2 research outputs found

    Opening Up OpenStack’s Identity Service

    OpenStack is a relatively new open source cloud computing project. It has rapidly become very popular since its first release on 21st October 2010. It has thousands of members, comprising technologists, developers, researchers, and cloud computing experts from 87 countries and more than 140 organisations. Despite its openness, until the University of Kent started to work with OpenStack, its Keystone identity service had no federated identity management capabilities, and all user accounts and passwords had to be stored in Keystone, usually in a backend LDAP directory. This talk will describe the way that protocol independent federated access has been integrated into the core release of Keystone

    Authorization Policy Federation in Heterogeneous Multicloud Environments

    Current Infrastructure as a Service (IaaS) cloud platforms have their own authorisation system, containing different access control policies and models. Clients with accounts in multiple cloud providers struggle to manage their rules in order to provide a homogeneous access control experience to users. This work proposes a solution: an Authorisation Policy Federation (APF) of heterogeneous cloud accounts. These federated accounts share a centrally managed policy written in Disjunctive Normal Form (DNF) using a cloud-independent ontology. This shared abstract policy can be translated to local cloud formats, and back again. Prototypes were implemented for OpenStack and Amazon Web Services (AWS) cloud formats, and rules were successfully translated with a Level of Semantic Equivalence (LSE) higher than 80