Beyond OpenStack for IT, NFV is another killer use case. Horizontally, multiple NGPoPs (OpenStack deployments) are geographically distributed but should be centrally controlled. Vertically, users of cross-layer services such as bare metal, IaaS, VNF and/or SDN should be federated. Hence, the Identity and Access Management (IAM) module becomes a key issue.
The proposed solution enables dynamic policy reconfiguration instead of a static OSLO policy.json, and enables an external PDP (Policy Decision Point) to manage multiple OpenStack deployments for NFV NGPoPs. This PDP is organized around a set of upstreamed hooks into OpenStack/OSLO, OpenDaylight/AAA, and possibly OpenContrail in the future. It also proposes a reference implementation of the security policy engine, called Moon, hosted by the OPNFV community.
Orange, as a major telco operator, is planning the production deployment of this “external PDP mechanism” in 2019 for its first VNFs, in collaboration with the upstream community and Red Hat.
This presentation shows a new way to use OpenStack for telco which is radically different from the existing (IT-centric) public and private cloud use cases. Instead of using one OpenStack to manage multiple data centers, NFV requires an independent security module to coordinate multiple geographically distributed OpenStack instances. The synchronization of user accounts and permissions among these OpenStack instances becomes a technical challenge. The proposition shows an “external PDP” approach as the “authorization source of truth” for the individual OpenStack deployments. The proposed policy engine also enables dynamic reconfiguration of the security policy. This drastically simplifies OpenStack administration by allowing user permissions to be adapted at runtime to satisfy ever-changing business needs.
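To make the contrast concrete, the following is an added example (not code from the Moon project, OPNFV, or oslo.policy): a toy external PDP that keeps one policy set per NGPoP, answers authorization queries for all of them from one place, and lets an operator change a single rule at runtime, placed next to a "static enforcer" that loads a policy.json once at startup the way a single deployment does today. The rule syntax only imitates the `role:x`, `rule:y`, `and`/`or`, `@`/`!` forms of oslo.policy in a simplified grammar without parentheses; the deployment names, roles and actions are constructed for the example, and unknown deployments or actions are denied (fail closed).

```python
"""Toy external PDP for several OpenStack deployments (added example)."""
import json
import threading

# Constructed sample: a policy.json-style document as one deployment would
# load at service start. Real oslo.policy files use the same rule shape.
STATIC_POLICY_JSON = json.dumps({
    "admin_required": "role:admin",
    "compute:start": "rule:admin_required or role:vnf_operator",
    "compute:delete": "rule:admin_required",
})


def _check_atom(atom, creds, rules):
    """Evaluate one check: '@' (allow), '!' (deny), 'role:<r>' or 'rule:<name>'."""
    atom = atom.strip()
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        # Reference to a named rule; a missing rule denies rather than errors.
        return _evaluate(rules.get(value, "!"), creds, rules)
    raise ValueError(f"unsupported check {atom!r}")


def _evaluate(expr, creds, rules):
    """Simplified grammar: 'and' binds tighter than 'or'; no parentheses."""
    return any(
        all(_check_atom(a, creds, rules) for a in conj.split(" and "))
        for conj in expr.split(" or ")
    )


class StaticEnforcer:
    """What each deployment does on its own: read policy.json once at startup."""

    def __init__(self, policy_json):
        self._rules = json.loads(policy_json)

    def enforce(self, action, creds):
        return _evaluate(self._rules.get(action, "!"), creds, self._rules)


class ExternalPDP:
    """Central decision point holding one policy set per NGPoP (deployment)."""

    def __init__(self):
        self._policies = {}
        self._lock = threading.Lock()  # rules may change while PEPs query

    def load(self, deployment, policy_json):
        with self._lock:
            self._policies[deployment] = json.loads(policy_json)

    def set_rule(self, deployment, action, expr):
        """Dynamic reconfiguration: change one rule, no service restart."""
        with self._lock:
            self._policies[deployment][action] = expr

    def decide(self, deployment, action, creds):
        """Called by a hook (PEP) inside a given deployment."""
        with self._lock:
            rules = self._policies.get(deployment)
            if rules is None or action not in rules:
                return False  # fail closed: unknown NGPoP or unknown action
            return _evaluate(rules[action], creds, rules)


def demo():
    """Same user, same action, two NGPoPs, one rule changed at runtime."""
    creds = {"user": "alice", "roles": ["vnf_operator"]}  # constructed
    static = StaticEnforcer(STATIC_POLICY_JSON)
    pdp = ExternalPDP()
    for pop in ("ngpop-paris", "ngpop-lyon"):  # constructed deployment names
        pdp.load(pop, STATIC_POLICY_JSON)
    before = pdp.decide("ngpop-paris", "compute:delete", creds)
    # Business need changes: VNF operators may now delete in Paris only.
    pdp.set_rule("ngpop-paris", "compute:delete",
                 "rule:admin_required or role:vnf_operator")
    return {
        "static": static.enforce("compute:delete", creds),
        "before": before,
        "after_paris": pdp.decide("ngpop-paris", "compute:delete", creds),
        "after_lyon": pdp.decide("ngpop-lyon", "compute:delete", creds),
        "unknown_pop": pdp.decide("ngpop-nice", "compute:delete", creds),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the deployments never hold authoritative policy: the `StaticEnforcer` answer stays `False` until someone edits a file and restarts a service in that one data center, while the PDP answer for Paris flips to `True` the moment the central rule changes and Lyon is untouched. A production PDP would also have to authenticate the querying hooks and log every decision, which this toy leaves out.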