Domain-Level Trusts

Registered by Bo Tang

Similar to the concept of an account in Amazon AWS, a domain is a concept introduced to provide an administrative boundary for users, groups, and projects (AWS does not currently support projects). Domains are already supported in Keystone v3 and are going to be a critical feature in OpenStack. Domains are like rooms in a big house, the house being the OpenStack installation. Currently we are building walls between domains, but we also need doors or windows for cross-domain access, and those of course must be secure. We propose domain-level trusts, comparable to trusts between accounts in AWS, in order to enable secure cross-domain access control.

Domain-level trusts are defined by domain admins, and the domain admin role is itself an important component of this blueprint. Both the trustor and the trustee of a trust relation are domains that are willing to share their own resources (users, groups, or projects) in the direction specified by the trust relation. Unlike user-level trusts, which focus on delegation from one user to another, domain-level trusts extend the scope of trust to whole domains. More importantly, the management of collaborative access is more centralized and remains under the control of the domain admin. In this way, collaboration between domains is enabled flexibly and securely.

A use case is out-sourcing. For example, the owner of domain A wants to out-source part of the development to a company that owns domain B in the same cloud (or in federated clouds). If A trusts B, then A can see B's users and assign them roles on A's projects, so that B's users are authorized to access A's projects under A's control. Various other types of trust relation between domains [1] can also be implemented. Adding B's users to A as new or temporary users would be another solution, but user management would then become increasingly complicated.
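
The trust direction and the out-sourcing use case described above, as an added example that is not part of this blueprint or of Keystone's code: a small Python model in which Cloud, Trust, TrustError, the domain_admin flag, the domains A and B, the users alice, bob and carol, and the projects a-dev and b-internal are all hypothetical names and constructed sample data. It shows the properties the proposal relies on: only the trustor's own admin can open a trust, the trust is one-way, role assignment on a project stays with that project's domain admin, and revoking the trust withdraws the access it enabled.

```python
"""Toy model of the proposed domain-level trusts. Added example, not Keystone code:
Cloud/Trust/TrustError and the domains A and B, users and projects are hypothetical."""
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    domain: str
    domain_admin: bool = False

@dataclass(frozen=True)
class Project:
    name: str
    domain: str

@dataclass(frozen=True)
class Trust:  # directed: the trustor opens its projects to the trustee's users
    trustor: str
    trustee: str

class TrustError(PermissionError):
    """An action would cross a domain boundary that no trust relation opens."""

class Cloud:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.projects: dict[str, Project] = {}
        self.trusts: set[Trust] = set()
        self.assignments: set[tuple[str, str, str]] = set()  # (user, project, role)

    @staticmethod
    def _require_admin(actor: User, domain: str) -> None:
        if not (actor.domain_admin and actor.domain == domain):
            raise PermissionError(f"{actor.name} is not an admin of domain {domain}")

    def create_trust(self, actor: User, trustor: str, trustee: str) -> None:
        self._require_admin(actor, trustor)  # only the trustor's admin opens the trustor
        if trustor == trustee:
            raise ValueError("a domain needs no trust to itself")
        self.trusts.add(Trust(trustor, trustee))

    def revoke_trust(self, actor: User, trustor: str, trustee: str) -> int:
        # Revocation also drops the cross-domain assignments the trust enabled, so the
        # trustee's users lose access at once; returns how many were dropped.
        self._require_admin(actor, trustor)
        self.trusts.discard(Trust(trustor, trustee))
        stale = {a for a in self.assignments if self.projects[a[1]].domain == trustor
                 and self.users[a[0]].domain == trustee}
        self.assignments -= stale
        return len(stale)

    def trusted_domains(self, domain: str) -> set[str]:
        # Domains whose users may be placed in `domain`'s projects: itself plus its trustees.
        return {domain} | {t.trustee for t in self.trusts if t.trustor == domain}

    def visible_users(self, actor: User) -> set[str]:
        # A domain admin sees the users of their own domain and of every trustee domain.
        self._require_admin(actor, actor.domain)
        allowed = self.trusted_domains(actor.domain)
        return {u.name for u in self.users.values() if u.domain in allowed}

    def assign_role(self, actor: User, user_name: str, project_name: str, role: str) -> None:
        project = self.projects[project_name]
        self._require_admin(actor, project.domain)  # the project's owner stays in control
        user = self.users[user_name]
        if user.domain not in self.trusted_domains(project.domain):
            raise TrustError(f"domain {project.domain} does not trust domain {user.domain}")
        self.assignments.add((user_name, project_name, role))

    def authorize(self, user_name: str, project_name: str, role: str) -> bool:
        # The trust is re-checked at access time, not only when the role was assigned.
        user, project = self.users[user_name], self.projects[project_name]
        return ((user_name, project_name, role) in self.assignments
                and user.domain in self.trusted_domains(project.domain))

def _outcome(fn, *args) -> str:
    """'ok' if the action succeeds, else the name of the exception it raises."""
    try:
        fn(*args)
        return "ok"
    except Exception as exc:
        return type(exc).__name__

def run_outsourcing_scenario() -> dict[str, object]:
    """Domain A out-sources part of project a-dev to domain B (constructed sample data)."""
    cloud = Cloud()
    alice, bob, carol = User("alice", "A", True), User("bob", "B", True), User("carol", "B")
    cloud.users = {u.name: u for u in (alice, bob, carol)}
    cloud.projects = {p.name: p for p in (Project("a-dev", "A"), Project("b-internal", "B"))}
    r: dict[str, object] = {}
    r["before_trust"] = _outcome(cloud.assign_role, alice, "carol", "a-dev", "developer")
    r["bob_opens_A"] = _outcome(cloud.create_trust, bob, "A", "B")  # bob is not A's admin
    cloud.create_trust(alice, "A", "B")  # A trusts B
    r["alice_sees"] = cloud.visible_users(alice)
    r["bob_sees"] = cloud.visible_users(bob)  # the trust is one-way: B sees nothing of A
    r["after_trust"] = _outcome(cloud.assign_role, alice, "carol", "a-dev", "developer")
    r["carol_on_a_dev"] = cloud.authorize("carol", "a-dev", "developer")
    r["bob_assigns_in_A"] = _outcome(cloud.assign_role, bob, "carol", "a-dev", "admin")
    r["reverse_direction"] = _outcome(cloud.assign_role, bob, "alice", "b-internal", "developer")
    r["dropped_on_revoke"] = cloud.revoke_trust(alice, "A", "B")
    r["carol_after_revoke"] = cloud.authorize("carol", "a-dev", "developer")
    return r
```

Two design choices in this model carry the security point of the proposal: the trust check is repeated in authorize rather than trusted from assignment time alone, and revoke_trust removes the cross-domain assignments itself, so an out-sourced developer's access does not outlive the relationship that granted it.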

References:
[1] Bo Tang and Ravi Sandhu. Cross-Tenant Trust Models in Cloud Computing. In Proceedings of the 14th IEEE Conference on Information Reuse and Integration (IRI), San Francisco, California, August 14-16, 2013, pages 129-136.
[2] J. M. A. Calero, N. Edwards, J. Kirschnick, L. Wilcock, and M. Wray. Towards a Multi-tenancy Authorization System for Cloud Services. IEEE Security and Privacy, 8(6):48-55, Nov/Dec 2010.

Blueprint information

Status: Complete
Approver: None
Priority: Not
Drafter: None
Direction: Needs approval
Assignee: Bo Tang
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Morgan Fainberg
