Authentication in OpenStack

Similar documents
CMDBuild Authentication (file auth.conf)

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

How to use mobilecho with Microsoft Forefront Threat Management Gateway (TMG)

Lync SHIELD Product Suite

Axway API Gateway. Version 7.4.1

Building Secure Applications. James Tedrick

The HTTP Plug-in. Table of contents

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

Executive Summary. What is Authentication, Authorization, and Accounting? Why should I perform Authentication, Authorization, and Accounting?

Novell LDAP Proxy Server

WWPass External Authentication Solution for IBM Security Access Manager 8.0

An Insight into Cookie Security

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

Guide to Web Hosting in CIS. Contents. Information for website administrators. ITEE IT Support

Installation and configuration guide

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

Design and Implementation of an IP based authentication mechanism for Open Source Proxy Servers in Interception Mode

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

Setup Guide Access Manager 3.2 SP3

TIBCO Spotfire Platform IT Brief

Deploying F5 with Microsoft Active Directory Federation Services

How To Use Netscaler As An Afs Proxy

Easy CramBible Lab DEMO ONLY VERSION Test284,IBM WbS.DataPower SOA Appliances, Firmware V3.6.0

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Application of the PAPI authn and authz system to the TJ-II Remote Participation environment. Madrid, 21 March 2003

Security IIS Service Lesson 6

<Insert Picture Here> Hudson Security Architecture. Winston Prakash. Click to edit Master subtitle style

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Deploying F5 to Replace Microsoft TMG or ISA Server

Web Application Firewall

Agenda. How to configure

Flowpack Single sign-on Server Documentation

Server-side Development using Python and SQL

DIGIPASS Authentication for GajShield GS Series

Network Technologies

Network Virtualization Network Admission Control Deployment Guide

Revolution R Enterprise DeployR 7.1 Enterprise Security Guide. Authentication, Authorization, and Access Controls

Setup Guide Access Manager Appliance 3.2 SP3

BusinessObjects Enterprise XI Release 2

Chapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc.

POP3 Connector for Exchange - Configuration

Deploying RSA ClearTrust with the FirePass controller

Configuration Worksheets for Oracle WebCenter Ensemble 10.3

Administering Jive for Outlook

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Configuring IBM HTTP Server as a Reverse Proxy Server for SAS 9.3 Web Applications Deployed on IBM WebSphere Application Server

Configuring Single Sign-On for Documentum Applications with RSA Access Manager Product Suite. Abstract

Enabling single sign-on for Cognos 8/10 with Active Directory

<Insert Picture Here> Oracle Web Services Manager (WSM)

FileCloud Security FAQ

Configuring Claims Based FBA with Active Directory store 1

Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway)

LockoutGuard v1.2 Documentation

NSi Mobile Installation Guide. Version 6.2

DIGIPASS Pack for Citrix on WI 4.5 does not detect a login attempt. Creation date: 28/02/2008 Last Review: 04/03/2008 Revision number: 2

Active Directory Integration

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

Use Enterprise SSO as the Credential Server for Protected Sites

Implementing Reverse Proxy Using Squid. Prepared By Visolve Squid Team

XIA Configuration Server

How to configure the Panda GateDefender Performa explicit proxy in a Local User Database or in a LDAP server

Authenticate and authorize API with Apigility. by Enrico Zimuel Software Engineer Apigility and ZF2 Team

Load Balancing Microsoft AD FS. Deployment Guide

How to configure HTTPS proxying in Zorp 6

Creating a Secure Web Service In Informatica Data Services

Deploying F5 with Microsoft Forefront Threat Management Gateway 2010

Web Application Proxy

Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords

c360 Portal Installation Guide

Interwise Connect. Working with Reverse Proxy Version 7.x

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

This section contains information intended to help plan for SocialMiner installation and deployment.

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP system v10 with Microsoft Exchange Outlook Web Access 2007

Forward proxy server vs reverse proxy server

Okta/Dropbox Active Directory Integration Guide

HTTPS HTTP. ProxySG Web Server. Client. ProxySG TechBrief Reverse Proxy with SSL. 1 Technical Brief

White Paper March 1, Integrating AR System with Single Sign-On (SSO) authentication systems

OpenLDAP Oracle Enterprise Gateway Integration Guide

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

1 of 24 7/26/2011 2:48 PM

Copyright: WhosOnLocation Limited

SharePoint 2013 Logical Architecture

How To Connect A Gemalto To A Germanto Server To A Joniper Ssl Vpn On A Pb.Net 2.Net (Net 2) On A Gmaalto.Com Web Server

Spectrum Technology Platform

DIGIPASS Authentication for Check Point Security Gateways

Perceptive Experience Single Sign-On Solutions

SSO Plugin. Release notes. J System Solutions. Version 3.6

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

A Java proxy for MS SQL Server Reporting Services

MODELLING OF INTELLIGENCE IN INTERNET TELEPHONE SYSTEM

Configuring Single Sign-on for WebVPN

Centralizing Windows Events with Event Forwarding

Copyright Pivotal Software Inc, of 10

DEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH CITRIX PRESENTATION SERVER 3.0 AND 4.5

Transcription:

Draft Draft entication in OpenStack Jorge L Williams <jorge.williams@rackspace.com> Khaled Hussein <khaled.hussein@rackspace.com> Ziad N Sawalha <ziad.sawalha@rackspace.com> Abstract The purpose of this blueprint is to define a standard for authentication in OpenStack that enables services to support multiple authentication protocols in a pluggable manner. By providing support for authentication via pluggable authentication components, this standard allows OpenStack services to be integrated easily into existing deployment environments. It also provides a path by which to implement support for emerging authentication standards such as OpenID. The standard is not an authentication system onto itself, but rather a protocol by which authentication systems may be integrated with OpenStack services. Table of Contents Rationale and Goals... 1 Specification Overview... 1 Deployment Strategies... 2 Exchanging User Information... 3 Reverse Proxy entication... 3 Handling Direct Client Connections... 4 Using Multiple entication Components... 5 The Default Component... 5 Questions and Answers... 8 References... 9 Rationale and Goals Currently, OpenStack does not support a unified authentication mechanism for its storage and compute services. This complicates the deployment of these services in a single environment and prevents OpenStack from easily integrating with existing authentication and identity management systems. To address this issue, we propose a standard for authentication that allows support for multiple authentication protocols via pluggable authentication components. In this blueprint, we define the responsibilities of authentication components. We describe how these interact with underlying OpenStack services and how existing services can be modified to take advantage of pluggable authentication. Finally, we illustrate an implementation of a simple authentication component. The goal is to allow OpenStack services to be integrated easily into existing deployment environments and to provide a path by which to implement support for emerging authentication standards such as OpenID. Specification Overview entication is the process of determining that users are who they say they are. An authentication protocol may obtain user information via a variety of back-end services such as identity management systems, LDAP directories, relational databases, and flat files; current authentication protocols include 1

HTTP Basic, Digest Access, public key, token, etc. An authentication component is a software module that implements an authentication protocol. At a high level, an authentication component is simply a reverse proxy that intercepts HTTP calls from clients. If the authentication component verifies the user's identity, the authentication component extends the call with information about the current user and forwards the call to the OpenStack service. Otherwise, the message is rejected before it gets to the service. This is illustrated in Figure 1. Note that, in this blueprint, we define interactions between the authentication component and the OpenStack service. Interactions between the client and the authentication component are defined only for exceptional cases. For example, we define the message that should be returned when the OpenStack service is down. Other interactions, however, are defined by the underlying authentication protocol and the OpenStack service and are outside of the scope of this blueprint. Figure 1. An entication Component Re je ct Un a u th e n tica te d Re q u e sts F or w a r d Au th e n tica te d Re q u e sts Deployment Strategies An authentication component may be integrated directly into the service implementation, or it may be deployed separately as an HTTP reverse proxy. This is illustrated in Figure 2 showing both approaches to authetication, labeled Option (a) and Option (b). Figure 2. entication Component Deployments Options (a) (b) Option (a) The authentication component is integrated into the service implementation; Option (b) The authentication component is deployed in a separate node. In Option (a), the component is integrated into the service implementation. In this case, communication between the authentication component and the service can be efficiently implemented via a method call. 2

In Option (b), the component is deployed separately and communication between the service and the component involves an HTTP request. In both cases, unauthenticated requests are filtered before they reach the service. Each approach offers some benefits. Option (a) offers low latency and ease of initial implementation, making it possibly most appropriate as a starting point for simple configurations. Option (b) offers several kep advantages that may be of a particular value in complex and dynamic configurations. It offers the ability to scale horizontally in cases where authentication is computationally expensive, such as when verifying digital signatures. Option (b) also allows authentication components to be written in different programming languages. Finally, Option (b) allows multiple authentication components to be deployed in front of the same service. OpenStack services MUST support both embedded (Option (a)) and external (Option (b)) deployment strategies. Individual authentication components MAY support either strategy or they MAY support both strategies. In order to support option (a), authentication components written in the Python programming language MUST be written as middleware components in accordance to the Web Server Gateway Interface (WSGI) standard [1]. Additionally, services MUST support the ability to swap between different embedded or external authentication components via configuration options. Exchanging User Information If a request is successfully authenticated, the authentication component MUST extend the request by adding an X-orization header. The header MUST be formatted as illustrated in Example 1. Example 1. An X-orization Header X-orization: Proxy JoeUser Here, Proxy denotes that the authentication occurred via a proxy (in this case authentication component) and JoeUser is the name of the user who issued the request.. Note We are considering using an orization header rather than an X-orization thereby following normal HTTP semantics. There are some cases, however, where multiple orization headers need to be transmitted in a single request. We want to assure ourselves that this will not break common clients before we recommend the approach. entication components MAY extend the request with additional information. For example, an authentication system may add additional headers or modify the target URI to pass authentication information to the back-end service. Additionally, an authentication component MAY strip sensitive information from the request a plain text password, for example; That said, an authentication component SHOULD pass the majority of the request unmodified. Reverse Proxy entication It is important for an OpenStack service to verify that it is receiving requests from a trusted authentication component. This is particularly important in cases where the authentication component and the OpenStack service are deployed separately. In order to trust incoming requests, the OpenStack service should therefore authenticate the authentication component. To avoid confusion, we call this reverse proxy authentication since in this case the authentication component is acting as an HTTP reverse proxy. 3

Any HTTP-based authentication scheme may be used for reverse proxy authentication; however, all OpenStack services and all authentication components MUST support HTTP Basic entication as defined in RFC 2617 [2]. Whether or not reverse proxy authentication is required is strictly a deployment concern. For example, an operations team may opt to utilize firewall rules instead of an authentication protocol to verify the integrity of incoming request. Because of this, both OpenStack services and authentication components MUST also allow for unauthenticated communication. In cases where reverse proxy authentication is used, the authorization component may receive an HTTP 401 authentication error or an HTTP 403 authorization error. The authentication component MUST NOT return these errors to the client application. Instead, the component MUST return a 500 internal error. This is illustrated in Figure 3. The component SHOULD format the error in a manner that does not break the service contract defined by the OpenStack service. Figure 3. Reverse Proxy entication Au th or iza tion : Ba sic VTp Q 5 0 0 In te r n a l Er r or Au th or iza tion : Ba sic d Tp w X-Au th or iza tion : Pr oxy U 4 0 3 Pr oxy Un a u th or ize d Handling Direct Client Connections Requests from the authentication component to an OpenStack service MUST contain an X- orization header. If the header is missing, and reverse proxy authentication fails or is switched off, the OpenStack service MAY assume that the request is coming directly from a client application. In this case, the OpenStack service MUST redirect the request to the authentication component by issuing an HTTP 305 User Proxy redirect. This is illustrated in Figure 4. Note that the redirect response MUST include a Location header specifying the authentication component's URL as shown in Example 2. Figure 4. Component Redirect Re q u e st S e r vice Dir e ctly 3 0 5 Use Pr oxy To Re d ir e ct to Au th Example 2. Component Redirect Response HTTP/1.1 305 Use Proxy Date: Thu, 28 Oct 2010 07:41:16 GMT Location: http://sample.auth.openstack.com/path/to/resource 4

Using Multiple entication Components There are some use cases when a service provider might want to consider using multiple authentication components for different purposes. For instance, a service provider may have one authentication scheme to authenticate the users of the service and another one to authenticate the administrators or operations personnel that maintain the service. For such scenarios, we propose using a Mapper as illustrated in Figure 5. Figure 5. Multiple entication Components Mapper 1 2 3 At a high level, a Mapper is a simple reverse proxy that intercepts HTTP calls from clients and routes the request to the appropriate authentication component. A Mapper can make the routing decisions based on a number of routing rules that map a resource to a specific authentication component. For example, a request URI may determine whether a call should be authenticated via one authentication component or another. Note that neither the authentication component nor the OpenStack service need be aware of the mapper. Any external authentication component can be used along side others. Mappers may provide a means by which to offer support for anonymous or guest access to a subset of service resources. Finally, note also that a mapper may be implemented via a traditional reverse proxy server such as Pound or Zeus. The Default Component Individual services MUST be distributed with a simple integrated authentication component by default. This default component MUST offer support for HTTP Basic Access entication where usernames and passwords are stored in a flat configuration file under /etc/openstack/users.ini. The format of the file is illustrated in Example 3. The file associates a username with a SHA-1 digest of the user's password. The SHA-1 digest is used to avoid exposing the password as plain text. If the file is missing the default component MUST reject all requests. We provide a reference implementation of a default authentication component, and describe it in some detail below. 5

Example 3. Example users.ini [users] user:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 user2:2aa60a8ff7fcd473d321e0146afd9e26df395147 user3:1119cfd37ee247357e034a08d844eea25f6fd20f... There are a number of benefits to standardizing on a simple auth component for all OpenStack services: 1. Providing an easy to configure embedded authentication component by default, lowers barriers to the deployment of individual services. This is especially important to developers who may want deploy OpenStack services on their own machines. 2. Since there is no direct dependency to an external authentication system, OpenStack services can be deployed individually without the need to stand up and configure additional services. 3. Having a standard authentication component that all services share promotes a separation of concerns. That is, as a community we are explicitly stating that services should not develop their own authentication mechanisms. Additional authentication components may be developed, of course, but these components should not be intimately coupled to any one particular service. Note that services should maintain support for option (b), even as we require that they ship with a simple embedded authentication component by default. One way to achieve this is to provide a method that allows the disabling of the default authentication component via configuration. This is illustrated in Figure 6. Here, requests are sent directly to the OpenStack service when the default authentication component is disabled. Figure 6. Disabled Embedded Component Implementation Details The reference implementation is composed of a number of files: authcomp.py The script contains an implementation of a default authentication component. The authcomp.py script is capable of running as 6

a stand alone reverse proxy to illustrate a distributed deployment strategy. service.py embedded.py helper.py Provides an example of a very simple OpenStack service that supports both, direct integration and distributed deployment of an authentication component as defined by this blueprint. A script that illustrates how the authentication component and example service defined above can be integrated into a single application. This script contains utility code shared by multiple scripts in the reference implementation. For the sake of brevity we will examine only the relevant portions of the authcomp.py and service.py scripts. Example 4. enticating a request in authcomp.py def call (self, environ, start_response): if not environ.get("http_authorization"): # The user needs to be authenticated. We reject the request and # return 401 before the (MyApp) receives the request. return respond401(environ, start_response) else: # Let's authenticate the user against the users.ini file. import base64 auth_header = environ['http_authorization'] auth_type, encoded_creds = auth_header.split(none, 1) username, password = base64.b64decode(encoded_creds).split(':', 1) if self.validatecreds(username, password): # The Component has to authenticate itself to the service. environ['http_authorization'] = "Basic dtpw" # The Component passes the username to the environ['http_x_authorization'] = "Proxy %s" % username return self.app(environ, start_response) else: return respond401(environ, start_response) Every request that flows through the authentication component is checked for authentication credentials. The request is rejected if the credentials are missing. Next, the credentials are validated against the users.ini file. Note that this involves taking a SHA-1 of the input password and comparing it against the digest in the users.ini file. If the credentials validate, the authentication component extends the request by adding it's own authorization credentials. It also adds the X-orization header which contains the username of the user who initiated the request. The authentication component then forwards the request to the OpenStack service. If the user's credentials don't validate, the request is rejected before it is sent to the OpenStack service. 7

Example 5. Verifying and service a request in service.py def call (self, environ, start_response): if not environ.get("http_x_authorization"): return respond305(environ, start_response, \ createurl(environ, self.proxy_host, self.proxy_port)) # Now let's authenticate the Component itself if not environ.get("http_authorization"): return respond401(environ, start_response) import base64 auth_header = environ['http_authorization'] auth_type, encoded_creds = auth_header.split(none, 1) # Not very secure, but you get the picture if str(encoded_creds)!= "dtpw": return respond401(environ, start_response, False) else: # Here is where the service processes the request response_headers = [('content-type', 'text/html')] response_status = '200 OK' user_auth_header = environ["http_x_authorization"] auth_type, username = user_auth_header.split(none, 1) response_body = "Welcome %s to OpenStack <BR>" % username start_response(response_status, response_headers) return [response_body] The service verifies that the X-orization is present in the request. If it isn't it redirects the client via a 305 to the authentication component. If reverse proxy authentication is enabled, the service validates the credentials sent by the authentication service. If these are missing, or don't match, the service issues a 401 error. Otherwise, the service responds to the request. In this case, the service extracts the username from the X-orization header. Questions and Answers 1. Why not have the authentication component pass authentication failures back to the service instead of rejecting requests up front? The content and format of an authentication failed message is determined by the authentication scheme (or protocol). In order for the service to respond appropriately it would have to be aware of the authentication schemes it's participating in this defeats the concept of pluggable authentication components. 2. Why require support for deploying authentication components in separate nodes? The deployment strategy is very flexible. It allows for authentication components to be horizontally scalable. It allows for components to be written in different languages. Finally, it allows different authentication components to be deployed simultaneously as described above. 8

References [1] Phillip J Eby. Python Web Server Gateway Interface v1.0. http://www.python.org/dev/peps/pep-0333/. [2] J Franks. P Hallam-Baker. J Hostetler. S Lawrence. P Leach. A Luotonen. L Stewart. HTTP entication: Basic and Digest Access entication. http://tools.ietf.org/html/rfc2617. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information