Moonshot-enabled Federated Access to Cloud Infrastructure
Terena Networking Conference, Reykjavik. May 2012
David Orrell, Eduserv
Objectives
Enable end-to-end federated access to cloud infrastructure.
Ease the management of cloud infrastructure.
Path to federated cloud platform services.
  o Federated access by default.
Eduserv
Not-for-profit IT services company
  o Based in Bath, UK.
  o 115 staff.
  o New datacentre.
Key business areas
  o IAM software and services.
  o Web hosting and development for government.
Charitable mission to encourage the effective use of ICT in ‘public good’ organisations.
Eduserv cloud platform
Infrastructure as a Service (IaaS) for the UK Education community
  o Currently offered as a beta service.
Infrastructure to support existing products and services.
Eduserv Education Cloud: Hardware
Cisco UCS blade infrastructure
  o Dual 6-core 3.06 GHz processors with 64 GB RAM.
  o Initial deployment will scale to >1,500 cores, 8 TB of RAM.
Isilon storage
  o Clustered NAS solution with near-SAN performance.
  o Initial deployment will scale to 10 PB usable.
Connectivity
  o 2-tier Cisco switched network (core and distribution).
  o Fully resilient with no single point of failure (including dual path to JANET PoP).
  o All ports running at 10 Gbit/s.
Eduserv Education Cloud: Software
VMware vCloud
Compute
  o Good fit with vSphere provision.
  o Provides burst capacity at times of high demand.
File/object storage
vCloud Director
  o vCloud REST APIs.
Eduserv Cloud Portal
  o Billing, usage etc.
vCloud Architecture (diagram labels): Virtual Organisation, Virtual Datacentre (vDC), vApp, Network, Catalog, Public Catalog, vApp Template, ISO media, Users + groups.
vApps
Package of multiple VMs (as an OVF).
How VMs connect to the network(s).
Boot sequence.
vApp networks
  o NATed, firewalled.
  o May be fenced.
(Diagram labels: VM, VM, VM, VM, Network.)
Federated SSO via UKAMF (diagram labels): 3rd party applications, Eduserv Education Cloud Web Portal, vCloud Director, vCloud API, Virtual Organisation …
Moonshot
JANET-led project.
Federated access to any application.
Builds on eduroam technologies
  o RADIUS for federated authentication.
  o EAP for mutual authentication.
Integrates with standard OS security APIs
  o GSS-API (RFC 2078 – Other OS).
  o SASL (RFC 4422 – Windows + Other OS).
  o SSPI (Windows).
SSH using Moonshot (diagram): SSH client, SSH server and RADIUS server.
  (1) Credentialing
  (2) SSH negotiation
  (3) Authentication
  (4) RADIUS
  (5) Attributes
  (6) SSH session
OpenSSH used as example of application; many others also apply.
Moonshot on Education Cloud
Deploy Moonshot-ready appliances.
Linux server as an example
  o CentOS 6.2.
  o Moonshot-enabled SSHD.
Moonshot on Education Cloud
Automatic allocation of ‘local’ Linux users.
NSS module
  o Automatic user/group allocation.
PAM module
  o Auditing.
moonbind daemon.
User/group allocation (diagram labels): Education Cloud Portal, SAML, vApp, VM, moonbind, PAM module, NSS module, SSHD, user + group(s), RADIUS server.
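The automatic user/group allocation and auditing described on the two Moonshot on Education Cloud slides, as an added illustration that is not Eduserv's moonbind, NSS module or PAM module code: it assumes a reserved UID block, an `affiliation` attribute released by the RADIUS server after EAP authentication, and a fixed affiliation-to-group map, all constructed here.

```python
import hashlib
import re

# Reserved UID block and group mapping are constructed values for this
# illustration, not the real deployment's configuration.
UID_BASE, UID_SPAN = 100000, 900000
AFFILIATION_GIDS = {"staff": 10001, "student": 10002}  # RADIUS affiliation -> local GID
DEFAULT_GID = 10000                                     # no recognised affiliation
NAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")        # what useradd will accept

class AllocationError(ValueError):
    """A federated identity could not be mapped to a local account."""

def local_username(identity):
    """Derive a local username from 'user@realm'. The realm is kept in the
    name so identical bare names from two federations never collide."""
    user, sep, realm = identity.partition("@")
    if not sep or not user or not realm:
        raise AllocationError(f"malformed identity: {identity!r}")
    name = f"{user}-{realm}".lower().replace(".", "-")
    if not NAME_RE.match(name):
        raise AllocationError(f"cannot form a valid local name from {identity!r}")
    return name

def local_uid(identity):
    """Deterministic UID inside the reserved block: the same identity gets the
    same UID (and so the same file ownership) every time a vApp is built."""
    digest = hashlib.sha256(identity.lower().encode()).digest()
    return UID_BASE + int.from_bytes(digest[:4], "big") % UID_SPAN

def allocate(identity, attributes, existing):
    """Build the passwd-style record for a federated login.
    attributes: attributes released by the RADIUS server after EAP succeeds.
    existing:   {uid: username} for accounts already present on the VM."""
    name = local_username(identity)
    uid = local_uid(identity)
    owner = existing.get(uid)
    if owner is not None and owner != name:
        # A hash collision must never silently hand one user another's files.
        raise AllocationError(f"uid {uid} already belongs to {owner!r}")
    gid = AFFILIATION_GIDS.get(attributes.get("affiliation", ""), DEFAULT_GID)
    return {"name": name, "uid": uid, "gid": gid,
            "home": f"/home/{name}", "shell": "/bin/bash"}

def audit_line(identity, outcome, detail):
    """One line for the PAM-side audit trail; the federated identity is kept
    alongside the local name so a login can be traced back to the home IdP."""
    return f"moonshot-login identity={identity} outcome={outcome} {detail}"
```

Keeping the federated identity in the audit line matters because the local username is derived, and the RADIUS server (not the VM) is the authority on who that identity is.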
vApp Instantiation (diagram labels): Education Cloud Portal, Catalog, vApp Template, ISO media, Network configuration, Custom script(s), Configure moonbind, Guest customisation, Virtual Organisation, vApp, VM, VM.
Future work
Proper authorisation.
Integration with vApp OVF descriptor.
Integration with file/object storage
  o Via WebDAV.
Windows/Exchange
PaaS
  o Cloud Foundry.
Thanks to…
Eduserv colleagues: Andy Powell, Richard Annett, Charlie Llewellyn, Tim Lawrence
JANET
Education Cloud blog + further information: http://support.cloud.eduserv.org.uk
www.eduserv.org.uk
@eduserv
david.orrell@eduserv.org.uk