CloudStack Authentication Methods - Harikrishna
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
About me
– Harikrishna Patnala from Hyderabad, India
– Software Development Engineer at ShapeBlue
– Apache CloudStack committer and PMC member
– Born and brought up in CloudStack
– Previously worked at Accelerite and Citrix
Existing Authentication Methods
Ø Local passwords
Ø LDAP
Ø SSO / SAML2
Ø OAUTH2
Existing Authentication Methods
Ø Local passwords (+ 2FA)
Ø LDAP (+ 2FA)
Ø SSO / SAML2 (+ 2FA)
Ø OAUTH2 (+ 2FA)
Local Authentication
– User’s password stored in DB
– Encrypted
– Can be replaced (a hack) with another user’s stored password, i.e. reset to a known value
– Comes as default
LDAP Authentication
– Global LDAP config
– Per-domain LDAP config
– 3 different ways of configuration:
  – Manual import
  – Auto import
  – Auto sync
SAML/SSO Authentication
– Requires enabling of the SAML 2.0 service provider plugin in CloudStack
– Requires that admin enables each user for the SAML SSO login
– SAML authentication plugin finds user accounts whose username matches the username attribute value returned by the SAML authentication response
– Tested with Shibboleth 2.4, SSOCircle, Microsoft ADFS, OneLogin, Feide OpenIDP, PingIdentity
– Takes some effort to configure
OAuth2 Authentication
– Requires enabling the OAuth2 plugin in CloudStack
– Currently supports Google and GitHub
– OAuth2 plugin finds user accounts whose email matches the email attribute value returned by the OAuth2 service provider
– Available from CloudStack 4.19.0.0
– Pretty easy to configure
OAuth2 configuration
– Disabled by default
– Once enabled, a new "OAuth configuration" entry is available under the "Configuration" menu
– Needs configuration on the provider's side (Google or GitHub)
– Provider generates a client ID and secret, which are added to CloudStack under the “OAuth configuration” menu
OAuth2 configuration
– Needs a user with a matching email address created beforehand inside ACS
– User can still use local authentication (with password)
– Redirect URL in the form of “http://mycloud.com:8080/?verifyOauth”
2FA
Why 2FA?
Ø Additional layer of security
Ø Prevents man-in-the-middle attack
Ø Prevents attacker access if they have your password
Ø Prevents hijacking an account
2FA configuration
– Introduced in ACS 4.18.0.0
– Disabled by default, needs to be enabled
– Optional (i.e. not mandatory), by default
– Can be set to mandatory, optionally
2FA configuration
– TOTP or static PIN
  – TOTP: Google Authenticator or any other authenticator app
  – Static PIN: not a real 2FA! (stored in the ACS database)
– Can be disabled/enabled per domain
– “Issuer” (visible inside the TOTP app) can be configured per domain
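As an added illustration of the TOTP option above (example code, not CloudStack's own implementation): it derives and verifies codes per RFC 6238 using the RFC's published test secret, builds the otpauth:// enrolment URI that carries the per-domain issuer, and puts the static-PIN check beside it for contrast. The issuer and account names are constructed.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

# RFC 6238 test secret (ASCII "12345678901234567890" in Base32), used so the
# codes can be checked against the RFC's published vectors. Not a CloudStack value.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # time step shared by server and authenticator app
DIGITS = 6          # code length shown in the app


def otpauth_uri(secret_b32, account, issuer):
    """Build the otpauth:// URI carried by the enrolment QR code. 'issuer'
    is the per-domain label the TOTP app shows next to the account."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "digits": DIGITS, "period": STEP_SECONDS})
    return f"otpauth://totp/{label}?{query}"


def totp_at(secret_b32, unix_time):
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian step counter, then
    RFC 4226 dynamic truncation to DIGITS decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def verify_totp(secret_b32, submitted, unix_time, window=1):
    """Accept the code for the current step or any step within +/- 'window'
    steps (clock drift); compare in constant time against every candidate."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp_at(secret_b32, unix_time + drift * STEP_SECONDS)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


def verify_static_pin(stored_pin, submitted):
    """The static-PIN option: a fixed second secret held in the ACS database.
    Nothing depends on time or on a device, so it is just a second password."""
    return hmac.compare_digest(stored_pin, submitted)
```

The drift window is what lets a code generated a few seconds before the step boundary still pass; a static PIN has no such window because it never changes.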
Q & A