystone as Service Provider

  • Create mapping

    $ openstack mapping create --rules rules.json k2kmap

  • Create Federation Protocol

    $ openstack federation protocol create saml2 \
        --mapping k2kmap \
        --identity-provider keystoneidp

SLIDE 20

Configure Keystone as Service Provider

  • Install apache shibboleth and generate keys.
  • Edit shibboleth2.xml
      ○ Entity id of IDP
      ○ Entity id of SP
      ○ Metadata URL of IdP
  • Add the attribute to attribute-map.xml
  • Check /var/log/shibboleth/shibd.log and /var/log/shibboleth/shibd_warn.log for errors or warnings.

SLIDE 21

Configure Keystone as Service Provider

  • Change the vhost file of keystone.

    vi /etc/apache2/sites-available/keystone-wsgi-public.conf

    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    <Location /v3/OS-FEDERATION/identity_providers/keystoneidp/protocols/saml2/auth>
        ShibRequestSetting requireSession 1
        AuthType shibboleth
        ShibExportAssertion Off
        Require valid-user
        <IfVersion < 2.4>
            ShibRequireSession On
            ShibRequireAll On
        </IfVersion>
    </Location>

SLIDE 22

Configure Keystone as Service Provider

  • SP Keystone should know about a federated login.
      ○ auth method

For instance - vi /etc/keystone/keystone.conf

    [auth]
    methods = password,token,saml2

SLIDE 23

Setting up keystone IDP to keystone SP

  • Create a Service Provider resource in the IDP keystone.
      ○ auth-url
      ○ service-provider-url

For instance -

    $ openstack service provider create keystonesp \
        --auth-url http://sp.keystone.demo/identity/v3/OS-FEDERATION/identity_providers/keystoneidp/protocols/saml2/auth \
        --service-provider-url http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP

SLIDE 24

Setting up keystone IDP to keystone SP

  • To view the urn:oasis:names:tc:SAML:2.0:bindings:PAOS binding for the Assertion Consumer Service of the Service Provider

    $ curl -s http://sp.keystone.demo/Shibboleth.sso/Metadata | grep urn:oasis:names:tc:SAML:2.0:bindings:PAOS
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP" index="4"/>
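Instead of eyeballing the two `curl | grep` outputs (the IdP entityID check on slide 17 and the PAOS binding check above), the following added script (not part of the talk or of keystone) parses the IdP and SP metadata and checks that the `--remote-id` given to the SP keystone matches the IdP's entityID and that the `--service-provider-url` given to the IdP keystone is one of the SP's PAOS (ECP) endpoints. The metadata samples are constructed; in a real check you would substitute the bodies returned by the two curl commands.

```python
"""Added example: consistency check for a K2K pair from the two SAML metadata documents."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Constructed samples standing in for the two curl responses on the slides.
IDP_METADATA = """<EntityDescriptor entityID="urn:example:idp"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>"""
SP_METADATA = """<md:EntityDescriptor entityID="http://sp.keystone.demo/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.keystone.demo/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="4" Binding="{paos}"
        Location="http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""".format(paos=PAOS)


def idp_entity_id(metadata_xml):
    """The entityID the IdP will put in the Issuer of every assertion it signs."""
    return ET.fromstring(metadata_xml).get("entityID")


def ecp_acs_locations(metadata_xml):
    """ACS endpoints that accept the PAOS binding, i.e. the SP's ECP endpoints."""
    root = ET.fromstring(metadata_xml)
    return [acs.get("Location")
            for acs in root.iterfind(".//md:AssertionConsumerService", NS)
            if acs.get("Binding") == PAOS]


def check_k2k_config(remote_id, idp_metadata_xml, sp_url, sp_metadata_xml):
    """Return the configuration problems found (an empty list means consistent)."""
    problems = []
    issuer = idp_entity_id(idp_metadata_xml)
    if remote_id != issuer:
        # The SP keystone looks up the identity provider resource by the
        # assertion's Issuer, so --remote-id must equal the IdP entityID.
        problems.append("remote-id %r != IdP entityID %r" % (remote_id, issuer))
    if sp_url not in ecp_acs_locations(sp_metadata_xml):
        # The IdP keystone posts the ECP response to --service-provider-url,
        # so that URL must be one of the SP's PAOS-binding endpoints.
        problems.append("service-provider-url %r is not a PAOS ACS endpoint" % sp_url)
    return problems
```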

SLIDE 25

Testing with CLI

  • CLI to issue a token for project admin on the SP through the IDP

    $ openstack \
        --os-service-provider keystonesp \
        --os-remote-project-name demo \
        --os-remote-project-domain-name Default \
        token issue

SLIDE 26

Demonstration

SLIDE 27

Setup k2k Federation

https://docs.openstack.org/keystone/latest/admin/federation/federated_identity.html

SLIDE 28

What's next?

  • Keystone as a first-class identity provider
  • Keystone as an identity provider proxy
  • Groups as attributes in keystone-generated assertions
  • Application credentials enhanced for use on Edge sites
  • Native SAML

SLIDE 29

SLIDE 30

Questions?