6–8 May 2019
WCW Congress Centre
Europe/Amsterdam timezone

Native OpenID Connect Implementation for OpenStack Clouds

6 May 2019, 16:45
15m
VK1,2 SURFsara (WCW Congress Centre)
Science Park 123 1098 XG Amsterdam

Speakers

Ms Aida Palacio (IFCA-UC) Fernando Aguilar (CSIC)

Description

The EGI Federated Cloud, following the Grid AAI, based its initial authentication and authorization mechanisms on X.509 certificates and VOMS proxies. Although these technologies made possible the initial usage and the move into production of the Federated Cloud as an Infrastructure as a Service cloud, they have also proven to be an obstacle to the integration of additional components, such as Platform and Software as a Service components or simply web portals. Moreover, they are perceived as a cumbersome authentication mechanism by external users who wish to adopt the EGI Federated Cloud but do not use the X.509 and VOMS infrastructures. Nowadays, EGI.eu is transitioning its Authentication and Authorization infrastructure from X.509 certificates and proxies towards the EGI Check-In service and the OpenID Connect standard.

The most widely used Cloud Management Framework in the EGI Federated Cloud is OpenStack, an open source cloud software system whose development is community driven. The Identity component of the OpenStack distribution (code named Keystone) is a REST service that leverages the Apache HTTP server and a third-party module named “mod_auth_openid” to provide OpenID Connect authentication to an OpenStack cloud. Due to the current status of these components, the OIDC standard is not purely implemented, which makes it impossible to configure two different providers at a single resource centre for use from command line tools.

This project is currently implementing a Keystone plugin to enable OpenID Connect configurations in a standard manner, which will also make it possible to consume OAuth 2.0 tokens and to make requests to the corresponding OAuth 2.0 introspection endpoints. Furthermore, it will remove the limitation of configuring only one provider per resource centre. The proposed presentation will show the approach taken to design and implement the plugin based on the OpenID Connect standard to work with Keystone.
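The per-provider token introspection the abstract describes, as an added illustration that is not the project's plugin code: the issuer selects one of several configured providers, the token is introspected there, and only an active, unexpired token whose issuer and audience match that provider is accepted. Provider URLs, client ids and the canned introspection replies are constructed placeholders.

```python
import time

# Constructed registry of trusted OpenID providers keyed by issuer; URLs and
# client ids are placeholders, not any real deployment's values.
PROVIDERS = {
    "https://idp-a.example.org": {"endpoint": "https://idp-a.example.org/introspect",
                                  "client_id": "keystone-a", "audience": "keystone"},
    "https://idp-b.example.org": {"endpoint": "https://idp-b.example.org/introspect",
                                  "client_id": "keystone-b", "audience": "keystone"},
}

# Constructed replies standing in for the HTTPS POST of RFC 7662 (token= plus the
# provider's client credentials); a real deployment parses the JSON response.
CANNED = {
    ("https://idp-a.example.org/introspect", "tok-good"): {
        "active": True, "sub": "alice", "iss": "https://idp-a.example.org",
        "aud": "keystone", "exp": 2_000_000_000, "scope": "openid profile"},
    ("https://idp-a.example.org/introspect", "tok-expired"): {
        "active": True, "sub": "bob", "iss": "https://idp-a.example.org",
        "aud": "keystone", "exp": 1_000_000_000},
    ("https://idp-b.example.org/introspect", "tok-wrong-aud"): {
        "active": True, "sub": "carol", "iss": "https://idp-b.example.org",
        "aud": ["other-service"], "exp": 2_000_000_000},
}

def introspect(endpoint, client_id, token):
    # Tokens the provider does not recognise come back as {"active": false}.
    return CANNED.get((endpoint, token), {"active": False})

def verify_token(token, issuer, providers=PROVIDERS, now=None):
    """Return (identity, None) when the token is accepted, else (None, reason)."""
    prov = providers.get(issuer)
    if prov is None:
        return None, "untrusted issuer"          # only configured providers are asked
    resp = introspect(prov["endpoint"], prov["client_id"], token)
    if not resp.get("active"):
        return None, "token inactive or unknown"
    now = time.time() if now is None else now
    if resp.get("exp") is not None and resp["exp"] <= now:
        return None, "token expired"             # active=true alone is not enough
    if resp.get("iss") not in (None, issuer):    # iss is optional; must match if present
        return None, "issuer mismatch"
    aud = resp.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if aud and prov["audience"] not in aud:
        return None, "audience mismatch"         # token minted for another service
    return {"sub": resp["sub"], "iss": issuer, "scope": resp.get("scope", "")}, None
```

A token issued by provider A but presented under provider B's issuer is introspected at B, which does not recognise it, so it is rejected rather than silently trusted.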
Type of abstract: Presentation

Primary author

Dr Alvaro Lopez Garcia (CSIC)

Co-authors

Ms Aida Palacio (IFCA-UC) Fernando Aguilar (CSIC)