[Freeipa-devel] Multitenancy in FreeIPA
Adam Young
ayoung at redhat.com
Thu Dec 15 17:24:36 UTC 2011
This is a first attempt to write up an approach for multitenancy in
IPA. Please provide feedback. I've attached the document as well, as
that should be easier to read.
Description
Multi-tenancy is an aspect of Identity Management (IdM) where multiple
parties use the same resource without learn any information about each
other. The example is two rival companies who both operate servers
hosted in a public cloud. Neither company should be aware of the
existance of the other users presence in the web using, and they
definitely should not be able to enumerate either the users or the hosts
of the other company due to information leaks inside the cloud services.
The entities stored under each tenant have a relatively high likelihood
of reusing the same names. User names and group names are often have a
high number of names that are commonly used. For example, both
companies might have someone with the user name of asmith and a group
named developers. However, in the first company, asmith has a UID of
512 and developers has a GID of 2100, but in the other company
asmith has a UID of 87687 and developers has a GID of 6332. Both need
to exist in the IdM server and be distinguishable from the other.
IPA Status
IPA currently has a completely flat data model. All data is store in
two subtrees: one for the IPA user and host database, and one for the
PKI CA. The kerberos server would only server out tickets for a single
domain. The Directory server has the vast majority of its data open
read only available to anonymous binds. The user Admin has full control
over the entire set of entites in the system.
IPA stores the data it manages inside a Directory Server (389) instance
in a subtree that, by default, mirrors the hostname of the server. Thus
the server ipa.example.com would store in the subtree
cn=ipa,cn=example,cn=com. The layout of this subtree will be referred
to as the current schema. The instance of the subtree itself will be
referred to as the current baseDN.
In addition, each IPA server manages a Kerberos Realm. By default
the name of the realm matches the domain name, but in all capitals.
The zone example.com would have a corresponding realm EXAMPLE.COM.
Required Changes
These are the changes necessary to the FreeIPA server to support a
cloud deployment and multi-tenancy.
Directory Server
Each tenant in the cloud would get their own subtree. It would get a
BaseDN of the form:cn={TENANT},cn=tenants,$suffix. This subtree would
have a copy of the current schema. The initial (undeletable) suffix is
used for the cloud provider. These subtrees will be referred to as
tenant trees.
When performing an action in the IPA server, the user is identified by
their principal, which contains the Kerberos Realm name. This can be
used to distinguish which domain, and by extension, which subtree,
the action should use for data. Operations are limited to the current
zone. Cloud administrators will need the ability to override this in
order to perform maintenance operations on the tenants.
The directory will no longer be world readable. Instead, ACIs will
limit the users ability to read only the subtree in which they are
enrolled. LDAP operations will require an authenticated bind.
When updating IPA, schema changes need to be applied to each of the the
tenant trees.
API
Each of the RPCs need to allow an optional parameter tenant. Members
of the original domain with an approapriate Permission will be able to
perform operations inside the tenant specified.
BaseLDAP plugin
Instead of just reading the BaseDN out of the configuration file, the
base DN needs to be calculated based on the Kerberos principal of the
calling user. This value should be cached in the WSGI application so
that it does not always require multiple round trips to the LDAP server.
Kerberos
Each tenant would get its own Kerberos Realm, but each would trust the
Cloud Provider's realm. The httpd/mod_auth_kerberos needs to be capable
of accepting new realms. When adding a new tenant, we might need to
update krb5.conf on the IPA server to know about the new realm.
DNS
The BIND DynDB back end code would need to be extended to read zone
information from multiple subtrees in order to read the DNS entires in
the tenant trees.
It is also possible to keep the current approach, and then add the
ability to identify which users and tenants can manage and control DNS
entries. The simpler solution is to modify BIND Dyn DB.
CA
We would continue to have only one CA, and have IPA submit all
Certificate requests as a single Agent. The IPA server will ensure that
a user can only request certificates for entities within their own subtree.
IPA-CLIENT
When enrolling a host, the principal used to authenticate with the IPA
server will determine which subtree will hold host. This involves
changing the LDAP configuration information in the following client
components: SSSD, nss_ldap, and Kerberos.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111215/42bda022/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: multitenancy-0.0.0.odt
Type: application/vnd.oasis.opendocument.text
Size: 16213 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111215/42bda022/attachment.odt>
More information about the Freeipa-devel
mailing list