Keystone is the gatekeeper for OpenStack and allows authentication to all OpenStack services.
Keystone:
- Is the single point of authentication for all OpenStack services
- Offers SSO to OpenStack services
- Is the common API layer on top of various authentication protocols
- Reduces exposure of credentials
Basically:
Users identity credentials are sent to the LDAP server that then confirms the user ID and associated roles. Services can also authenticate with Keystone and act on a user's behalf. This presents different problems that can be mitigated by securing cached credentials, limiting the scope of this delegation, expiring tokens and direct management of Keystone and OpenStack.
- User authenticates by sending credentials --> Keystone
- Keystone sends a token once authenticated --> User
- Keystone shares token --> OpenStack service
- Service validates identity of user via token
Of course, as with any software, Keystone has an attack surface that opens it up to spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privileges. Newstadt suggests "Supply chain management":
Download --> build --> deploy --> patchThe key is the last step to ensure that the software deployed is free of vulnerabilities.
There has also been considerable interest in using industry standards including SAML, OpenID and OAUTH because they provide SSO, improved integration, control over user credentials and a unified user experience.
Newstadt's parting thoughts:
Protect credentials everywhere. Think about how they can be attacked.Securing Keystone is an ongoing process.Share findings and ideas. This is how we'll improve Keystone and security in OpenStack.
No comments:
Post a Comment