aceec15371
Better follow conventions, especially:
* remove Latinism like via and i.e.
* use variable lists
* Add missing <filename>
* wrap long lines

Change-Id: I2a537df78ddf4fbeb127b058bf05caaf42441d5f
67 lines
3.3 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  xmlns="http://docbook.org/ns/docbook"
  version="5.0"
  xml:id="ch028_case-studies-identity-management">
  <?dbhtml stop-chunking?>
  <title>Case studies: Identity management</title>
  <para>
    In this case study we discuss how Alice and Bob would address
    configuration of OpenStack core services. These include the
    Identity service, dashboard, and Compute services. Alice will be
    concerned with integration into the existing government
    directory services, while Bob will need to provide access to the
    public.
  </para>
  <section xml:id="ch028_case-studies-identity-management-idp87424">
    <title>Alice's private cloud</title>
    <para>
      Alice's enterprise has a well-established directory service
      with two-factor authentication for all users. She configures
      the Identity service to support an external authentication
      service supporting authentication with government-issued
      access cards. She also uses an external LDAP server to provide
      role information for the users that is integrated with the
      access control policy. Due to FedRAMP compliance requirements,
      Alice implements two-factor authentication on the management
      network for all administrator access.
    </para>
    <para>
      Alice also deploys the dashboard to manage many aspects of the
      cloud. She deploys the dashboard with HSTS to ensure that only
      HTTPS is used. The dashboard resides within an internal
      subdomain of the private network domain name system.
    </para>
    <para>
      Alice decides to use SPICE instead of VNC for the virtual
      console. She wants to take advantage of the emerging
      capabilities in SPICE.
    </para>
  </section>
  <section xml:id="ch028_case-studies-identity-management-idp131936">
    <title>Bob's public cloud</title>
    <para>
      Because Bob must support authentication for the general
      public, he decides to use user name and password
      authentication. He has concerns about brute force attacks
      attempting to crack user passwords, so he also uses an
      external authentication extension that throttles the number of
      failed login attempts. Bob's management network is separate
      from the other networks within his cloud, but can be reached
      from his corporate network through ssh. As recommended
      earlier, Bob requires administrators to use two-factor
      authentication on the management network to reduce the risk
      from compromised administrator passwords.</para>
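The throttling Bob relies on is described only as an external extension that limits failed logins. The following is an added example, not part of the security guide and not the code of any OpenStack component: a small per-account throttle that refuses further attempts for a bounded lockout period once too many failures land inside a sliding window. Class and function names, the thresholds, and the sample event list are all assumptions made for the example.

```python
"""Constructed example: throttle repeated failed logins per account.

Not OpenStack code. The caller is assumed to already know whether the
password check failed; this class only decides whether further attempts
for that account should be refused for a while. Times are plain seconds
so the logic can be exercised without a clock.
"""
from collections import deque


class LoginThrottle:
    # Thresholds are assumptions for the example, not recommended values.
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # user -> deque of failure timestamps
        self._locked_until = {}  # user -> time at which the lockout ends

    def _prune(self, user, now):
        """Drop failures that have aged out of the sliding window."""
        q = self._failures.setdefault(user, deque())
        cutoff = now - self.window_seconds
        while q and cutoff > q[0]:
            q.popleft()
        return q

    def is_allowed(self, user, now):
        """False while the account is inside a lockout period."""
        until = self._locked_until.get(user)
        return until is None or not until > now

    def record_failure(self, user, now):
        """Count one failure; return True if it triggered a lockout."""
        q = self._prune(user, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            q.clear()
            return True
        return False

    def record_success(self, user):
        """A successful login clears the failure history and any lockout."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def process_attempt(throttle, user, now, password_ok):
    """Decide one login attempt.

    A locked account is refused before the password is checked, so a
    guessing client learns nothing from continuing during the lockout.
    """
    if not throttle.is_allowed(user, now):
        return "locked"
    if password_ok:
        throttle.record_success(user)
        return "allowed"
    if throttle.record_failure(user, now):
        return "locked"
    return "refused"


# Constructed sample: five wrong guesses in quick succession, the right
# password during the lockout, then the right password after it expires.
SAMPLE_EVENTS = [
    (0, "bob", False), (1, "bob", False), (2, "bob", False),
    (3, "bob", False), (4, "bob", False), (5, "bob", True),
    (1000, "bob", True),
]


def simulate(events, throttle=None):
    """Run a list of (time, user, password_ok) events through one throttle."""
    if throttle is None:
        throttle = LoginThrottle()
    return [process_attempt(throttle, user, now, ok) for now, user, ok in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

The lockout is deliberately bounded: an unbounded per-account lockout lets anyone who knows a user name deny that user service by feeding wrong passwords, so a defender pairs a short lockout with logging of the lockout events on the Identity service host.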
    <para>Bob also deploys the dashboard to manage many aspects of
      the cloud. He deploys the dashboard with HSTS to ensure that
      only HTTPS is used. He has ensured that the dashboard is
      deployed on a second-level domain due to the limitations of the
      same-origin policy. He also disables
      <option>HORIZON_IMAGES_ALLOW_UPLOAD</option> to prevent resource
      exhaustion.</para>
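Both Alice and Bob deploy the dashboard with HSTS, and Bob additionally turns off image upload. As an added example that is not part of the security guide or of Horizon itself, the following audit checks a captured set of dashboard response headers for a usable Strict-Transport-Security header and checks a settings mapping for HORIZON_IMAGES_ALLOW_UPLOAD being disabled. The minimum max-age, the assumed default of the upload setting, and the sample headers and settings are assumptions constructed for the example.

```python
"""Constructed example: audit a dashboard deployment for the two controls
named in the case study, an HSTS header on HTTPS responses and the
HORIZON_IMAGES_ALLOW_UPLOAD setting turned off.

Not OpenStack Horizon code. In a real check the headers would come from
an HTTPS response of the dashboard and the settings from local_settings.py;
here both are constructed inline.
"""

# One year; an assumed floor for a production site, not a Horizon value.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns max_age (int or None), include_subdomains and preload.
    Unrecognised directives are ignored, which is what browsers do.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_dashboard(response_headers, settings):
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []
    # Header names are case-insensitive, so normalise before the lookup.
    headers = {k.lower(): v for k, v in response_headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browsers will "
                        "still follow plain HTTP links to the dashboard")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None:
            findings.append("HSTS header has no valid max-age, so browsers ignore it")
        elif MIN_MAX_AGE > parsed["max_age"]:
            findings.append("HSTS max-age %d is shorter than the required %d"
                            % (parsed["max_age"], MIN_MAX_AGE))
        if not parsed["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains")
    # Assumption for the example: treat an unset value as upload enabled.
    if settings.get("HORIZON_IMAGES_ALLOW_UPLOAD", True):
        findings.append("HORIZON_IMAGES_ALLOW_UPLOAD is enabled: dashboard users "
                        "can push image data through the web tier")
    return findings


# Constructed samples: a hardened deployment and a weak one.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "text/html",
}
HARDENED_SETTINGS = {"HORIZON_IMAGES_ALLOW_UPLOAD": False}
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_SETTINGS = {}


if __name__ == "__main__":
    for label, h, s in (("hardened", HARDENED_HEADERS, HARDENED_SETTINGS),
                        ("weak", WEAK_HEADERS, WEAK_SETTINGS)):
        print(label, audit_dashboard(h, s) or ["ok"])
```

The header must be observed on an HTTPS response: browsers discard an HSTS header received over plain HTTP, so a check that fetches the dashboard over HTTP will report it missing even when the HTTPS virtual host sets it correctly.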
    <para>Bob decides to use VNC for his virtual console for its
      maturity and security features.</para>
  </section>
</chapter>