Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tim Bell 24/09/2015 2Tim Bell - RDA.

Published byLenard Strickland Modified over 8 years ago

Similar presentations

Presentation on theme: "Tim Bell 24/09/2015 2Tim Bell - RDA."— Presentation transcript:

1

2 Tim Bell tim.bell@cern.ch 24/09/2015 2Tim Bell - RDA

3 CERN Tool Chain 24/09/2015 Tim Bell - RDA 3

4 24/09/2015 4 Microsoft Active Directory Database Services CERN Network Database Account mgmt system Horizon Keystone Glance Network Compute Scheduler Cinder Nova Block Storage Ceph & NetApp CERN Accounting Ceilometer Tim Bell - RDA

5 IN2P3 INFN … Onwards the Federated Clouds Public Cloud such as Rackspace CERN Private Cloud 120K cores ATLAS Trigger 28K cores CMS Trigger 12K cores Brookhaven National Labs NecTAR Australia Many Others on Their Way 24/09/2015 Tim Bell - RDA5 ALICE Trigger 12K cores

6 Open Design Process 24/09/2015 Tim Bell - RDA6 Started at OpenStack Hong Kong design summit Iterative design using open blueprints Source code under Apache 2 license Continuous integration to ensure maintainability Diverse team

7 Implementation 24/09/2015 Tim Bell - RDA7

8 Keystone authentication options Password Active Directory OpenID Connect X.509 Kerberos Tivoli Federated Identity Manager … plug in architecture for extensions 24/09/2015 Tim Bell - RDA8

9 Policy 24/09/2015 Tim Bell - RDA9 LOGIN: madenis LANGUAGE: EN DEPARTMENT: IT/OIS FULLNAME: Marek Denis Assertion Keystone credentials { name: madenis groups: [ “devs”, “openlab” ] } [ { "local": [ { "user": { "name": "{0}" } } ], "remote": [ { "type": "ADFS_LOGIN" } ] }, { "local": [ { "group": { "id": “devs" } }, {“group”: {ïd”:”openlab”} } ], "remote": [ { "type":"DEPARTMENT", "any_one_of": ["IT/OIS"] } ] } ]

10 OpenStack Identity Federation in 2015 24/09/2015 Tim Bell - RDA10

11 Examples of potential use #1 Federation with a cloud provider such as Rackspace Scenario Project with quota on an external cloud Define role mapping in external cloud using attributes User authenticates against private cloud IdP Accesses public cloud project Demo’d at the OpenStack summit in Paris in Autumn 2014 http://cern.ch/go/h98B 24/09/2015 Tim Bell - RDA11

12 Examples of potential use #2 Indigo dataclouds project H2020 funded Needs build and test resources CERN defines an OpenStack project Maps INFN role to project members Web SSO Federates with EduGain API/CLI Federates with INFN Keystone using Keystone-to-Keystone 24/09/2015 Tim Bell - RDA12

13 Experiences Watch out for non-federated services Who owns the resources at the site ? How to ssh into a VM behind a firewall when no account on the central login services ? Traceability for ephemeral accounts CADF logs need to be kept to map user UUID to originator 24/09/2015 Tim Bell - RDA13

14 Summary OpenStack now includes Federated Identity as standard Web SSO CLI Pluggable for authentication methods SAML and OpenID connect most popular Significant commercial interest and investment Partner networks such as Cisco and HP Easy to miss non-federated services when deploying production uses 24/09/2015 14Tim Bell - RDA

15 Questions ? 24/09/2015 15 OpenStack FIM links at http://clouddocs.web.cern.ch/c louddocs/additional/README. html http://clouddocs.web.cern.ch/c louddocs/additional/README. html CERN OpenStack technical details at http://openstack-in- production.blogspot.fr http://openstack-in- production.blogspot.fr Tim Bell - RDA

16 Usage Modes OpenStack with Web GUI handled by Federated Single Sign On OpenStack with Keystone authentication service validating against a SAML IdP OpenStack with Keystone authentication service validating against another Keystone 24/09/2015 Tim Bell - RDA16

17 24/09/2015 17Tim Bell - RDA

18 OpenStack Status 4 OpenStack clouds at CERN Largest is ~120,000 cores in ~4,000 servers in two data centres 3 other instances with 45,000 cores total Currently running Juno release of OpenStack Migrating to Kilo in next two months 24/09/2015 18Tim Bell - RDA

19 The Worldwide LHC Computing Grid Tier-1: permanent storage, re- processing, analysis Tier-0 (CERN): data recording, reconstruction and distribution Tier-2: Simulation, end-user analysis > 2 million jobs/day ~350’000 cores 500 PB of storage nearly 170 sites, 40 countries 10-100 Gb links 19 24/09/2015 Tim Bell - RDA

20 24/09/2015 20Tim Bell - RDA

Download ppt "Tim Bell 24/09/2015 2Tim Bell - RDA."

Similar presentations

Identity Network Ideals – Heterogeneity & Co-existence

Identity Network Ideals – Heterogeneity & Co-existence
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
STUDY ON OPENSTACK BY JAI KRISHNA. LIST OF COMPONENTS Introduction Components Architecture Where it is used.

STUDY ON OPENSTACK BY JAI KRISHNA. LIST OF COMPONENTS Introduction Components Architecture Where it is used.
© 2012 IBM Corporation Architecture of Quantum Folsom Release Yong Sheng Gong ( 龚永生 ) gongysh #openstack-dev Quantum Core developer.

© 2012 IBM Corporation Architecture of Quantum Folsom Release Yong Sheng Gong ( 龚永生 ) gongysh #openstack-dev Quantum Core developer.
Campus Based Authentication & The Project Presented By: Tim Cameron National Council of Higher Education Loan Programs.

Campus Based Authentication & The Project Presented By: Tim Cameron National Council of Higher Education Loan Programs.
Ben Jones 12/9/2013 NEC'20132.

Ben Jones 12/9/2013 NEC'20132.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.

1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
CLOUD FEDERATION Are We There Yet?. Tim Bell - CERN Why Do We Federate?

CLOUD FEDERATION Are We There Yet?. Tim Bell - CERN Why Do We Federate?
Tim 23/07/2014 2OSCON - CERN Mass and Agility.

Tim 23/07/2014 2OSCON - CERN Mass and Agility.
CERN Cloud Infrastructure Report 2 Bruno Bompastor for the CERN Cloud Team HEPiX Spring 2015 Oxford University, UK Bruno Bompastor: CERN Cloud Report.

CERN Cloud Infrastructure Report 2 Bruno Bompastor for the CERN Cloud Team HEPiX Spring 2015 Oxford University, UK Bruno Bompastor: CERN Cloud Report.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
GridPP Steve Lloyd, Chair of the GridPP Collaboration Board.

GridPP Steve Lloyd, Chair of the GridPP Collaboration Board.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
U.S. Department of Agriculture eGovernment Program August 14, 2003 eAuthentication Agency Application Pre-Design Meeting eGovernment Program.

U.S. Department of Agriculture eGovernment Program August 14, 2003 eAuthentication Agency Application Pre-Design Meeting eGovernment Program.
Rackspace Analyst Event Tim Bell

Rackspace Analyst Event Tim Bell
Cloud Computing Infrastructure at CERN

Cloud Computing Infrastructure at CERN

Similar presentations

Ads by Google