Moonshot-enabled Federated Access to Cloud Infrastructure Terena Networking Conference, Reykjavik.May 2012

David Orrell, Eduserv

Objectives

Enable end-to-end federated access to cloud infrastructure.Ease the management of cloud infrastructure.Path to federated cloud platform services.o Federated access by default.

Eduserv

Not for profit IT services companyo Based in Bath, UK.o 115 staff.o New datacentre.

Key business areaso IAM software and services.o Web hosting and development for government.

Charitable mission to encourage the effective use of ICT in ‘public good’ organisations.

Eduserv cloud platform

Infrastructure as a Service (IaaS) for UK Education community

o Currently offered as a beta service

Infrastructure to support existing products and services

Eduserv Education Cloud: HardwareCisco UCS blade infrastructure

o Dual 6-core 3.06GHz processors with 64GB RAM.o Initial deployment will scale to >1,500 cores, 8 TB of RAM.

Isilon storageo Clustered NAS solution with near-SAN performance.o Initial deployment will scale to 10 PB usable.

Connectivityo 2-tier Cisco switched network (core and distribution).o Fully resilient with no single point of failure

(including dual path to JANET PoP).o All ports running at 10 Gbit/s.

Eduserv Education Cloud: SoftwareVMWare vCloud Compute

o Good fit with vSphere provision.o Provides burst capacity at times of high demand.

File/object storage

vCloud Directoro vCloud REST APIs.

Eduserv Cloud Portalo Billing, usage etc.

Virtual Organisation

vCloud Architecture

Virtual Datacentre (vDC)

vApp

vApp

vApp

Virtual Datacentre (vDC)

vApp

vApp

vApp

CatalogvApp Template

vApp Template

ISO media

Network

NetworkUsers + groups

Public Catalog

vApp Template

vApp Template

ISO media

vApps

Package of multiple VMs (as an OVF).How VMs connect to the network(s).Boot sequence.vApp networkso NATed, firewalled.o May be fenced.

vAppVM VM VM VM

Network

Virtual Organisation

vCloud Director Eduserv Education Cloud Web Portal

vCloud API

Federated SSO via UKAMF

…Virtual Organisation Virtual Organisation

3rd party applications

Moonshot

JANET-led project.

Federated access to any application.

Builds on eduroam technologieso RADIUS for federated authentication.o EAP for mutual authentication.

Integrates with standard OS security APIso GSS-API (RFC 2078 – Other OS).o SASL (RFC 4422 – Windows + Other OS).o SSPI (Windows).

11

SSH client SSH server RADIUS server

(2) SSH negotiation (4) RADIUS

(3) Authentication

(1) Credentialing

(5) Attributes(6) SSH session

OpenSSH used as example of application; many others also apply

SSH using Moonshot

Moonshot on Education Cloud

Deploy Moonshot-ready appliances.Linux server as an example

o CentOS 6.2.oMoonshot-enabled SSHD.

Moonshot on Education Cloud

Automatic allocation of ‘local’ Linux users.NSS module

o Automatic user/group allocation.PAM module

o Auditing.moonbind daemon.

vApp

VM

PAM module

NSS module

moonbind

Education Cloud Portal

User/group allocation

SSHD RADIUSserver

SAML

user + group(s)

Virtual Organisation

Education Cloud Portal

Guest customisation

vApp Instantiation

vApp

VM VM VM VM

CatalogvApp Template

vApp Template

ISO media

Network configurationCustom script(s)Configure moonbind

Future work

Proper authorisation.Integration with vApp OVF descriptor.Integration with file/object storage

o Via WebDAV.

Windows/ExchangePaaS

o Cloud Foundry.

www.eduserv.org.uk @eduservdavid.orrell@eduserv.org.uk

Thanks to…

Eduserv colleaguesAndy Powell, Richard Annett, Charlie Llewellyn, Tim Lawrence

JANET

Education Cloud blog + further information

http://support.cloud.eduserv.org.uk