Good afternoon, welcome to the session. Can you hear me okay? I am Krishna Kumar, you can call me KK. I am from Cloud Enablers. The session today is going to be about extending Horizon for managing multiple multi-cloud environment. A brief profile about myself: I am from Cloud Enablers, one of the co-founders, and take care of operations at Cloud Enablers. So at Cloud Enablers we do cloud product development, OpenStack services and cloud migration. We also have a cloud lab where we explore OpenStack, the latest versions that keep coming in, and also the related products, and this session is about one of the tools that we developed in our cloud lab. We called it Hybrid Horizon, where Horizon can be extended to use, manage multiple clouds.
This is going to be the agenda for the session. I am sure all of you know quite a bit about Horizon; I am just going to briefly touch on what is Horizon and what do we call a multi-cloud environment, what are the typical tenets of a multi-cloud environment and what tools are available, just a sample list of them, and, if these tools are available, why should we go for a customization of Horizon. And let's say we decide to go for it, what are the typical requirements or needs that you will have to go about it, and a brief demo of the tool that we have developed and an explanation of how exactly we went about doing it, and a brief list of related OpenStack features that enable similar kind of use case. And I will definitely save some time for question answers. And a note here: I am open to share the presentation, so if you can leave your email ID or card I can send you the deck so that you can save some space in your mobile phones or tabs, and we are also open to share the code. If you are interested, after the session you can reach out to me and I can do that.
Okay, briefly about Horizon, what it is. It is the self-service portal for OpenStack. It provides you the management functions that you can do for all the OpenStack services, so by default you will have the management functions for compute, storage, network, Glance, which is images, and identity. The other services, as you add them to your OpenStack setup, you will also be able to enable to be managed from Horizon. So Horizon provides you the summary of all the resources and the states, and you will be able to perform a set of actions on these resources. And in terms of technology it is built on the Django web framework, Python, and from the Icehouse release there has been a lot of movement towards AngularJS as well.
A typical multi-cloud environment, what does it contain? On the top layer you have the users in the enterprise, and you have a need to have entitlements for these different users, where users might carry different roles, and based on the roles they have they should have different kind of access into these infrastructure. And as an indicative, so you can have one or more public cloud accounts that you have as part of your infrastructure, and you would have on-premise infrastructure where you have OpenStack or other platform private clouds in your environment. And I've also shown an option of a cloud brokerage platform which can enable you to have access through a single API and have access to multiple other cloud service providers, so that is possible as well. And once you have all this infrastructure you would want to perform a set of management functions and orchestration functions.
Let's say you want to provision your infrastructure, manage the life cycle of them, take backups, and you will want to set up your scaling rules and do your scaling and scale out. You will have to set up the security policies, do your monitoring, event management, log management, and all of those management functions have to be performed. And you would also want to do orchestration, as in doing your auto scaling, or you want to have backups set up that keep doing it, or in terms of configuration management, pushing applications into your provisioned VMs, or let's say patching the latest version of a certain application into your existing infrastructure. So that is a typical multi-cloud environment; let's take that as a use case.
So typically your Horizon sits in any one of these. Let's say this is one OpenStack setup, and your Horizon UI by default lets you connect only to the infrastructure in that cloud. So how do you enable Horizon to be able to manage all of these different infrastructure is what I'm going to talk about.
A brief look at different tools that are available in the market, let's say RightScale, Dell Cloud Manager, Scalr, ScaleXtreme, ServiceMesh. So I've also tried to give details about, let's say, what type of solutions they are: are they SaaS or a hosted solution, or do they also provide on-premise installation, or open source.
The importance of that is that, let's say, if they are a SaaS solution, enterprises might not be interested in giving all their credentials to a SaaS provider, where you will have to give away all your credentials of your infrastructure, which is the only way where you can manage those clouds. And let's say they have a limited set of stack in terms of the private cloud platforms that they support; let's say you have a different environment, a private cloud platform which is not supported by that tool, you'll not be able to extend that to it. And in terms of public clouds, again the same limitation: if they don't provide access to something you will not be able to manage that; again you'll have to go for a separate UI that the public cloud offers to manage your infrastructure.
So why would you want to customize Horizon? Simplicity, because all your DevOps, all of us, are very used to Horizon and it's a simple infrastructure. If you're able to extend the same UI and you are able to manage all your clouds, it's going to be of great value. And in terms of consolidation, you don't have to have different your data and resources into different infrastructure that you want to get into and manage. You don't have to do context switching, where these UIs, the way they are built, it is different, and different platforms you'll have to get accustomed to; you'll have to perform one action there and then go to the other UI and perform the other action there. So you can avoid all of those and have a single pane of glass, just your Horizon, to manage all of these clouds. And you would also be able to customize the UI to suit your enterprise needs, and you would be able to have security at the granular level that you can set up and have all of your users and roles managed. And OpenStack, we know that it is designed and built for extensibility, and we would very much want to use that and derive value out of it.
A brief look at what are the different components. In terms of UI components you have dashboards, panel groups, panels, you have tabs, workflows, data tables and actions that you can perform on them, and in the software repository you have the horizon base class, which is inherited by the OpenStack dashboard, which is the Horizon that you see and use. A brief display of what are the different components in the UI: you have dashboards at the top level, and you have panel groups, the different panels and the other data tables and so on. Okay.
How does the Horizon request flow work? So this is your Horizon dashboard. When the user logs in, the first thing it does is it reaches out to Keystone, gets the authentication done, the credentials are validated, and then the user gets a token and also a service catalog. The service catalog lists the different services that the user is authorized to use. So the authentication and authorization is done by identity, which is Keystone, and then once you have the token and the service catalog, now Horizon is able to reach out to any of these services, such as Nova or Glance or Swift, to get your actions performed.
Now, before we get into what was done, trying to list down what are the different requirements that you would want to satisfy. You would want to be able to manage multiple OpenStack environments, like we saw, different private clouds in the same enterprise, and you would want to manage multiple clouds whether they are private or public, even if they are from a different platform, and support multiple tenants, be able to have granular level of security, and you would want to do your own branding for your OpenStack setup. And I'll have a brief demo of the application that we had built. Okay, so let me start from the sign up.
So this is the sign in page, which is again customized, because we wanted a feature for a sign up. A tenant should be able to come in and sign up and get a login, so the sign up feature, which is not available by default, we had to include that and have our own branding on that. So if you use the sign up, you have the regular sign up process where you get an email activation, and then once you activate you'll be able to log in. Let me log into one of the accounts.
Okay, so these are the four different platforms that we started supporting: Amazon; CNext, which stands for ComputeNext, which is a cloud brokerage platform that I talked about; and HP Cloud, which is from the OpenStack platform anyway; and my OpenStack as a platform, where you can support multiple OpenStack platforms as well. So these are the platforms, and I will be able to add multiple clouds here by clicking on any of these platforms. For example, if I would like to add an OpenStack platform to my, and it has been added as another cloud. So these are the different clouds that we are able to now manage from Horizon now, and you can see that you have all of those available as dashboards. For example, each of these clouds here will have a separate dashboard here, so you can see this is the regular UI where, in terms of OpenStack, you can manage all your regular panels including the instances, volumes, images, security, network and all of that. And very similar to that you also have AWS listed as one of the dashboards, where you are able to manage the AWS instances and resources as well, and this is the dashboard for ComputeNext and HP Cloud. So you are able to get all of these as individual dashboards into the same Horizon where you can start managing it.
And the other feature is, the first person who signs up is the tenant admin by default, and he would be able to add new users and assign roles to them, and in the roles we are able to create roles and also edit the policies for
the roles. For example, these are the different policies that you can give, and you can also specify different access policies for different clouds as well. For example, in HP the user can perform only certain actions; in a different cloud, let's say the OpenStack, the user can perform a set of actions. So you will be able to set access at the granular level. Say you want to launch an instance in your AWS account, you can do it right from here. And let me also quickly show you another. This is my HP Cloud account where I am showing there is one volume. I can quickly create a volume snapshot, just as a use case. And so this is your AWS, where you can launch an instance right from here: select an availability zone, an AMI, and select one of your images and just launch an instance. Likewise, switching on to HP, I want to create a, switching here we did. So we can see that in the HP Cloud dashboard we are able to see the snapshot created, and the same thing you see here as well. Switch back to the presentation.
So what we did: we made changes to the branding. I believe everyone knows that you can go to the static files and change your logos and styles. And once you have your branding done, then we created a custom login page with a sign up feature, and we changed that as the default login page which the user will hit. I will show you a brief code snippet of how it was done, and like I said, I am also open to share the code if you are interested. And we built a custom layer that will perform the authorization, authentication and authorization. So this custom layer, it was built as a dashboard, and so that layer will talk to our own MongoDB database, which will take care of the authentication and the authorization. So all these roles and users that I showed get stored in a MongoDB database, which is performing this out and out. And so now that we have our own custom layer, we should bypass the identity service from doing the authentication and authorization, so that is what we did. So for the admin users we removed
the access to the admin dashboard, and then for the regular users we went into the project dashboard and removed authorization for all the different actions, and we added our own custom authorizations for each of those actions. So this has to be done for each platform. Again, we inherited the OpenStack dashboard, made our own changes in each of the panels and the table files, where we went in and changed the authorization, added a step to go into our own authorization before it reaches out to the services. So, let's say for AWS or CNext, for HP, we created a new dashboard and we also did an integration with the platform APIs. So for AWS you can do it with the Boto APIs, and for ComputeNext they have their own APIs that they expose, and we integrated with those platform APIs, and we registered those dashboards into the installed apps, which enabled us to do that.
And we created that manage dashboard which I just showed you, which will manage the users and roles, which will talk to our MongoDB database in the background. And we created a page which will help in switching between accounts which are from the same platform. For example, in this case, in OpenStack I have two accounts, and if the user would like to switch between those two accounts he'll be able to go for changing this account and manage that specific account. So for a given platform you would only have one dashboard, but if you go there you'll be able to switch the account and manage the different account from there.
And a few code snippets which show that. In the urls.py we added this, the page for the sign up, and you can see that the authentication, which directly goes to the OpenStack auth, we bypassed it to our own URL, and we also added one for the sign up. And this is where the default home page, which goes to the Horizon dashboard, the default home page we bypassed it and created our own, where you see all the clouds listed; we changed it there. And these are the different dashboards that we
created: one for Amazon, one for HP Cloud, one for ComputeNext and so on.
Okay, so the related features in OpenStack that enable a similar kind of a use case. Identity federation: there have been a lot of discussions around it, we even had a discussion around it in the keynotes. It enables a federation in and federation out from Keystones, so basically the Keystones from different OpenStack setups can talk to each other, so you don't necessarily have to authenticate yourself into each Keystone individually. So Keystone can be an identity provider and also a service provider, so if you log into one of these OpenStack setups you are automatically able to get your actions done in the other OpenStack setup as well. And the authorization is controlled by the respective domains, but you will still be able to authenticate yourself with the identity federation. So this is available: the federation, federated in, was available right from Icehouse, and from Kilo you are also able to federate out, which is Keystone acts as the identity provider as well.
And the cascading OpenStack is still in the blueprint stage, where you have a parent-child relationship, where you have the parent OpenStack; once you authenticate you are able to manage multiple OpenStack setups which act as children. And within that they also have this concept of, or the plan to do it is to replicate the images and also be able to collect the usages from the different individual Ceilometers and aggregate that up to the parent OpenStack. So that is in the, so some references there. So that's all I had. Any questions?
Right, we'll have to do an upgrade. So initially when we did it we did it with Icehouse, so we'll have to upgrade it to, you know, it might require a day's effort or so just to ensure it works with the new version as well. Yes, we did, but we have not done that yet. With the identity federation it kind of looks like as if the problem is solved partially, but yes, we are open to open
source it and upstream it. Yes. Yes. How do you get the Keystone, yes. No, we don't, because the authentication page itself has been changed, so it's our own custom page and that sends the authentication to our layer, so it does not go to Keystone at all. Right, so we kind of mimic that. So the authorization again is handled by the roles and the policies that we set, so once we do that our layer gives you the service catalog, which is again used for, so we kind of commented out everything that is going to Keystone and added a line or a layer that goes to our layer. So basically Keystone is bypassed. Yes, that, we again, it has to go through, let's say, AWS or ComputeNext, so that we'll have to get a token and start doing it, so that is the API integration that we have done. It is like building a connector to that platform and then we start doing the interaction. Yes, so it's done once and then, yes. Correct. Correct. Yes. Correct. Layer. Mm-hmm. Correct. I'll have to create a new dashboard, implement integration with that platform's APIs and then add it to the applications that we support. Yes. Correct. Mm-hmm. Not able to recollect any specific challenge though, but these platforms that we enabled, we are able to manage them without issues. Yes, you can. Like I said, I'm open to share the source code, so I'll get your email ID, reach out to me. And yes, right now it is not, yes, but like I said, I'm open to share it. Yes. Yes, we store that in the MongoDB that we created. Yes. Yes. Yes.
So the question is about Keystone federation alone or in terms of integrate? Okay, so with this tool the requirement for the federation is not there, because we are going to manage that authentication or authorization. But in terms of having a federation underlying this layer, we are exploring that, because Kilo, we have installed that in our OpenStack in our lab and we are exploring that. We haven't done that yet. Correct, we have not explored that yet. For the questions, the native APIs, yes, they have. So the clouds that we add, because the
user provides us the endpoint and the access details, so the same thing they can use to directly access those clouds. It is only the UI that we are providing. They would authenticate against Keystone; if they are going through the APIs they would be directly authenticating with the Keystone.
A related topic, where we are now decoupling Heat and we are able to orchestrate across multiple platforms: that is another product that our team has built, and we have a related talk about it tomorrow, so if you are interested you can attend that. And for any further questions I'll get back to you. So these are my contact details, and you can also reach out to me if you need the presentation or the code. Yes sir, this orchestration product, I have not explored it. Sure, we'll do that. Okay, there are no further questions. Thank you so much for your time.
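
Added example, not part of the talk and not Cloud Enablers' code: a minimal sketch of the per-cloud, per-action authorization step the talk describes running before a dashboard action reaches a platform connector. Because Keystone is bypassed in that design, this check is the only gate, so it denies by default and records every decision. All names, the record layout and the sample data are hypothetical; the dictionaries stand in for documents such a layer might keep in MongoDB.

```python
import functools

# Constructed sample records (hypothetical schema).
ROLES = {  # role -> cloud account id -> allowed actions ("*" = all)
    "tenant_admin": {"os-lab": {"*"}, "aws-prod": {"*"}, "hp-1": {"*"}},
    "operator": {"os-lab": {"instance:launch", "volume:snapshot"},
                 "hp-1": {"volume:snapshot"}},
}
USERS = {
    "alice": {"tenant": "t1", "roles": ["tenant_admin"]},
    "bob": {"tenant": "t1", "roles": ["operator"]},
    "mallory": {"tenant": "t2", "roles": ["tenant_admin"]},
}
CLOUDS = {  # cloud account id -> owning tenant and platform
    "os-lab": {"tenant": "t1", "platform": "openstack"},
    "aws-prod": {"tenant": "t1", "platform": "aws"},
    "hp-1": {"tenant": "t1", "platform": "hpcloud"},
}
AUDIT = []  # (user, cloud, action, allowed) for every decision


class Denied(Exception):
    """Raised when the custom layer refuses an action."""


def is_allowed(username, cloud_id, action):
    """Default-deny check: unknown user, cloud, role or action means no."""
    user, cloud = USERS.get(username), CLOUDS.get(cloud_id)
    if user is None or cloud is None:
        return False
    # Tenant isolation: a role name alone never grants access to
    # another tenant's cloud account.
    if user["tenant"] != cloud["tenant"]:
        return False
    for role in user["roles"]:
        allowed = ROLES.get(role, {}).get(cloud_id, set())
        if "*" in allowed or action in allowed:
            return True
    return False


def guarded(action):
    """Wrap a dashboard action so authorization runs before the connector."""
    def wrap(fn):
        @functools.wraps(fn)
        def inner(username, cloud_id, *args, **kwargs):
            ok = is_allowed(username, cloud_id, action)
            AUDIT.append((username, cloud_id, action, ok))
            if not ok:
                raise Denied(f"{username} may not {action} on {cloud_id}")
            return fn(username, cloud_id, *args, **kwargs)
        return inner
    return wrap


@guarded("instance:launch")
def launch_instance(username, cloud_id, image):
    # Stand-in for the platform connector call (Boto, ComputeNext API, ...).
    return f"launched {image} on {cloud_id}"
```
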