Good afternoon, and welcome to Superuser TV. First of all, thank you to the two of you for taking the time out of your busy days to come and talk to us. Would you just take a minute and tell us who you are and what you do?
So my name is Tim Bell, and I'm the computer infrastructure manager at CERN, the home of the Large Hadron Collider.
I'm Dolph Mathews. I'm a principal engineer at Rackspace, and I've been working on OpenStack Identity for close to five years now.
All right, excellent. Thank you. So today we're going to talk about federation, OpenStack federation, specifically identity federation. So Dolph, why don't we start with you? What is federation in general, and again in particular, identity federation?
So there's a lot of different kinds of federation, resource federation and identity federation, but it's generally some sort of sharing of something across clouds, in our context identity. So, for example, one cloud can serve as your identity provider cloud, and another cloud can consume the identities from that cloud without actually having to authenticate against... have it actually share authentication information. You just actually federate identities across. So you have a single source of truth, management is centralized, and it kind of makes the whole world scale.
That's a great technical explanation. Thank you. So Tim, from the user perspective, why is that important for you?
So an organization like CERN is a worldwide collaboration. There are hundreds of labs and universities that use the facilities at CERN to understand the universe and how it works. So that means we've got about 11,000 users, around 200 people leaving and arriving every month, and managing and tracking all of that at a central source is just not possible. We can't know when someone leaves a university or when they start. So we do not want them to be able to use resources outside of the period where their universities are collaborating. So something like identity federation, where CERN doesn't own that identity, but instead it is the institute with which the employment conditions are established, is a very powerful model for us.
That's wonderful. So now that federation has been out there in the wild for some time, you've just talked about one use case. Are there other particular use cases out there?
So one example of a project that we're working on at the moment, INDIGO-DataCloud, is an EU-sponsored activity with 26 laboratories, and setting up access to CERN's facilities for testing was able to be done using the identity federation of the cloud. Had we had to do a special solution, then potentially we could lose valuable time as part of that collaboration, rather than getting on solving the problems of the project. So we use the OpenStack identity federation in order to establish the network of trust.
So what kind of challenges have you found when trying to federate across multiple OpenStack clouds?
So there's all kinds of maintenance challenges and operator challenges. In my book, being a developer, it's still early technology. We still have a lot to do in terms of easing the operator experience and making the end user experience a lot smoother. So all the way through the command line clients.
We have a lot of work to do. Horizon, we still have a lot of work to do. We want to make it easier for operators and actually end users to set up their own federations, you know, in Horizon. So: here's my certificates, trust my identity provider. And, you know, I could have some public cloud trusting my private IdP, and I'm really excited about it.
And from our side, what we find is that when we establish that identity federation, it's actually only part of the problem. After that you get into the questions of policy. Okay, you are authenticated, you are who you say you are, but maybe CERN does not want to trust the Google identity as highly as, for example, an authorized university. Should people have to sign computing rule policies? Are they allowed to earn resources? This kind of policy question comes along with the technical implementations for a federation such as the CERN.
How did you wind up solving that?
So a lot of it is a question of discussing, establishing a workflow, so that before people are added and given roles within the organization, they go through an approval and a validation process, along with the process under which we can go back to their organization and say, excuse me, there's been a problem, can we work out how to resolve this?
And I think that's the policy side that shouldn't be ignored, along with the technical implementations.
So are there other particular lessons learned that other people should keep in mind when they're trying to set this up?
So I think the other aspect of it is a question of trying to make things so it's relatively user friendly. It can be quite daunting for an average user to understand what is federation. So therefore it's important you give people things like sticky log-on screens, so they don't have to go back and search through 200 organizations each time you want to log in. And finding a place that the end user experience is one that can be done without documentation has certainly been an interesting part of the activity.
So what else is OpenStack doing to make cloud federation easier?
At this summit we're actually working on shadow users, kind of first and foremost. Shadow users will enable us to treat federated users as if they're local, and so we can manage authorization locally within the consuming cloud, just as if you were a local user stored in SQL or perhaps LDAP or whatever. And so it's actually going to unify our authentication and authorization model across OpenStack and simplify a lot of code paths that right now are very complicated. So we're hoping to gain some stability out of that as well.
Is there anything else either of you want to add?
So one of the aspects that we've really appreciated has been the OpenStack combined client, which has really helped us to provide a very consistent experience for the end user and also include support for Keystone v3, which needs to be done for federation. So I think the work that's being done there on the upstream unification of those functions is really helpful, because it also brings online federation as part of that as an automatic plug-in.
Excellent. So, great, Keystone v3. Well, thank you both very much, and I appreciate your time, and we hope you enjoy the rest of the summit.
Thank you.