KeyRock and Wilma - Openstack-based Identity Management in FIWARE
Transcript of KeyRock and Wilma - Openstack-based Identity Management in FIWARE
![Page 1: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/1.jpg)
KeyRock and Wilma: Openstack-based Identity Management in FIWARE
Joaquín Salvachúa - Álvaro [email protected] - [email protected]
![Page 2: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/2.jpg)
FIWARE
FIWARE is an innovative, open cloud-based infrastructure for cost-effective creation and delivery of Future Internet applications and services, at a scale not seen before.
These APIs are public and royalty-free, driven by the development of an open source reference implementation which accelerates the availability of commercial products and services based on FIWARE technologies.
More in:
• https://www.fiware.org
• https://www.fiware.org/formation
![Page 3: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/3.jpg)
FIWARE Generic Enablers
Generic Enablers (GE) offer a number of general-purpose functions, exposed through well-defined APIs, easing the development of smart applications in multiple sectors. They set the foundations of the architecture associated with your application.
Specifications of FIWARE GE APIs are public and royalty-free. You can search for the open source reference implementation, as well as alternative implementations, of each FIWARE GE in the FIWARE Reference Architecture.
![Page 4: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/4.jpg)
![Page 6: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/6.jpg)
FIWARE Lab
http://infographic.lab.fiware.org/
![Page 7: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/7.jpg)
FIWARE Lab & Cloud
Diagram: the Cloud Portal calls Keyrock (getCatalogue) to obtain the catalogue of OpenStack services in every federated region (Region 1, Region 2 … Region n, each running its own OS Services); Keyrock keeps the catalogue and the identities in its DB.
![Page 8: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/8.jpg)
FIWARE Lab & Cloud
Diagram: the Cloud Portal sends a request, carrying the user's token, to the OS Service of one region.
![Page 9: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/9.jpg)
FIWARE Lab & Cloud
Diagram: the OS Service validates the token with Keyrock, authenticating itself to Keyrock with its own service credentials.
![Page 10: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/10.jpg)
FIWARE Lab & Cloud
Diagram: for high availability, two Keyrock instances (Keyrock 1 and Keyrock 2) sit behind HAProxy and share one DB; the Cloud Portal and the regions' OS Services talk to the HAProxy front end.
![Page 11: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/11.jpg)
Keyrock architecture
Horizon
• Front-end component
• User views
Keystone
• Back-end component
• Resource management
• Connection to the database
Diagram: Horizon talks to Keystone, which talks to the DB.
![Page 12: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/12.jpg)
Horizon extensions
Built on Openstack Horizon, extended with:
FIWARE UI
AuthZForce Driver
OAuth2 Driver
FIWARE Accounts
Admin tools
reCaptcha
![Page 13: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/13.jpg)
Keystone extensions
Built on Openstack Keystone, extended with:
Keystone API
SCIM 2.0
User Registration
Two factor auth
OAuth2
![Page 14: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/14.jpg)
OAuth2
Diagram: the Cloud Portal authenticates the user against Keyrock over OAuth2.
![Page 15: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/15.jpg)
OAuth2
Diagram: the token Keyrock hands back to the Cloud Portal over OAuth2 is a Keystone TOKEN, so the same TOKEN is what the portal later presents to the OpenStack services.
![Page 16: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/16.jpg)
Google Account (screenshot)
![Page 17: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/17.jpg)
FIWARE Account (screenshot)
![Page 18: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/18.jpg)
FIWARE Account: Login with (screenshot)
![Page 19: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/19.jpg)
OAuth2: External applications
Diagram: besides the Cloud Portal, external applications (App 1, App 2) each authenticate their users against Keyrock over OAuth2.
![Page 20: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/20.jpg)
Token validation
Diagram: the Cloud Portal obtains a Keystone TOKEN from Keyrock over OAuth2 and presents it to an OS Service in Region 1; the Keystone Middleware in front of that service performs the TOKEN validation.
![Page 21: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/21.jpg)
Token validation: External Applications
Diagram: an App obtains a Keystone TOKEN from Keyrock over OAuth2 and presents it to a Backend service; Wilma, in front of the backend, performs the TOKEN validation.
![Page 22: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/22.jpg)
Wilma
Diagram: without a PEP, the Backend Service exposes its REST API directly; REST Clients, Other services, and a Web App with its users (User 1, User 2) send plain HTTP requests to it.
![Page 23: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/23.jpg)
Wilma
Diagram: with Wilma in front of the Backend Service's REST API, every HTTP request from the REST Clients, the Other services or the Web App's users (User 1, User 2) must carry a TOKEN.
![Page 24: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/24.jpg)
Authentication
1. The User sends an HTTP request + TOKEN to Wilma, which fronts the Backend Service's REST API.
2. Wilma sends the TOKEN to the Keyrock GE.
3. Keyrock answers OK + user info, and Wilma forwards the request to the backend.
![Page 25: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/25.jpg)
Authorization
1. The User sends an HTTP request + TOKEN to Wilma, which fronts the Backend Service's REST API.
2. Wilma sends the TOKEN to the Keyrock GE, which answers OK + user info (including the user's roles).
3. Wilma sends roles + verb + path to the AuthZForce GE.
4. AuthZForce answers OK, and Wilma forwards the request to the backend.
![Page 26: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/26.jpg)
AuthZForce
The other part of Policy Management:
Wilma: PEP
• Policy Enforcement Point
AuthZForce: PAP & PDP
• Policy Administration Point
• Policy Decision Point
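The authentication and authorization sequences above, as an added example (not Wilma's or AuthZForce's own code): a JavaScript function that makes the decision Wilma makes for one request. The Keyrock lookup and the AuthZForce policy are replaced by constructed in-memory tables so it runs offline; the token header name, the role names and the path prefixes are assumptions. It also normalises the request path before the prefix match, which any PEP that authorises on verb + path has to do, or `/v2/entities/../admin` would be permitted as if it were under `/v2/entities`.

```javascript
// Added example (not Wilma's or AuthZForce's own code): the PEP decision for one
// request, following the Wilma -> Keyrock -> AuthZForce flow on the slides.
// The IdM and the PDP are constructed in-memory tables so this runs offline.

const TOKEN_HEADER = 'x-auth-token'; // header the PEP reads (lower-cased as Node does); assumed

// Constructed stand-in for Keyrock: token -> the "OK + user info" answer.
const idmTokens = {
  'tok-alice': { id: 'alice', roles: ['provider'] },
  'tok-bob':   { id: 'bob',   roles: ['purchaser'] },
};

// Constructed stand-in for the AuthZForce policy: role -> allowed verbs on a path prefix.
// Role names and prefixes are assumptions, not FIWARE defaults.
const policy = [
  { role: 'provider',  verbs: ['GET', 'POST', 'PUT', 'DELETE'], pathPrefix: '/v2/entities' },
  { role: 'purchaser', verbs: ['GET'],                           pathPrefix: '/v2/entities' },
];

// Decode once, drop the query string, and collapse "." and ".." segments so a
// prefix match on the policy cannot be bypassed with "/v2/entities/../admin"
// or its percent-encoded form.
function normalizePath(path) {
  let decoded = String(path).split('?')[0];
  try { decoded = decodeURIComponent(decoded); } catch (e) { /* malformed escape: keep raw */ }
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Authentication step: the IdM validates the token and returns user info, or null.
function authenticate(idm, token) {
  if (typeof token !== 'string' || token.length === 0) return null;
  return Object.prototype.hasOwnProperty.call(idm, token) ? idm[token] : null;
}

// Authorization step: does any of the user's roles permit this verb on this path?
// Default deny: no matching rule means "not permitted".
function authorize(pdp, roles, verb, path) {
  const norm = normalizePath(path);
  const method = String(verb).toUpperCase();
  return pdp.some(rule =>
    roles.includes(rule.role) &&
    rule.verbs.includes(method) &&
    (norm === rule.pathPrefix || norm.startsWith(rule.pathPrefix + '/')));
}

// The enforcement decision for one request; status mirrors the HTTP code the PEP would send.
function enforce(req, idm = idmTokens, pdp = policy) {
  const user = authenticate(idm, (req.headers || {})[TOKEN_HEADER]);
  if (!user) return { status: 401, user: null };           // unauthenticated
  if (!authorize(pdp, user.roles, req.method, req.path)) {
    return { status: 403, user };                           // authenticated, not permitted
  }
  return { status: 200, user };                             // forward to the backend
}

// e.g. enforce({ method: 'GET', path: '/v2/entities', headers: { 'x-auth-token': 'tok-bob' } }).status === 200
```

Order matters: the token is checked before the policy, so an unauthenticated caller gets 401 before learning anything about which paths exist, and an authenticated user whose roles match no rule is refused (403) even for paths the policy never mentions.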
![Page 27: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/27.jpg)
FIWARE Lab Accounts
Basic
• Manage organizations
• Register applications
• Use the Cloud only if other users authorize them
Trial
• Cloud: 14-day trial period, Cloud Project in the Spain2 region
Community
• Cloud: 9 months, Cloud Project in an assigned region
![Page 28: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/28.jpg)
FIWARE Lab Accounts
![Page 29: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/29.jpg)
Private Regions Support
Goal
• Support private regions that want to offer part of their Cloud resources to FIWARE Lab users
![Page 30: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/30.jpg)
The scenario
• FL User represents a user with a registered account in FIWARE Lab.
• In the FIWARE Lab environment, FL OS Services represent the services of all the federated nodes.
• Private Cloud is a commercial cloud provider that wants to offer some of its resources (part of its Local OS Services) in FIWARE Lab as a new node.
• Private Cloud has its own users registered in its local Keystone (Ext User is one of them), who use cloud resources deployed in the Local OS Services.
Diagram: FIWARE Lab side: Keyrock, Cloud Portal, FL OS Services, FL User. Private Cloud side: Keystone, Horizon, Local OS Services, Ext User.
![Page 31: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/31.jpg)
Requirements
• Ext User can continue using the resources deployed in the Local OS Services through Horizon.
• FL User (with the correct rights) can deploy resources in the Private Cloud's Local OS Services through the Cloud Portal.
• In the Cloud Portal, the Private Cloud node appears as a new node, accessible to the FIWARE Lab users who have quotas in that node (community users assigned to it).
• Private Cloud infrastructure owners can assign quotas of Local OS Services to FIWARE Lab users (to their cloud projects).
• FL User can continue using the FL OS Services as before.
• If an Ext User wants to use resources of the FIWARE Lab nodes, they have to create a FIWARE Lab account.
Diagram: the same components as in the scenario (FIWARE Lab: Keyrock, Cloud Portal, FL OS Services, FL User; Private Cloud: Keystone, Horizon, Local OS Services, Ext User).
![Page 32: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/32.jpg)
Solution – FL User using FIWARE Lab resources
Everything works as always:
1. Cloud Portal authenticates the user in Keyrock
2. Cloud Portal sends a request to an OS Service
3. OS Service validates the token with Keyrock
Diagram: steps 1–3 drawn between FL User, Cloud Portal, Keyrock and FL OS Services; the Private Cloud side (Keystone, Horizon, Local OS Services, Ext User) is not involved.
![Page 33: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/33.jpg)
Solution – Ext User using Local resources
Everything works as always:
1. Horizon authenticates the user in Keystone
2. Horizon sends a request to an OS Service
3. OS Service validates the token with Keystone
Diagram: steps 1–3 drawn between Ext User, Horizon, Keystone and Local OS Services; the FIWARE Lab side (Keyrock, Cloud Portal, FL OS Services, FL User) is not involved.
![Page 34: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/34.jpg)
Solution – FL User using Private Cloud resources
1. Cloud Portal authenticates the user in Keyrock
2. Cloud Portal sends a request to a Private Cloud OS Service
3. The Private Cloud OS Service tries to validate the token in the local Keystone
4. As that validation fails (the token is not stored in the local Keystone), Keystone validates it with Keyrock, acting as a gateway, and returns the response to the Private Cloud OS Service
*. If the validation succeeds, Keystone stores the token locally (in a cache), so step 4 is not needed the next times.
Diagram: steps 1–4 drawn across FL User, Cloud Portal, Keyrock, the Private Cloud's Local OS Services and its Keystone; the gateway and cache behaviour lives in a Keystone token driver.
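The four-step validation order and the cache footnote, as an added example (not the code of the FIWARE Keystone fork's own token driver): a JavaScript token driver that tries the local Keystone store first, falls back to Keyrock through the gateway, and caches a successful gateway result. The local store and the Keyrock answers are constructed in-memory tables, and the cache TTL and all names are assumptions. The example also makes visible the caveat the slide leaves implicit: a token revoked at Keyrock keeps working in the private region until its cache entry expires, so the TTL is the revocation latency the region accepts, and it must never exceed the token's own expiry.

```javascript
// Added example (not the FIWARE Keystone fork's own token driver): the private-region
// validation order from the slide (local Keystone first, then Keyrock via the gateway),
// with the cache step made explicit. Stores are constructed in-memory stand-ins.

const CACHE_TTL_MS = 5 * 60 * 1000; // assumed cache bound; also capped by each token's expiry

// Constructed local Keystone store: tokens issued to the Private Cloud's own users.
const localTokens = {
  'local-ext-1': { user: 'ext-user', expiresAt: Date.parse('2030-01-01T00:00:00Z') },
};

// Constructed stand-in for the Keyrock gateway answers: FIWARE Lab tokens.
const keyrockTokens = {
  'fl-alice': { user: 'alice', expiresAt: Date.parse('2030-01-01T00:00:00Z') },
};

// Builds a driver over a local store and a Keyrock lookup; `now` is injectable
// so cache expiry can be exercised without waiting.
function makeTokenDriver({ local, keyrock, now = Date.now }) {
  const cache = new Map(); // token -> { info, cachedAt }
  let gatewayCalls = 0;    // number of step-4 round-trips to Keyrock

  // A token record is usable only while its own expiry is in the future.
  function fresh(info, t) { return Boolean(info) && info.expiresAt > t; }

  function validate(token) {
    const t = now();
    // Step 3: the local Keystone store answers for its own tokens.
    if (fresh(local[token], t)) return { ok: true, user: local[token].user, source: 'local' };
    // Cached gateway result: accepted while inside the cache TTL and the token's expiry.
    const hit = cache.get(token);
    if (hit && t - hit.cachedAt < CACHE_TTL_MS && fresh(hit.info, t)) {
      return { ok: true, user: hit.info.user, source: 'cache' };
    }
    cache.delete(token);
    // Step 4: Keystone acts as a gateway and asks Keyrock.
    gatewayCalls++;
    const info = keyrock[token];
    if (!fresh(info, t)) return { ok: false, user: null, source: 'keyrock' };
    cache.set(token, { info, cachedAt: t }); // "*": remember it so step 4 is skipped next time
    return { ok: true, user: info.user, source: 'keyrock' };
  }

  return { validate, gatewayCalls: () => gatewayCalls };
}
```

Only successful validations are cached: caching a rejection would let a stale "no" block a user who was granted access a moment later, while caching a "yes" is the trade the slide explicitly makes. Run it with a revoked entry (remove the token from the Keyrock table after the first validation) and the driver keeps answering from the cache until the TTL passes, which is exactly the window an operator has to size.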
![Page 35: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/35.jpg)
IoT Support
Context Broker
Diagram: Context Producers / Consumers (the sensors) send update / query requests to the Context Broker through a PEP Proxy; the Keyrock GE handles sensor authentication, creating the tokens the sensors present and validating the tokens the PEP Proxy receives.
![Page 37: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/37.jpg)
Conclusions
Evolution and integration between OpenStack and an IdM.
Evolution in open source (development by UPM in the project).
Identity solution widely used among the startups (the most used GE).
Goal: have it integrated in different sustainable ecosystems:
• Full integration with OpenStack.
![Page 38: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/38.jpg)
Important Links
FIWARE
• https://www.fiware.org/
FIWARE Lab
• https://account.lab.fiware.org/
Keyrock
• http://catalogue.fiware.org/enablers/identity-management-keyrock
Wilma
• http://catalogue.fiware.org/enablers/pep-proxy-wilma
AuthZForce
• http://catalogue.fiware.org/enablers/authorization-pdp-authzforce
![Page 39: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/39.jpg)
Opensource projects
Keyrock
• https://github.com/ging/fiware-idm
• Horizon fork: https://github.com/ging/horizon
• Keystone fork: https://github.com/ging/keystone
Wilma
• https://github.com/ging/fiware-pep-proxy
AuthZForce
![Page 40: KeyRock and Wilma - Openstack-based Identity Management in FIWARE](https://reader036.fdocuments.us/reader036/viewer/2022081520/5871e5d31a28ab6a7b8b6f4d/html5/thumbnails/40.jpg)
KeyRock and Wilma: Openstack-based Identity Management in FIWARE
Joaquín Salvachúa - Álvaro [email protected] - [email protected]