enabling cloud native applications with application
play

Enabling Cloud-Native Applications with Application Credentials in - PowerPoint PPT Presentation

Mar 26, 2024 •370 likes •637 views

Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud Developer at SUSE cmurphy @_colleenm Overview Why we needed application credentials What are application credentials? (with demo!)

  1. Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud Developer at SUSE cmurphy @_colleenm

  2. Overview ● Why we needed application credentials ● What are application credentials? (with demo!) ● The future of application credentials 2

  3. Before... 3

  4. Cloud applications from cinderclient import client from keystoneauth1 import session from keystoneauth1.identity.generic import password auth = password.Password(username='cmurphy', password='secrets', project_name='production', user_domain_name='LDAP_EMEA', project_domain_name='Default', auth_url='https://cloud.example.com/identity') s = session.Session(auth=auth) cinder = client.Client('3', session=s) cinder.volume_backups.create('5ee22c66-4ce7-4136-bffa-371a4cf40d43') 4

  5. Principle of Least Privilege ● Applications have access to everything the user has access to 5

  6. Passwords in config files ● openrc files ● clouds.yaml ● {nova,cinder,neutron,...}.conf ● yourapplication.ini Protecting plaintext secrets: https://review.openstack.org/474304 6

  7. LDAP passwords in config files admin role on cmurphy user app user creates Bug 968696 application LDAP domain domain 7

  8. Password rotation == downtime Steps to change a keystone user's compromised password: 1. openstack user set --password moresecurepassword appuser 2. [applications are suddenly down, being unable to authenticate] 3. Update config files on all worker nodes 4. Restart services on all worker nodes 5. [applications can auth again] 8

  9. Introducing Application Credentials 9

  10. Application Credentials An application credential is a scoped auth method that a user creates to delegate a subset of their role assignments on a single project to something else - whoever or whatever possesses knowledge of the identifier and the secret belonging to the application credential. ● Has its own secret ● Can only access one project, no matter how many projects the user is in ● Can have all or a subset of the roles the user has on that project ● Is user-lived - when the user is deleted, the app credential dies ● User can have many 10

  11. What's in a name? Why are they called application credentials? What's wrong with API keys? ● "Application credentials" is a name we invented without any industry-known connotations 11

  12. Why not trusts? ● Not fully self-service ● Still requires your keystone user's password to auth 12

  13. Live demo 13

  14. Authenticating clouds: openstack: auth: auth_url: https://cloud.example.com/identity/v3 application_credential_id: "a2911c0aadea457e8d713955ab3675d0" application_credential_secret: "BB6L1wghFcr5AlZ3JK6vEl-B936vACEJJoof" region_name: "RegionOne" interface: "public" identity_api_version: 3 auth_type: "v3applicationcredential" 14

  15. Authenticating clouds: openstack: auth: auth_url: https://cloud.example.com/identity/v3 username: "cmurphy" user_domain_name: "suse.de" application_credential_name: "volume_backups_001" application_credential_secret: "BB6L1wghFcr5AlZ3JK6vEl-B936vACEJJoof" region_name: "RegionOne" interface: "public" identity_api_version: 3 auth_type: "v3applicationcredential" 15

  16. Rotation 1. openstack application credential create volume_backups_cred_002 2. [applications are still using old app cred] 3. Update config files on all worker nodes 4. Restart services on all worker nodes [applications start using the new app cred] 5. openstack application credential delete volume_backups_cred_001 16

  17. What about project-lived credentials? The need: ● Team member writes an application for a keystone project ● Creates application credential for the project, shared with the team ● Team member is reassigned ● Application keeps working 17

  18. What about project-lived credentials? The problem: ● Employee privately creates application credential for a keystone project, records secret ● Employee's keystone user is deleted ● Employee can still access that project using the application credential identifier and secret 18

  19. Handling team attrition If the team member that created the application credential is leaving: Plan ahead. Rotate the application credential before their user is decommissioned in order to avoid downtime. If someone else on the team is leaving: Plan ahead! For security, the application credential should still be rotated, even though the user leaving won't cause downtime. Keystone can't solve people problems. 19

  20. The Future 20 20

  21. Fine-grained access control Currently: openstack application credential create myappcred \ --role member Soon: openstack application credential create myappcred \ --capabilities \ '[{"service": "volume", "path": "/v3/{project_id}/backups", "type": "POST"}]' 21

  22. Rotation automation Automating around user-lived application credentials 22

  23. System scope Allow cloud administrators to automate system-level tasks 23

  24. Thanks! Questions? #openstack-keystone openstack-dev mailing list cmurphy @_colleenm 24

Recommend

Microservices and Cloud-native Applications Containerizing Traditional Applications Managing

Microservices and Cloud-native Applications Containerizing Traditional Applications Managing

Microservices and Cloud-native Applications Containerizing Traditional Applications Managing Security What we covered last time Steps to Containerize any Application Identify and handle application state Decide on how many containers q

652 views • 14 slides
Cloud Native Data Pipelines with Apache Kafka Gwen Shapira, Software Engineer @gwenshap 2

Cloud Native Data Pipelines with Apache Kafka Gwen Shapira, Software Engineer @gwenshap 2

1 Cloud Native Data Pipelines with Apache Kafka Gwen Shapira, Software Engineer @gwenshap 2 What is a Cloud Native Application? 3 Resilience Elasticity Common ideas Agility DevOps 4 You will build Cloud Native Applications

716 views • 47 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
What is Cloud Native? WW Developer Advocacy Contents App Modernization Docker

What is Cloud Native? WW Developer Advocacy Contents App Modernization Docker

Cloud Native Applications Workshop Cloud Native Applications Workshop What is Cloud Native? WW Developer Advocacy Contents App Modernization Docker Overview Kubernetes Overview OpenShift Overview 12 Factor Apps IBM

281 views • 27 slides
Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer: Blah blah blah Kubernetes! Kubernetes is the Greek god of spending money on cloud services - @QuinniPig About me: Java/Cloud

1.03k views • 67 slides
Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29

Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29

Cloud Native Go 6/28/17, 11)02 AM Cloud Native Go Building Scalable, Resilient Microservices for the Cloud in Go 1 / 29 file:///Users/kimberlyamaral/Desktop/cng-presentation/pres.html#1 Page 1 of 38 Cloud Native Go 6/28/17, 11)02 AM Agenda

566 views • 38 slides
Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum Founded by Wireshark Cloud-native security Customer expansion mirrors co-creator and

247 views • 22 slides
Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry

Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry

Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry Foundation Why does Cloud Native matter? Since 2000, 52% of the Fortune 500 are no longer on the list Continuous Innovation There is a rough

794 views • 50 slides
My Kind of Future 1 Prepare for the Future Now Transform your IT infrastructure and application

My Kind of Future 1 Prepare for the Future Now Transform your IT infrastructure and application

My Kind of Future 1 Prepare for the Future Now Transform your IT infrastructure and application delivery approach to support cloud-native applications, DevOps and CI/CD from the edge to the core to the cloud 2 Re-define Service Delivery

649 views • 43 slides
WebPerf: Ramesh Govindan Evaluating What- If Scenarios for Cloud-hosted Web Applications

WebPerf: Ramesh Govindan Evaluating What- If Scenarios for Cloud-hosted Web Applications

Yurong Jiang Lenin Ravindranath Suman Nath WebPerf: Ramesh Govindan Evaluating What- If Scenarios for Cloud-hosted Web Applications 1 A Cloud-Hosted Web Application 2 Modern Cloud Applications are Complex Cloud Notification

1.33k views • 101 slides
Experimental Evaluation of the Cloud- Native Application Design Sandro Brunner, Martin

Experimental Evaluation of the Cloud- Native Application Design Sandro Brunner, Martin

Experimental Evaluation of the Cloud- Native Application Design Sandro Brunner, Martin Blchlinger, Giovanni Toffetti, Josef Spillner, Thomas Michael Bohnert <josef.spillner@zhaw.ch> Service Prototyping Lab ( blog.zhaw.ch/icclab ) Zurich

333 views • 15 slides
eHealth .. How to trust a cloud? Enabling trust in distributed eHealth applications Dr. Mario

eHealth .. How to trust a cloud? Enabling trust in distributed eHealth applications Dr. Mario

eHealth .. How to trust a cloud? Enabling trust in distributed eHealth applications Dr. Mario Drobics Thematic Coordinator Safety & Security Department AIT Austrian Institute of Technology GmbH mario.drobics@ait.ac.at +43 50 550 4810

567 views • 17 slides
Calling the cloud: Enabling mobile phones as interfaces to cloud applications

Calling the cloud: Enabling mobile phones as interfaces to cloud applications

Calling the cloud: Enabling mobile phones as interfaces to cloud applications r r r r st

598 views • 35 slides
Developing cloud-native applications with Eclipse and the Spring Tool Suite Martin Lippert -

Developing cloud-native applications with Eclipse and the Spring Tool Suite Martin Lippert -

Developing cloud-native applications with Eclipse and the Spring Tool Suite Martin Lippert - Pivotal mlippert@pivotal.io @martinlippert back in time Applications of that time

352 views • 24 slides
Monitoring Cloud Native applications with Prometheus Aaron Kirkbride @ Weaveworks Time Series

Monitoring Cloud Native applications with Prometheus Aaron Kirkbride @ Weaveworks Time Series

Monitoring Cloud Native applications with Prometheus Aaron Kirkbride @ Weaveworks Time Series Database time_series_1 => [( t0 , 0), ( t1 , 100), ( t2 , 150), ( t3 , 170), ( t4 , 300), ...] time_series_2 => [( t0 , 0), ( t1 , 0), ( t2 , 0),

1.1k views • 51 slides
PATH TO CLOUD-NATIVE APP DEV 8 steps to cloud-native app dev Thomas Qvarnstrom Cesar Saavedra

PATH TO CLOUD-NATIVE APP DEV 8 steps to cloud-native app dev Thomas Qvarnstrom Cesar Saavedra

PATH TO CLOUD-NATIVE APP DEV 8 steps to cloud-native app dev Thomas Qvarnstrom Cesar Saavedra Technical Marketing Manager Product Marketing Manager tqvarnst@redhat.com csaavedr@redhat.com @ tqvarnst @cesar_saavedr June 2018 EVOLUTION OF

657 views • 28 slides
The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP

The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP

The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP Developer Relations Oracle Cloud Bob Quillin, VP Developer Relations Oracle Cloud @bobquillin @bobquillin Cloud Native: New Rules, New Game How we

351 views • 17 slides
Lessons Learnt from Running a Container Native Cloud Xu Wang (@gnawux) CTO & Cofounder,

Lessons Learnt from Running a Container Native Cloud Xu Wang (@gnawux) CTO & Cofounder,

Lessons Learnt from Running a Container Native Cloud Xu Wang (@gnawux) CTO & Cofounder, Hyper.sh Reinvent IaaS with Container! Agenda Hyper.sh: a Container Native Cloud Under the Hood: How We Build a Container Native Cloud

442 views • 23 slides
MOBILE APPLICATIONS AND CLOUD COMPUTING Roberto Beraldi Course Outline 6 CFUs Topics:

MOBILE APPLICATIONS AND CLOUD COMPUTING Roberto Beraldi Course Outline 6 CFUs Topics:

MOBILE APPLICATIONS AND CLOUD COMPUTING Roberto Beraldi Course Outline 6 CFUs Topics: Mobile application programming (Android) Cloud computing To pass the exam: Individual working and documented application Answer to

569 views • 38 slides
PolarDB Cloud Native DB @ Alibaba Lixun Peng Inaam Rana Alibaba Cloud Team Agenda

PolarDB Cloud Native DB @ Alibaba Lixun Peng Inaam Rana Alibaba Cloud Team Agenda

PolarDB Cloud Native DB @ Alibaba Lixun Peng Inaam Rana Alibaba Cloud Team Agenda Context Architecture Internals HA Context PolarDB is a cloud native DB offering Based on MySQL-5.6 Uses shared storage

1.27k views • 25 slides
Tekton Overview WW Developer Advocacy Contents History of Tekton What is Tekton? Tekton

Tekton Overview WW Developer Advocacy Contents History of Tekton What is Tekton? Tekton

Cloud Native Applications Workshop Cloud Native Applications Workshop Tekton Overview WW Developer Advocacy Contents History of Tekton What is Tekton? Tekton Concepts and Examples Tekton Features Tekton and Kabanero Tekton provides

630 views • 19 slides
5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna Edupuganti, Intel Muhammad (Asim) Jamshed, Intel 2020 Agenda Cloud Native Disaggregated Network Infrastructure Transition to 5G Near

639 views • 38 slides
MOBILE APPLICATIONS AND CLOUD COMPUTING Roberto Beraldi Course Outline 6 CFUs Topics:

MOBILE APPLICATIONS AND CLOUD COMPUTING Roberto Beraldi Course Outline 6 CFUs Topics:

MOBILE APPLICATIONS AND CLOUD COMPUTING Roberto Beraldi Course Outline 6 CFUs Topics: Mobile application programming (Android) Cloud computing To pass the exam: Individual working and documented application in android

768 views • 42 slides
Honey, I shrunk the database! Resilience and recoverability in Cloud Native services JEFFREY

Honey, I shrunk the database! Resilience and recoverability in Cloud Native services JEFFREY

Honey, I shrunk the database! Resilience and recoverability in Cloud Native services JEFFREY FARBER SIDNEY SHEK Cloud infrastructure = reliable services right? SUPER RESILIENT CLOUD-BASED ARCHITECTURE Canary Progressive Rollouts

1.11k views • 93 slides

More recommend