DescriptionMulti-tenancy is an aspect of Identity Management (IdM) where multiple parties use the same resource without learn any information about each other. The example is two rival companies who both operate servers hosted in a public cloud. Neither company should be aware of the existance of the other users presence in the web using, and they definitely should not be able to enumerate either the users or the hosts of the other company due to information leaks inside the cloud services.
The entities stored under each tenant have a relatively high likelihood of reusing the same names. User names and group names are often have a high number of names that are commonly used. For example, both companies might have someone with the user name of asmith and a group named developers. However, in the first company, asmith has a UID of 512 and developers has a GID of 2100, but in the other company asmith has a UID of 87687 and developers has a GID of 6332. Both need to exist in the IdM server and be distinguishable from the other.
IPA StatusIPA currently has a completely flat data model. All data is store in two subtrees: one for the IPA user and host database, and one for the PKI CA. The kerberos server would only server out tickets for a single domain. The Directory server has the vast majority of its data open read only available to anonymous binds. The user Admin has full control over the entire set of entites in the system.
IPA stores the data it manages inside a Directory Server (389) instance in a subtree that, by default, mirrors the hostname of the server. Thus the server ipa.example.com would store in the subtree cn=ipa,cn=example,cn=com. The layout of this subtree will be referred to as the current schema. The instance of the subtree itself will be referred to as the current baseDN.
In addition, each IPA server manages a Kerberos Realm. By default the name of the realm matches the domain name, but in all capitals. The zone example.com would have a corresponding realm EXAMPLE.COM.
Required ChangesThese are the changes necessary to the FreeIPA server to support a cloud deployment and multi-tenancy.
Directory ServerEach tenant in the cloud would get their own subtree. It would get a BaseDN of the form:cn={TENANT},cn=tenants,$suffix. This subtree would have a copy of the current schema. The initial (undeletable) suffix is used for the cloud provider. These subtrees will be referred to as tenant trees.
When performing an action in the IPA server, the user is identified by their principal, which contains the Kerberos Realm name. This can be used to distinguish which domain, and by extension, which subtree, the action should use for data. Operations are limited to the current zone. Cloud administrators will need the ability to override this in order to perform maintenance operations on the tenants.
The directory will no longer be world readable. Instead, ACIs will limit the users ability to read only the subtree in which they are enrolled. LDAP operations will require an authenticated bind.
When updating IPA, schema changes need to be applied to each of the the tenant trees.
APIEach of the RPCs need to allow an optional parameter tenant. Members of the original domain with an approapriate Permission will be able to perform operations inside the tenant specified.
BaseLDAP pluginInstead of just reading the BaseDN out of the configuration file, the base DN needs to be calculated based on the Kerberos principal of the calling user. This value should be cached in the WSGI application so that it does not always require multiple round trips to the LDAP server.
KerberosEach tenant would get its own Kerberos Realm, but each would trust the Cloud Provider's realm. The httpd/mod_auth_kerberos needs to be capable of accepting new realms. When adding a new tenant, we might need to update krb5.conf on the IPA server to know about the new realm.
DNSThe BIND DynDB back end code would need to be extended to read zone information from multiple subtrees in order to read the DNS entires in the tenant trees.
It is also possible to keep the current approach, and then add the ability to identify which users and tenants can manage and control DNS entries. The simpler solution is to modify BIND Dyn DB.
CAWe would continue to have only one CA, and have IPA submit all Certificate requests as a single Agent. The IPA server will ensure that a user can only request certificates for entities within their own subtree.
IPA-CLIENTWhen enrolling a host, the principal used to authenticate with the IPA server will determine which subtree will hold host. This involves changing the LDAP configuration information in the following client components: SSSD, nss_ldap, and Kerberos.
multitenancy-0.0.0.odt
Description: application/vnd.oasis.opendocument.text
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
