Icehouse, the 9th release of OpenStack, is out! Thanks to the 1200+ contributors.

OpenStack Summit Presentations


"A Multi-tenant RBAC Federated system for OpenStack"

By: Dinkar Sitaram

OpenStack is extensively used in industry today. With increasing collaboration both within a single organization and between several, resource sharing is a natural extension of the existing implementation of isolated tenants (i.e. allowing resource sharing between tenants within an organization). Furthermore, access and resource sharing between different cloud installations is also unaddressed. We propose the addition of a service that handles both requirements, i.e. resource sharing between tenants within a single organization and between tenants in different cloud installations. Our proposal (which will be submitted as a blueprint and is under implementation) aims to provide multi-tenant federated access to resources within OpenStack. A federation is an association comprising any number of service providers and identity providers, which in this scenario means different OpenStack clouds/installations. Multi-tenancy support is defined as the capability of a single cloud instance to provide its service to several customers/tenants simultaneously; here this refers not only to the mere existence of several tenants but also to the capability of sharing resources between tenants within the same cloud instance or in other cloud instances, through federated access.

This brings forth the need for improved Identity Management and Policy Enforcement that does not rework existing deployments but rather extends them seamlessly with the required functionality. We model the functionality of this service and the extensions required to accommodate it. The crux of our model lies in the way we represent each user and his capabilities. The current system uses a 3-tuple of (Subject, Privilege, Object) to represent users and the resources they are allowed to access. We plan to extend this to a 5-tuple (Issuer, role(Issuer, roleName), Privilege, Interface, Object) so as to incorporate RBAC and provide access to remote resources outside the user's own tenant and cloud installation.
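To make the 5-tuple concrete, here is an added illustration (not the proposal's implementation, which the abstract does not show) of a default-deny policy check over (Issuer, role(Issuer, roleName), Privilege, Interface, Object). The cloud names, the "volume" interface and the grants are constructed; the point is that a role is only meaningful together with the cloud that issued it, so a role called "admin" minted by a federated cloud does not collide with the local admin role, and a remote grant stays scoped to the object it was shared on.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

# Hypothetical model of the 5-tuple from the abstract; all names are constructed.
Role = Tuple[str, str]  # role(Issuer, roleName): the cloud that issued the role


@dataclass(frozen=True)
class Grant:
    issuer: str      # cloud whose identity provider must have issued the token
    role: Role       # issuer-qualified role the subject must hold
    privilege: str   # e.g. "read" or "write"
    interface: str   # API surface the request arrives through, e.g. "volume"
    obj: str         # resource identifier; "*" matches any object

    def permits(self, issuer: str, roles: Iterable[Role],
                privilege: str, interface: str, obj: str) -> bool:
        return (self.issuer == issuer and self.role in roles
                and self.privilege == privilege and self.interface == interface
                and self.obj in ("*", obj))


def authorize(policy, issuer, roles, privilege, interface, obj) -> bool:
    """Default deny: allowed only if some grant matches the token's issuer,
    one of its issuer-qualified roles, and the privilege/interface/object."""
    return any(g.permits(issuer, roles, privilege, interface, obj) for g in policy)


# Constructed sample policy of cloud-a: its own admins keep full access
# (the legacy 3-tuple behaviour), and volume v1 is shared read-only with the
# "auditor" role issued by the federated cloud-b.
POLICY = (
    Grant("cloud-a", ("cloud-a", "admin"), "write", "volume", "*"),
    Grant("cloud-a", ("cloud-a", "admin"), "read", "volume", "*"),
    Grant("cloud-b", ("cloud-b", "auditor"), "read", "volume", "v1"),
)


def demo():
    local_admin = authorize(POLICY, "cloud-a", [("cloud-a", "admin")], "write", "volume", "v1")
    remote_auditor = authorize(POLICY, "cloud-b", [("cloud-b", "auditor")], "read", "volume", "v1")
    # An "admin" role issued by cloud-b is not cloud-a's admin role.
    remote_admin = authorize(POLICY, "cloud-b", [("cloud-b", "admin")], "write", "volume", "v1")
    # A cloud-a admin role carried in a token issued by cloud-b is rejected too.
    wrong_issuer = authorize(POLICY, "cloud-b", [("cloud-a", "admin")], "write", "volume", "v1")
    # The shared grant is scoped to v1 only.
    other_obj = authorize(POLICY, "cloud-b", [("cloud-b", "auditor")], "read", "volume", "v2")
    return local_admin, remote_auditor, remote_admin, wrong_issuer, other_obj


if __name__ == "__main__":
    print(demo())  # (True, True, False, False, False)
```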

Our talk will give a detailed look at this proposal.
