Addressing access control in the enterprise is a huge challenge. As cloud architects and cloud operators we need to take into account the complexities of existing enterprise authentication standards and requirements. The maturity of OpenStack authentication mechanisms allows for only limited controls and auditing that often don't meet the perceived needs of the enterprise.
We will discuss the shortfalls and challenges that exist in OpenStack today and what is being done through blueprints and proposed patches to remedy the situation.
Finally we will present a possible solution to the problem, and include a demo of a working RBAC solution for the enterprise.
During the talk we will cover the following:
- What are the requirements that we are typically seeing in enterprises?
- Where does OpenStack fall short today?
- What is being done: a discussion of blueprints and patches to review
- What RBAC is currently lacking:
  - Native auditing capabilities
  - The ability to modify rules programmatically (via an API)
  - Synchronization capabilities across services and nodes
  - A format that is easy to read
  - Multiple policy locations, which cause ambiguity and extra complexity
  - Resulting separation-of-duties issues
- Alternatives to policy.json
- Issues with alternatives
- Conclusion: We can make it work but must give up certain capabilities in order to fit with Keystone's model. Is it time to address this model? Or just continue searching for an RBAC model that adopts Keystone's architecture model?
- A proposed RBAC solution and demo.
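Two of the policy.json shortcomings listed above, the lack of native auditing and the ambiguity of rules spread over multiple locations, are easy to make concrete with a small offline check. The script below is an added example written for this page, not code from the talk or from any OpenStack project. It loads several constructed policy.json fragments (the three services, paths and rules are sample data, not a real deployment), reports aliases such as `admin_or_owner` that are defined differently in different files, and flags targets whose rule is an empty string or `@`, which oslo.policy treats as "always allowed".

```python
import json
from collections import defaultdict

# Constructed sample policy.json fragments, one per service. The paths and the
# rule text are illustrative only; they are not taken from a real deployment.
POLICY_FILES = {
    "nova/policy.json": """{
        "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
        "compute:create": "rule:admin_or_owner",
        "compute:delete": "rule:admin_or_owner",
        "os_compute_api:os-flavor-manage": ""
    }""",
    "cinder/policy.json": """{
        "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s",
        "volume:create": "rule:admin_or_owner",
        "volume:delete": "rule:admin_or_owner"
    }""",
    "glance/policy.json": """{
        "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
        "add_image": "",
        "delete_image": "@"
    }""",
}

# In oslo.policy syntax an empty rule and "@" both mean "allow any caller".
UNRESTRICTED = {"", "@"}


def load_policies(files):
    """Parse each policy.json text into a mapping of target -> rule string."""
    return {path: json.loads(text) for path, text in files.items()}


def find_inconsistent_aliases(policies):
    """Return {target: {rule_text: [files]}} for every target (typically a
    reusable alias such as admin_or_owner) that is defined with different
    rule text in different policy files. Those are the ambiguous cases an
    operator must reconcile by hand."""
    definitions = defaultdict(lambda: defaultdict(list))
    for path, rules in policies.items():
        for target, rule in rules.items():
            definitions[target][rule].append(path)
    return {t: dict(defs) for t, defs in definitions.items() if len(defs) > 1}


def find_unrestricted_rules(policies):
    """Return sorted [(file, target)] for rules that grant access to any
    authenticated caller, regardless of role or project."""
    hits = []
    for path, rules in policies.items():
        for target, rule in rules.items():
            if rule.strip() in UNRESTRICTED:
                hits.append((path, target))
    return sorted(hits)


def audit(files=POLICY_FILES):
    """Run both checks and return a report dict that can be logged or diffed."""
    policies = load_policies(files)
    return {
        "inconsistent": find_inconsistent_aliases(policies),
        "unrestricted": find_unrestricted_rules(policies),
    }


if __name__ == "__main__":
    report = audit()
    for alias, defs in report["inconsistent"].items():
        print(f"alias '{alias}' has {len(defs)} different definitions:")
        for rule, paths in defs.items():
            print(f"  {rule!r} in {', '.join(paths)}")
    for path, target in report["unrestricted"]:
        print(f"unrestricted rule: {target} in {path}")
```

Run against a real deployment, the only change needed is to read each service's policy file from disk instead of the inline strings; the two checks stay the same and give a repeatable baseline that can be stored and diffed, which is the kind of auditing policy.json does not provide on its own.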