The Design And Implementation Of OpenID-based Identity Authentication Mechanism In OpenStack Cloud Platform

Besides the privated cloud platform,there are many open source solutions on the Internet,OpenStack is one of the leaders.When the OpenStack users login the system,the users were authenticated by network GUI firstly.After the successful authentication,front-end GUI server retrieves the users' credentials through the administrator credentials.However,when the GUI server authenticates users at the initial stage,the back-end OpenStack server can not participate in the authentication process.The access mechanism lacks of centralized authentication which will lead to multiple policy decision points.It is not easy for system management and implementation.Therefore,this paper adopts OpenStack as an open source authentication platform,it also introduces a flexible and decentral ized authentication service at the front end.The system implements OpenID as authentication mechanism for OpenStack and provide multiple service points for individual users.Users will have a seamless single-sign-on experience.The main work of this paper is summarized as follows:(1)It analyzed the shortcomings of OpenStack's traditional authentication mechanism in practicality,extensibility and security,and then proposed the design strategy of applying OpenID authentication mechanism in OpenStack.According to the adaptability of OpenID in OpenStack,the design choosed the OpenID authentication as a service to be the solution.The message Sequence for OpenID authentication service is mainly analyzed.(2)The key problems that need to be solved in t he authentication prototype system are discussed.This paper focused on the process of integrating OpenID authentication in OpenStack.It included modifications for OpenStack framework,presetting for configuration,OpenID authentication message sequence,OpenID authentication APIs,and the Dashboard / Django-Nova with OpenID.(3)Finally,the security and system performance of the designed OpenID authentication mechanism are discussed.The authentication mechanism is applied to Google,Yahoo and other OpenID providers.The performance of The authentication mechanism is evaluated by observing the times for OpenID authentication requests and response,the internal timing between the Nova-OpenID controller and the cloud controller on these platforms.