
The Study And Implementation Of Cross-Domain Identity Federation For Keystone

Posted on: 2016-01-22
Degree: Master
Type: Thesis
Country: China
Candidate: M Q Zhang
GTID: 2348330488974025
Subject: Computer system architecture

Abstract/Summary:
With the continuous development of cloud computing, more and more organizations have entered this field. Because of its mature technology, OpenStack, an open-source cloud computing platform, is the choice of most organizations and has in practice become the deployment standard for IaaS infrastructure. However, most of these deployments are internal private clouds. Such deployments achieve better resource utilization and bring economic benefits by sharing resources within the organization, but this is far from enough for the wider resource-sharing economic models of the future. Deploying hybrid clouds by establishing trust relationships between organizations on a wide scale will become the mainstream.

However, security is the key obstacle to achieving wider resource sharing and joint services through wide-ranging trust relationships among organizations. The following urgent problems must be solved: How can trust relationships be built safely? How can we ensure that the shared resources are exactly what the organization intends to share? How can we improve the user experience and reduce the indirect security risks caused by users' habits? How can we determine the source of, and responsibility for, security incidents effectively?

Based on the above security requirements, this paper proposes a secure way of sharing resources between Keystone domains based on identity federation, derived from an analysis of OpenStack's internal authentication and authorization mechanisms and of several current identity federation solutions. The solution transforms Keystone using the SAML specification and the Shibboleth architecture, which makes it possible to carry out identity federation in the same way as a Shibboleth IdP and SP.

Meanwhile, in order to realize fine-grained control over the shared resources in the cloud platform and to isolate the potential security risks introduced through identity federation, the concept of "domain", newly supported by Keystone v3.0, is used for isolation, so that the trust relationship is built only on the trusting domain rather than on resources from the entire OpenStack cloud platform. Once identity federation is established in this way, the cloud platforms of the organizations can carry out resource sharing, load balancing and joint services within a controllable range. At the same time, cloud users need register with only one organization, yet they can access authorized resources from all organizations that have established trust relationships with the user's identity provider. Thus the number of user-name/password pairs a user has to remember is effectively reduced, and the indirect security risks arising from password habits are reduced as well.
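The following Python script is an added illustration of the domain-scoped trust described above; it is not code from the thesis. It assumes the JSON mapping-rule format that Keystone's own OS-FEDERATION API accepts (the thesis itself adapts Keystone to the Shibboleth architecture and need not use this exact format), and evaluates such a rule against SAML attributes as a Shibboleth SP would expose them. The IdP entity IDs, domain names, group names and attribute values are all constructed. It shows that an assertion from a non-trusted IdP, or from a user outside the agreed affiliation, maps to no identity at all, and that a successfully mapped user can only obtain a scope inside the trusting domain, never in the rest of the cloud.

```python
"""Domain-scoped federation trust, modelled on Keystone's mapping rules.

Added illustration, not code from the thesis. The rule format follows
Keystone's OS-FEDERATION mapping rules (an assumption about how the
trust would be expressed); all IdP, domain and attribute values are
constructed.
"""

# Constructed mapping rule: only assertions from the partner IdP are accepted,
# and the resulting identity is confined to a group in the "partner_shared"
# domain. Nothing in this rule grants anything in other domains.
MAPPING_RULES = [
    {
        "local": [
            {"user": {"name": "{0}", "type": "ephemeral"}},
            {"group": {"name": "federated_users",
                       "domain": {"name": "partner_shared"}}},
        ],
        "remote": [
            {"type": "eppn"},
            {"type": "Shib-Identity-Provider",
             "any_one_of": ["https://idp.partner.example/idp/shibboleth"]},
            {"type": "affiliation", "any_one_of": ["staff", "faculty"]},
        ],
    }
]


def _condition_holds(cond, value):
    """Evaluate one 'remote' entry against the attribute value."""
    if value is None:  # attribute absent from the assertion
        return False
    if "any_one_of" in cond:
        return value in cond["any_one_of"]
    if "not_any_of" in cond:
        return value not in cond["not_any_of"]
    return True  # a bare entry only binds the value for "{n}" substitution


def map_assertion(attrs, rules=MAPPING_RULES):
    """Return the local identity for SAML attributes, or None if no rule matches.

    attrs: attribute name -> value, as the SP exposes them to Keystone.
    Only "direct map" entries (those without any_one_of/not_any_of) are
    numbered for "{0}", "{1}", ... substitution, as in Keystone.
    """
    for rule in rules:
        bound = []
        matched = True
        for cond in rule["remote"]:
            value = attrs.get(cond["type"])
            if not _condition_holds(cond, value):
                matched = False
                break
            if "any_one_of" not in cond and "not_any_of" not in cond:
                bound.append(value)
        if not matched:
            continue
        identity = {"user": None, "groups": []}
        for local in rule["local"]:
            if "user" in local:
                identity["user"] = local["user"]["name"].format(*bound)
            if "group" in local:
                g = local["group"]
                identity["groups"].append((g["domain"]["name"], g["name"]))
        return identity
    return None


def authorize_scope(identity, requested_domain):
    """Allow a domain-scoped token only for a domain where a mapped group lives."""
    if identity is None:
        return False
    return any(domain == requested_domain for domain, _ in identity["groups"])


# Constructed attribute sets as the Shibboleth SP would expose them.
PARTNER_STAFF = {
    "eppn": "alice@partner.example",
    "Shib-Identity-Provider": "https://idp.partner.example/idp/shibboleth",
    "affiliation": "staff",
}
UNTRUSTED_IDP = dict(
    PARTNER_STAFF,
    **{"Shib-Identity-Provider": "https://idp.other.example/idp/shibboleth"})
PARTNER_STUDENT = dict(PARTNER_STAFF, affiliation="student")


if __name__ == "__main__":
    for label, attrs in [("partner staff", PARTNER_STAFF),
                         ("untrusted IdP", UNTRUSTED_IDP),
                         ("partner student", PARTNER_STUDENT)]:
        ident = map_assertion(attrs)
        print(f"{label}: {ident}; scope partner_shared="
              f"{authorize_scope(ident, 'partner_shared')}, "
              f"scope default={authorize_scope(ident, 'default')}")
```

The check that matters for the thesis's isolation argument is `authorize_scope`: because the mapping only ever places the federated user in a group of the trusting domain, a request for a scope in any other domain of the same OpenStack deployment is refused, so a compromised or misconfigured partner IdP can at worst affect the resources that domain deliberately exposed.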
Keywords/Search Tags: OpenStack, Keystone, Security Assertion Markup Language, Cross-domain, Identity Federation