next generation directory based
play

Next Generation Directory-Based User Management for Cloud - PowerPoint PPT Presentation

Aug 17, 2023 •208 likes •928 views

Next Generation Directory-Based User Management for Cloud Infrastructure Nov 16, 2016 ApacheCon EU, Seville Introductions Katarina Valalikova Evolveum Shawn McKinney - Symas ApacheCon EU, Seville 2016 2 Security is Hard I had

  1. Next Generation Directory-Based User Management for Cloud Infrastructure Nov 16, 2016 ApacheCon EU, Seville

  2. Introductions • Katarina Valalikova – Evolveum • Shawn McKinney - Symas ApacheCon EU, Seville 2016 2

  3. Security is Hard “I had to keep guessing at the channel; I had to discern, mostly by inspiration, the signs of hidden banks; I watched for sunken stones; When you have to attend to things of that sort, to the mere incidents of the surface, the reality — the reality, I tell you — fades. The inner truth is hidden. ” Joseph Conrad, Heart of Darkness ApacheCon EU, Seville 2016 https://en.wikipedia.org/wiki/File:VingtAnnees_286.jpg

  4. Session Objective Uncover that hidden navigation channel for users and machines through ‘the cloud’. ApacheCon EU, Seville 2016 4

  5. Session Agenda • History • Building Blocks • Model • Solution • Use Case • Demo • Questions Image from: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA

  6. History Knowing the path forward necessarily means we understand where we’ve been. ApacheCon EU, Seville 2016 6

  7. History 7 https://upload.wikimedia.org/wikipedia/commons/7/77/Unix_history-simple.svg

  8. History POSIX Soup of the day RFC2307 NSS dns sudo su users NSS PAM Security ApacheCon EU, Seville 2016 8

  9. Operating System AIX should work on most unix platforms ApacheCon EU, Seville 2016 9

  10. Cloud Infrastructure must work on all ApacheCon EU, Seville 2016 10

  11. The Wheel • Let’s not reinvent ApacheCon EU, Seville 2016 11

  12. Back in time circa 1995 • Internet went mainstream • Linux is viable • Sun released Java • Work on Apache HTTP server begun • The die was cast on LDAP ApacheCon EU, Seville 2016 12

  13. Building Blocks 1. POSIX security controls Best practic ices es 2. Directory services ApacheCon EU, Seville 2016 13

  14. Fast Forward New practic ice 3. Mediator ApacheCon EU, Seville 2016 14

  15. Building Blocks Conceptual ApacheCon EU, Seville 2016 15

  16. Building Blocks Actual ApacheCon EU, Seville 2016 16

  17. Building Blocks - AuthN ApacheCon EU, Seville 2016 17

  18. Pluggable Authentication Module • Authentication • Coarse-grained Authorization Jus ust an au authN N servic ice ApacheCon EU, Seville 2016 18

  19. Building Blocks - AuthZ ApacheCon EU, Seville 2016 19

  20. sudo Just an a authZ service ce 20

  21. Building Blocks – Reporting ApacheCon EU, Seville 2016 21

  22. Name Service Switch • Used by unix processes to lookup user and group info Jus ust a l lookup up servic ice ApacheCon EU, Seville 2016 22

  23. What is LDAP 23

  24. Building Blocks - LDAP Just a System of record • Users • Passwords • Groups ApacheCon EU, Seville 2016 24

  25. Building Blocks - Mediator • Keeps things in synch between the machines and LDAP as things change. ApacheCon EU, Seville 2016 25

  26. Mediator 1. Machine added to network, notifies mediator 2. Based on policies stored in DB 3. Updates ldap accordingly 1 3 2 ApacheCon EU, Seville 2016 26

  27. Model afnorth aspac --------- --------- m2010 m3100 ..... … amsouth --------- m1001 m1002 m1003 Requir iremen ements ts … ApacheCon EU, Seville 2016 27

  28. Three Kinds of Security Checks 1. Authentication with LDAP PAM 2. Coarse-grained authZ - memberOf target machine – (i.e. LDAP group name == hostname) sudo 3. Medium-grained authZ. memberOf at least one: – Admin - root access – User - typical user access – Auditor - read-only access to entire machine. ApacheCon EU, Seville 2016 28

  29. Three Types of Groups 1. Machine Sets mediator tor 2. Machines PAM 3. Security Roles sudo ApacheCon EU, Seville 2016 29

  30. 1. Machine Sets m3set --------- m3100 m3200 m3300 … m2set --------- m2010 m1set Used d by m2020 --------- m2030 m1001 mediator tor to … m1002 m1003 compute te polici cies es … ApacheCon EU, Seville 2016 30

  31. 2. Machines Used d by PAM ApacheCon EU, Seville 2016 31

  32. 3. Security Roles Used d by sudo ApacheCon EU, Seville 2016 32

  33. Policy Combiner m3set --------- User, r, role and machine e set m3100 m3200 m3300 … user m2set --------- m2010 m1set m2020 --------- m2030 m1001 … The mediato tor r auditor m1002 m1003 can do this … admin ApacheCon EU, Seville 2016 33

  34. Pick Two ApacheCon EU, Seville 2016 34

  35. Solution ApacheCon EU, Seville 2016 35

  36. Target System Architecture 36

  37. Client-side Solution Script during machine instantiation: 1. Configures pam, sudo & nss to LDAP 2. Call mediator to add LDAP machine group 3. Call mediator to recompute LDAP groups ApacheCon EU, Seville 2016

  38. Server-side Solution 1. MidPoint - mediator – delegated admin, approvals, audit – html & http admin services 2. PostGreSQL – master database – users, roles, orgs, svcs 3. OpenLDAP – security database – users, groups – posixAccount, posixGroup 38

  39. High-level Solution Design ApacheCon EU, Seville 2016 39

  40. Detail Design

  41. Data Models 1. LDAP Hierarchical Database – data used for the posix security access control 2. Midpoint Relational Database – stores master copy of all data used across all repositories ApacheCon EU, Seville 2016 41

  42. LDAP Data Model Standard object schemas: 1. RFC2307bis – posixAccount – posixGroup 2. SudoRole ApacheCon EU, Seville 2016 42

  43. LDAP Data Model Hierarchica archical ApacheCon EU, Seville 2016 43

  44. Use RFC2307bis LDAP Schema ApacheCon EU, Seville 2016 44

  45. Machine Set M1 dn: cn=m1set, ou=Groups, ... description: Machine Set 1 member: cn=m1001,... member: cn=m1002,... member: cn=m1003,... … ApacheCon EU, Seville 2016 45

  46. Machine M1001 dn: cn=m1001, ou=Groups,… objectClass: posixGroup description: Machine Group M1001 member: uid=curly,ou=People,… member: uid=frank,ou=People,… member: uid=marla,ou=People,… … ApacheCon EU, Seville 2016 46

  47. Security Role M1Admin dn: cn=m1admin, ou=Groups, ... objectClass: posixGroup description: Admin Machine Set 1 cn: m1admin member: uid=curly,ou=People,... member: uid=frank,ou=People,... member: uid=marla,ou=People,... … ApacheCon EU, Seville 2016 47

  48. sudo LDAP Schema objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ description ) ) ApacheCon EU, Seville 2016 48

  49. sudo M1Admin dn: cn=admin access to m1,ou=sudo,dc=example,dc=com objectClass: sudoRole cn: admin access to m1 sudoUser: %m1admin sudoHost: m1001 sudoHost: m1002 sudoHost: m1003 sudoHost: m1004 ApacheCon EU, Seville 2016 49

  50. MidPoint Data Model Rela lational tional 50

  51. Provisioning Overview 1. Adding a new User into LDAP triggers into midpoint DB and vice versa. 2. Adding a new machine group as a memberOf a particular machine set group it automatically adds eligible users as membersOf of the same machine group. 3. Assigning a Role with a parameterized Org to a User automatically adds to memberOf associated machine and security groups in LDAP. ApacheCon EU, Seville 2016 51

  52. Data Mapping Use midpoin int t paramete eterized rized roles 52

  53. Midpoint (mediator) 53

  54. Midpoint manages the LDAP groups 54

  56. Users ApacheCon EU, Seville 2016 56

  57. OpenLDAP Resource ApacheCon EU, Seville 2016 57

  58. Use Cases Manage a large cluster of machines for a technology company with 100 employees and 100,000 customers. ApacheCon EU, Seville 2016 58

  59. Overview • Many types of machines but here we’ll be using Debian and Redhat systems. • These deploy into the cloud of a well-known provider. • Must maintain strict control over who may access the machines to verify compliance. ApacheCon EU, Seville 2016 59

  60. Use Case 1 Create a New Machine • Assigns authorized Users as members of the Machine Group • New machine uses the Machine Group in PAM • Uses the security roles in SUDO ApacheCon EU, Seville 2016 60

  61. Use Case 2 Remove a Machine: • Deletes the Machine Group from LDAP ApacheCon EU, Seville 2016 61

  62. Use Case 3 Assigning a User to a Role: • Add to corresponding Security Role • Adds to corresponding Machine Groups ApacheCon EU, Seville 2016 62

  63. Use Case 4 Deassigning a User from a Role: • Removes User from corresponding Security Role • Removes User from corresponding Machine Groups ApacheCon EU, Seville 2016 63

  64. Machine Sets Each machine resides es in a si single le domain ApacheCon EU, Seville 2016 64

  65. Machines ApacheCon EU, Seville 2016 65

  66. Security Roles ApacheCon EU, Seville 2016 66

  67. 67

  68. Demo 1. Assign Users to Roles / Machine Sets 2. Deassign Users from Roles / Machine Sets 3. Add New Machines 4. Remove Machines ApacheCon EU, Seville 2016 68

Recommend

Registration Directory Service (RDS) 15 July 2013 Next Generation Registration Directory

Registration Directory Service (RDS) 15 July 2013 Next Generation Registration Directory

A Next Generation Registration Directory Service (RDS) 15 July 2013 Next Generation Registration Directory Service Session Agenda + Introduction + Discussion Questions and Community Input + Questions about Initial Report + Next Steps 2

460 views • 19 slides
Next Generation Next Generation gTLD Dir gTLD Directory Services ectory Services Pr

Next Generation Next Generation gTLD Dir gTLD Directory Services ectory Services Pr

Next Generation Next Generation gTLD Dir gTLD Directory Services ectory Services Pr Presentation by the esentation by the Expert W Expert Working Gr orking Group (EWG) oup (EWG) Next Generation gTLD Directory Services

569 views • 15 slides
EWG Final Report: Next Generation Registration Directory Service (RDS) Overview

EWG Final Report: Next Generation Registration Directory Service (RDS) Overview

EWG Final Report: Next Generation Registration Directory Service (RDS) Overview Expert Working Group on gTLD Directory Services (EWG) 23 June, 2014 Session Agenda About the EWG Overview of the EWGs Final

948 views • 36 slides
Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory Unlike the earlier Microsoft Windows NT 4.x Domain directory service which used proprietary DCE/RPC calls, Active Directory is based on standard

557 views • 27 slides
Directory-based Cache Coherency 1 To read more This days papers: Lenoski et al, The

Directory-based Cache Coherency 1 To read more This days papers: Lenoski et al, The

Directory-based Cache Coherency 1 To read more This days papers: Lenoski et al, The Directory-Based Cache Coherence Protocol for the DASH Multiprocessor Supplementary readings: Hennessy and Patterson, section 5.4 Molka et al,

792 views • 57 slides
Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory Collection of related objects Files, Printers, Fax servers etc. Directory Service Information needed to use and manage the objects. Source

438 views • 27 slides
Directory-based Coherence ( 5.4) Idea : Implement a directory that keeps track of where

Directory-based Coherence ( 5.4) Idea : Implement a directory that keeps track of where

Directory-based Coherence ( 5.4) Idea : Implement a directory that keeps track of where each copy of a block is cached and its state in each cache (note that with snooping, the state of a block was kept only in the cache).

515 views • 5 slides
Next-Generation gTLD Registration Directory Service (RDS) to replace WHOIS ICANN57 F2F Meeting

Next-Generation gTLD Registration Directory Service (RDS) to replace WHOIS ICANN57 F2F Meeting

Next-Generation gTLD Registration Directory Service (RDS) to replace WHOIS ICANN57 F2F Meeting Slides RDP PDP WG | ICANN58 | 11 March 2017 Agenda 2 3 1 Introductions PDP Work Plan, PDP Working & SOI Updates Progress, &

785 views • 37 slides
Stash Directory: A Scalable Directory for Many-Core

Stash Directory: A Scalable Directory for Many-Core

Stash Directory: A Scalable Directory for Many-Core Coherence Socrates Demetriades and Sangyeun Cho 20 th Interna+onal Symposium On High Performance

782 views • 31 slides
Decision Support Systems Directory an Envirolink T ools Project A web-based searchable

Decision Support Systems Directory an Envirolink T ools Project A web-based searchable

Decision Support Systems Directory an Envirolink T ools Project A web-based searchable directory of Decision Support Systems (models, tools, frameworks) that: provides key metadata for each DSS; provides relevant case studies of

311 views • 8 slides
Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of attributes Miroslav Milinovic, University Computing Centre, University of Zagreb Jasmina Hodzic, Center for Information Technology Services,

1.65k views • 20 slides
Directory Services A service that stores collections of bindings between names and attributes, and

Directory Services A service that stores collections of bindings between names and attributes, and

Directory Services A service that stores collections of bindings between names and attributes, and looks up entries that match attribute-based specifications (e.g., Microsoft's Active Directory Service, X.500 and LDAP) Case Study - X.500

515 views • 12 slides
Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights

Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights

Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights Directory of accurate, trusted provider data available to vetted healthcare entities (Not consumer-facing) Authoritative data sources that feed the

529 views • 11 slides
WHAT IS THE SERVICE DIRECTORY? USING THE DIRECTORY Simple format- search by Service Name (if

WHAT IS THE SERVICE DIRECTORY? USING THE DIRECTORY Simple format- search by Service Name (if

A one-stop shop , district and borough-wide register of local services , events and other assets Professional directory- the information on it is not made available to the wider public. Users can see at a glance what the service can do

294 views • 11 slides
DBIS: Directory-Based Information Services A replacement for NIS and RFC2307 by Mark R.

DBIS: Directory-Based Information Services A replacement for NIS and RFC2307 by Mark R.

DBIS: Directory-Based Information Services A replacement for NIS and RFC2307 by Mark R. Bannister dbis.sf.net Background RFC 2307, late 1990s (experimental) RFC 2307bis, 2002-2009 (draft) RFC 4876, 2007 nss_ldap (PADL, Sun

283 views • 9 slides
Directory 11 Regional Reliability Reference Directory # 11 Disturbance Monitoring Equipment

Directory 11 Regional Reliability Reference Directory # 11 Disturbance Monitoring Equipment

Directory 11 Regional Reliability Reference Directory # 11 Disturbance Monitoring Equipment Criteria Presented to: Joint Meeting NPCC TFSP& WECC RWG September 2018 Tony Napikoski Principal Engineer United Illuminatiing/Avangrid

130 views • 9 slides
LDAP (Lightweight Directory Access Protocol) wangth Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) wangth Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) wangth Computer Center, CS, NCTU What is Directory Service? What is Directory Service ( ) Highly optimized for reads Implements a distributed model for storing information

554 views • 39 slides
LDAP (Lightweight Directory Access Protocol) tzute Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) tzute Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) tzute Computer Center, CS, NCTU What is Directory Service? What is Directory Service ( ) Highly optimized for reads. Implements a distributed model for storing

854 views • 39 slides
The Arvy Distributed Directory Protocol Pankaj Khanchandani, Roger Wattenhofer ETH Zurich -

The Arvy Distributed Directory Protocol Pankaj Khanchandani, Roger Wattenhofer ETH Zurich -

The Arvy Distributed Directory Protocol Pankaj Khanchandani, Roger Wattenhofer ETH Zurich - Distributed Computing Group (DISCO) Distributed Directory Distributed Directory Shared Token Distributed Directory Distributed Directory

1.51k views • 139 slides
CS654 Advanced Computer Architecture Lec 14 Directory Based Multiprocessors Peter Kemper

CS654 Advanced Computer Architecture Lec 14 Directory Based Multiprocessors Peter Kemper

CS654 Advanced Computer Architecture Lec 14 Directory Based Multiprocessors Peter Kemper Adapted from the slides of EECS 252 by Prof. David Patterson Electrical Engineering and Computer Sciences University of California, Berkeley Review

717 views • 50 slides
Modes in Directory-Based Many-Core CMPs Subodha Charles and Prabhat Mishra University of

Modes in Directory-Based Many-Core CMPs Subodha Charles and Prabhat Mishra University of

Exploration of Memory and Cluster Modes in Directory-Based Many-Core CMPs Subodha Charles and Prabhat Mishra University of Florida, USA Chetan Arvind Patil and Umit Y. Ogras Arizona State University, USA This work was partially supported by

1.03k views • 31 slides
Proximity-Aware Directory-based Coherence for Multi-core Processor Architectures Jeff Brown

Proximity-Aware Directory-based Coherence for Multi-core Processor Architectures Jeff Brown

Proximity-Aware Directory-based Coherence for Multi-core Processor Architectures Jeff Brown Rakesh Kumar Dean Tullsen UC San Diego University of Illinois at Urbana-Champaign SPAA19 June 9, 2007 Introduction The chip multiprocessor

948 views • 76 slides
EMC TEST REPORT DIRECTORY Pages A) Documentation Directory 2 Test Standards 3 Address of

EMC TEST REPORT DIRECTORY Pages A) Documentation Directory 2 Test Standards 3 Address of

EMC TEST REPORT DIRECTORY Pages A) Documentation Directory 2 Test Standards 3 Address of the test laboratory, Conditions/Power Utilized, 4 Description of the EUT & Symbol Definitions Equipment under Test 17 General Remarks &

987 views • 76 slides
Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory

Advanced UNIX CIS 218 Advanced UNIX Director ies again CIS 218 Advanced UNIX 1 Directory Implementation The starting (root) directory of each filesystem is created by formatting . A UNIX directory is a file : it has an owner, group

502 views • 12 slides

More recommend