~cbehrens/nova/lp844160-build-works-with-zones

We will investigate one method for integrating an AWS-style API with US eAuthentication-compatible federated authentication systems, to achieve access controls and limits based on traditional operational roles.

Additionally, we will look at how combining this approach, with an implementation of the CloudAudit APIs, will allow us to achieve a certification under FIPS 199 Moderate classification for a hybrid cloud environment.

Relationship of US eAuth to RBAC

--------------------------------

Typical implementations of US eAuth authentication systems are structured as follows::

[ MS Active Directory or other federated LDAP user store ]

--> backends to…

[ SUN Identity Manager or other SAML Policy Controller ]

--> maps URLs to groups…

[ Apache Policy Agent in front of eAuth-secured Web Application ]

In more ideal implementations, the remainder of the application-specific account information is stored either in extended schema on the LDAP server itself, via the use of a translucent LDAP proxy, or in an independent datastore keyed off of the UID provided via SAML assertion.

Basic AWS API call structure

----------------------------

AWS API calls are traditionally secured via Access and Secret Keys, which are used to sign API calls, along with traditional timestamps to prevent replay attacks. The APIs can be logically grouped into sets that align with five typical roles:

* System User

* System Administrator

* Network Administrator

* Project Manager

* Cloud Administrator

* (IT-Sec?)

There is an additional, conceptual end-user that may or may not have API access:

* (EXTERNAL) End-user / Third-party User

Basic operations are available to any System User:

* Launch Instance

* Terminate Instance (their own)

* Create keypair

* Delete keypair

* Create, Upload, Delete: Buckets and Keys (Object Store) – their own

* Create, Attach, Delete Volume (Block Store) – their own

System Administrators:

* Register/Unregister Machine Image (project-wide)

* Change Machine Image properties (public / private)

* Request / Review CloudAudit Scans

Network Administrator:

* Change Firewall Rules, define Security Groups

* Allocate, Associate, Deassociate Public IP addresses

Project Manager:

* Launch and Terminate Instances (project-wide)

* CRUD of Object and Block store (project-wide)

Cloud Administrator:

* Register / Unregister Kernel and Ramdisk Images

* Register / Unregister Machine Image (any)

Enhancements

------------

* SAML Token passing

* REST interfaces

* SOAP interfaces

Wrapping the SAML token into the API calls.

Then store the UID (fetched via backchannel) into the instance metadata, providing end-to-end auditability of ownership and responsibility, without PII.

CloudAudit APIs

100

---------------

101

102

* Request formats

103

* Response formats

104

* Stateless asynchronous queries

105

106

CloudAudit queries may spawn long-running processes (similar to launching instances, etc.) They need to return a ReservationId in the same fashion, which can be returned in further queries for updates.

107

RBAC of CloudAudit API calls is critical, since detailed system information is a system vulnerability.

108

109

Type declarations

110

---------------------

111

* Data declarations – Volumes and Objects

112

* System declarations – Instances

113

114

Existing API calls to launch instances specific a single, combined “type” flag. We propose to extend this with three additional type declarations, mapping to the “Confidentiality, Integrity, Availability” classifications of FIPS 199. An example API call would look like::

115

116

RunInstances type=m1.large number=1 secgroup=default key=mykey confidentiality=low integrity=low availability=low

117

118

These additional parameters would also apply to creation of block storage volumes (along with the existing parameter of ‘size’), and creation of object storage ‘buckets’. (C.I.A. classifications on a bucket would be inherited by the keys within this bucket.)

119

120

Request Brokering

121

-----------------

122

123

* Cloud Interop

124

* IMF Registration / PubSub

125

* Digital C&A

126

127

Establishing declarative semantics for individual API calls will allow the cloud environment to seamlessly proxy these API calls to external, third-party vendors – when the requested CIA levels match.

128

129

See related work within the Infrastructure 2.0 working group for more information on how the IMF Metadata specification could be utilized to manage registration of these vendors and their C&A credentials.

130

131

Dirty Cloud – Hybrid Data Centers

132

---------------------------------

133

134

* CloudAudit bridge interfaces

135

* Anything in the ARP table

136

137

A hybrid cloud environment provides dedicated, potentially co-located physical hardware with a network interconnect to the project or users’ cloud virtual network.

138

139

This interconnect is typically a bridged VPN connection. Any machines that can be bridged into a hybrid environment in this fashion (at Layer 2) must implement a minimum version of the CloudAudit spec, such that they can be queried to provide a complete picture of the IT-sec runtime environment.

140

141

Network discovery protocols (ARP, CDP) can be applied in this case, and existing protocols (SNMP location data, DNS LOC records) overloaded to provide CloudAudit information.

142

143

The Details

144

-----------

145

146

* Preliminary Roles Definitions

147

* Categorization of available API calls

148

* SAML assertion vocabulary

149

150

System limits

151

-------------

152

153

The following limits need to be defined and enforced:

154

155

* Total number of instances allowed (user / project)

156

* Total number of instances, per instance type (user / project)

157

* Total number of volumes (user / project)

158

* Maximum size of volume

159

* Cumulative size of all volumes

160

* Total use of object storage (GB)

161

* Total number of Public IPs

162

163

164

Further Challenges

165

------------------

166

* Prioritization of users / jobs in shared computing environments

167

* Incident response planning

168

* Limit launch of instances to specific security groups based on AMI

169

* Store AMIs in LDAP for added property control

170

171

172

173

The :mod:`access` Module

174

--------------------------

175

176

.. automodule:: nova.auth.access

177

:members:

178

:undoc-members:

179

:show-inheritance:

180

181

The :mod:`signer` Module

182

------------------------

183

184

.. automodule:: nova.auth.signer

185

:members:

186

:undoc-members:

187

:show-inheritance:

188

189

The :mod:`users` Module

190

-----------------------

191

192

.. automodule:: nova.auth.users

193

:members:

194

:undoc-members:

195

:show-inheritance:

196

197

The :mod:`users_unittest` Module

198

--------------------------------

199

200

.. automodule:: nova.tests.users_unittest

201

:members:

202

:undoc-members:

203

:show-inheritance:

204

205

The :mod:`access_unittest` Module

206

---------------------------------

207

208

.. automodule:: nova.tests.access_unittest

209

:members:

210

:undoc-members:

211

:show-inheritance:

212

213

Older »