OpenStack Summit November 2013

Many organizations across academia, industry and government need to securely share data and services with partners to accomplish common goals. “Big Science”, such as high-energy physics, requires access to unique scientific instruments by collaborative research teams across the globe. Digital film production can require the collaboration of many independent production houses for different special effects to produce a final feature. Many sovereign governments have issued mandates for their agencies to adopt cloud computing, which in turn must interact with citizens, industry and other governments. The requirement these use cases have in common is to selectively authorize particular individuals and roles from different organizations that collectively constitute what can be called a virtual organization.

In the NIST cloud definition, the concept of a community cloud was intended to capture this requirement. However, what a community cloud really represents, and requires, is secure cloud federation. Cloud federation begins with federated identity management -- enabling different cloud providers to authenticate users from different organizations that rely on different identity providers. An approach for federated identity management in OpenStack has already been implemented and proposed by the University of Kent. Once identity has been established, however, how can authorization to resources across multiple, federated cloud providers be managed in a secure way, given that only subsets of users from each identity provider need to be selectively authorized to use the protected resources?

In this talk, we present the Virtual Organization (VO) concept for managing federated authorization. We will begin by presenting the current status of the Kent work, and how it can directly support VO-based authorization. A VO is essentially a context for managing security and collaboration across multiple institutions. It is used to manage group membership that is not tied to any one institution. We will present the basic VO concepts and also discuss a number of design issues and implementation options: (a) the use of an external VO management server vs. a distributed database, (b) managing cloud federation at the infrastructure level (resources on-demand) vs. federation at the application level (access to cloud-hosted application data and services, (c) role-based vs. attribute-based authorization, and (d) semantic interoperabililty. We also present results from a prototype VO implementation in the OpenStack Keystone and Swift services for the NCOIC/NGA GEOINT Community Cloud prototype
for international disaster response. This prototype demonstrated how international stakeholders can securely share cloud-hosted data, on-demand, to respond to a natural disaster, such as a Haiti earthquake. (NOTE: This prototype is on-track for final demonstration in September 2013 in the Washington DC area.)

The goals of this presentation are to (a) present the design space and implementation options for VOs in cloud federation, (b) gauge marketplace requirements, and (c) galvanize further work in the OpenStack community towards practical solutions.