* Authorization in Distributed Systems
“Who are you and what are you doing in my Living Room” --Randall Munroe, quoting Don Knuth
* Delegation is getting someone else to do your work for you
** Yes, like Tom Sawyer
** If you don't, you do all the work
** This does not scale
* Party Pattern is a model for authorization
** More resilient to assign responsibility to a group than to a single person
** REST means a resource is at the end of a URL
** Operations are (coarsely) REST verbs
** PATCH/PUT/POST might be more granular based on payload
* OpenStack
** Manage virtual machines and the required infrastructure at scale
** Compute, Storage (many forms), Network
** Then build on top with *aaS
* Keystone
** Originally a way to stop copying the password around
** Bearer token
** Global roles... 'til someone scoped them
*** User, Project, Roles, Service Catalog
** Basic workflow:
*** Source a .rc file with the auth URL and OS_* variables
*** Get a token together with the service catalog
*** Make the call to Nova passing along the token
* Working at scale:
** Multiple Keystones
** Revocations
** Regions
** LDAP vs Galera
** Token formats:
*** UUID
*** PKI
*** Fernet
*** Tokenless
* AuthZ vs AuthN
** AuthN (authentication): who you are
** AuthZ (authorization): what you can do
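The Keystone basic workflow above, as an added example that is not code from the talk or from Keystone itself: the OS_* variables an openrc file exports, the v3 password-auth request they produce, the scoped token and catalog Keystone answers with, and the Nova call that carries the token. The environment dict, the token string, the catalog and all host names are constructed stand-ins (no network is touched); the request/response shapes follow the Keystone v3 API (token in the X-Subject-Token header, roles and catalog in the body, X-Auth-Token on the service call).

```python
"""Keystone v3 password auth -> scoped token + catalog -> Nova call (offline model)."""

# Variables a sourced openrc file exports; this dict stands in for os.environ.
CONSTRUCTED_RC_ENV = {
    "OS_AUTH_URL": "https://keystone.example.test:5000/v3",
    "OS_USERNAME": "demo",
    "OS_PASSWORD": "hunter2",  # constructed; real code reads it, never hard-codes it
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_PROJECT_NAME": "demo",
    "OS_PROJECT_DOMAIN_NAME": "Default",
    "OS_REGION_NAME": "RegionOne",
}


def auth_request_from_env(env):
    """Method, URL and JSON body for POST <OS_AUTH_URL>/auth/tokens (project scope)."""
    body = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
            "password": env["OS_PASSWORD"]}}},
        # Scope is what turns "who you are" into "what you can do": the roles in
        # the response are only those assigned to the user on this project.
        "scope": {"project": {"name": env["OS_PROJECT_NAME"],
                              "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}
    return "POST", env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens", body


# A constructed 201 response. The bearer token is NOT in the JSON body; Keystone
# returns it in the X-Subject-Token response header.
CONSTRUCTED_RESPONSE_HEADERS = {"X-Subject-Token": "gAAAAABconstructed-fernet-token"}
CONSTRUCTED_RESPONSE_BODY = {"token": {
    "expires_at": "2030-01-01T00:00:00.000000Z",
    "user": {"name": "demo", "domain": {"name": "Default"}},
    "project": {"id": "3a1f", "name": "demo"},
    "roles": [{"name": "member"}],
    "catalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://keystone.example.test:5000/v3"}]},
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://nova.example.test:8774/v2.1"},
            {"interface": "internal", "region": "RegionOne",
             "url": "http://10.0.0.5:8774/v2.1"},
            {"interface": "public", "region": "RegionTwo",
             "url": "https://nova-two.example.test:8774/v2.1"}]},
    ]}}


def parse_token_response(headers, body):
    """Keep the parts a client needs: token id, expiry, scope, roles, catalog."""
    token = body["token"]
    return {
        "id": headers["X-Subject-Token"],
        "expires_at": token["expires_at"],
        "project_id": token["project"]["id"],
        "roles": sorted(r["name"] for r in token["roles"]),
        "catalog": token["catalog"],
    }


def find_endpoint(catalog, service_type, region, interface="public"):
    """URL for one service type in one region and interface; None if the catalog lacks it."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["region"] == region and ep["interface"] == interface:
                return ep["url"]
    return None


def nova_request(token, region, path):
    """Method, URL and headers for a Nova call that presents the bearer token."""
    base = find_endpoint(token["catalog"], "compute", region)
    if base is None:
        raise LookupError("no public compute endpoint in region " + region)
    # Nova's auth middleware validates X-Auth-Token with Keystone and derives the
    # caller's project and roles from it; nothing else identifies the caller.
    headers = {"X-Auth-Token": token["id"], "Accept": "application/json"}
    return "GET", base.rstrip("/") + "/" + path.lstrip("/"), headers
```

Two things the model makes visible: the region name from the rc file is what selects among catalog entries (a multi-region deployment has one compute entry per region), and the token is a bearer credential, so it must be kept out of logs and URLs just like the password it replaced.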
** Attributes are used to go from authentication to authorization (from who you are to what you can do)
*** Group membership is the primary one
*** Others: time of day, location, age
* Authentication methods
** Password
** Kerberos
** PKI
** OTP
* Federation
** You don't own the user database
** SAML is king
*** An assertion is a cryptographically signed set of attributes
** OAuth, OpenID Connect
*** Kerberos + SSSD
** Still need another level of attributes beyond the assertion
* Secure delegation:
** Trusts
*** "Restart my VM for me at 2 in the morning 5 months from now, if needed"
** Take the car key off the keyring: delegate only the subset of roles the task needs
** Least privilege
** Don't run as root on your own system
** The risk of admin in OpenStack
*** Bug 968696
** Scope check versus role check
*** A scope check needs the object out of the database
*** A role check can be more dynamic
*** Implied roles
*** From that: if I have a role, what can I do?
*** URL-based RBAC check in middleware
* OpenStack code production process
** Repos run by teams
*** Multiple projects per team:
*** Keystone, keystoneclient, middleware, specs
**** Specs before features
*** Sign the CLA to play
*** Submit a patch
**** Gerrit vs Git
*** Pass CI
*** +1 = 1 for community members
*** 2 x +2 to approve a patch
*** PTL (Project Team Lead) breaks ties
**** Unit tests
**** Tempest
**** Grenade
**** Voting and non-voting jobs
*** Infra is a team itself
** Foundation is its own thing
*** Governance
*** No one company runs it
*** Decides inter-project issues
*** How to add a new project
*** Bi-annual summits
** Red Hat's roles
*** Upstream contributor
*** Packages for CentOS via RDO
*** Fedora supported but less common in production
*** Sells RH OSP for support
*** Need to have a supported stack from bottom to top
*** KVM hypervisor
*** Ceph
*** RH IdM
*** Package management is its own topic:
**** Koji vs Brew
**** pip vs RPM
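The "Secure delegation" section above (trusts as "taking the car key off the keyring", implied roles, scope check versus role check, URL-based RBAC in middleware), as an added example that is neither the talk's code nor Keystone's or oslo.policy's: a small model of a Nova-style API where a middleware role check needs only the token, a scope check needs the owning project of the object out of a database, and a trust can delegate only roles the trustor holds. The implied-role table, the URL rules, the server table and the project ids are constructed for the example.

```python
"""Role check vs scope check for an OpenStack-style API, with implied roles and trusts (offline model)."""
import re

# Implied roles: holding the role on the left also grants the roles on the right.
CONSTRUCTED_IMPLIED_ROLES = {
    "admin": {"member"},
    "member": {"reader"},
}


def expand_roles(roles, implied=CONSTRUCTED_IMPLIED_ROLES):
    """Transitive closure of a token's direct roles over the implied-role table."""
    result = set(roles)
    stack = list(roles)
    while stack:
        for child in implied.get(stack.pop(), ()):
            if child not in result:
                result.add(child)
                stack.append(child)
    return frozenset(result)


# URL-based rules: (method, path regex) -> role that must be present. First match
# wins. This check needs nothing but the token, so middleware can run it before
# the request body is parsed or anything is loaded from the database.
CONSTRUCTED_URL_RULES = [
    ("GET",    r"^/v2\.1/servers(/[^/]+)?$",       "reader"),
    ("POST",   r"^/v2\.1/servers$",                "member"),
    ("POST",   r"^/v2\.1/servers/[^/]+/action$",   "member"),
    ("DELETE", r"^/v2\.1/servers/[^/]+$",          "member"),
    ("GET",    r"^/v2\.1/os-hypervisors(/.*)?$",   "admin"),
]


def role_check(method, path, token_roles, rules=CONSTRUCTED_URL_RULES):
    """Allowed iff some rule matches the URL and the expanded roles contain the required one."""
    roles = expand_roles(token_roles)
    for rule_method, pattern, required in rules:
        if rule_method == method and re.match(pattern, path):
            return required in roles
    return False  # no rule for this URL: deny by default


# Stand-in for the Nova database: server id -> owning project.
CONSTRUCTED_SERVERS = {
    "vm-1": {"project_id": "proj-a"},
    "vm-2": {"project_id": "proj-b"},
}


def scope_check(server_id, token_project_id, db=CONSTRUCTED_SERVERS):
    """The object must belong to the project the token is scoped to."""
    server = db.get(server_id)
    return server is not None and server["project_id"] == token_project_id


def authorize(method, path, token):
    """Role check first (cheap, token only); scope check only when the URL names an object."""
    if not role_check(method, path, token["roles"]):
        return False
    m = re.match(r"^/v2\.1/servers/([^/]+)", path)
    if m and m.group(1) != "detail" and not scope_check(m.group(1), token["project_id"]):
        return False
    return True


def delegate(trustor_roles, requested_roles):
    """Trust creation rule: the trustor can hand out only roles it directly holds on the project."""
    missing = set(requested_roles) - set(trustor_roles)
    if missing:
        raise PermissionError("trustor cannot delegate " + ", ".join(sorted(missing)))
    return frozenset(requested_roles)
```

The interesting case is the admin token scoped to proj-a: the role check alone lets it delete vm-2 in proj-b, because "admin" satisfies every URL rule regardless of project. Only the scope check, which has to look the server up, stops it, which is the shape of the global-admin problem the section refers to. The trust model shows the other direction: a trustee restarting the VM at 2 a.m. gets a token carrying just "member", not everything the trustor had.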