April 17, 2014 | Written by: Brad Topol
This month we reach another outstanding milestone for open cloud standards as we celebrate the latest release of OpenStack: Icehouse.
The OpenStack ecosystem continues to experience explosive growth. In the previous release of OpenStack we had approximately 850 contributors. In Icehouse, the number of contributors more than doubled to over 2,100. Likewise, IBM remains committed to the success of OpenStack and has increased its contributions over previous releases, from 86 in the Havana release to 107 in Icehouse. I take great pride in saying that IBM had a large number of contributions that were focused on improving the OpenStack ecosystem for the benefit of the whole OpenStack community and accelerating its growth. I’m excited to have the opportunity to present an early preview of these key contributions to this latest release.
A long-desired feature for OpenStack’s Keystone project has been Federated Identity support, so that users who exist on an external Identity Provider can interact with OpenStack. In the latest release of OpenStack, IBM contributors collaborated with contributors from Rackspace, CERN, University of Kent, and Red Hat to deliver an initial implementation of Federated Identity support. The new Federated Identity extension allows OpenStack to consume SAML assertions from identity providers, and allows federated attributes to be mapped into OpenStack group-based role assignments.
With these features, customers can now leverage the federated identity capabilities they rely on in the enterprise to support seamless integration with their OpenStack environments.
Also in support of enhanced security, a critical feature of any cloud infrastructure is the ability to provide auditing capabilities for compliance with security, operational and business processes. IBM contributors have been adding cloud auditing functionality to OpenStack projects to support API and security auditing using the DMTF Cloud Auditing Data Federation (CADF) standard. In the Icehouse release, IBM contributors delivered to the Oslo project a new version of the pyCADF library, which is the Python implementation of this audit specification. Additionally, the pyCADF library grew to audit more API events in Nova, and work began on auditing events beyond Nova, including Keystone, Neutron, and Glance events. OpenStack auditing support that is aligned with an industry standard translates to reuse of common cloud audit tooling as well as interoperability that enables cloud audit data to be more easily federated and combined across multiple cloud infrastructures.
For the widely popular Heat project for orchestration, contributors from IBM helped to shape the HOT software orchestration format as a major new feature for this project. They also contributed to the overall stabilization of the new HOT format by refactoring and cleaning up the Heat engine code for template validation. In addition, IBM contributors collaborated with Heat core contributors to lead an effort to align the OASIS TOSCA standard for orchestration with OpenStack’s HOT orchestration work. This work resulted in the drafting and publishing of the TOSCA Simple Profile in YAML v1.0 and serves as an excellent example of how the feedback and expertise of hands-on OpenStack developers can dramatically improve the applicability and usefulness of a standards effort. This alignment effort has also enabled IBM contributors to create TOSCA-YAML-to-HOT translation tools that are now available as a StackForge project, and these will serve to funnel new workloads from the TOSCA community to Heat. These new workloads will help to grow the HOT ecosystem and will also help to unify these two orchestration communities.
In the area of quality assurance, IBM has continued to make significant contributions to the OpenStack integration test suite (Tempest). For this release, IBM contributors added a unit test suite to Tempest, because this project has reached a level of complexity at which unit testing provides real value in both identifying bugs and protecting against regressions. IBM contributors also worked directly with the Neutron team to bring the scale of Neutron testing up to the same level as most of the other integrated OpenStack projects, adding tenant isolation support so that tests for Neutron can be run in parallel.
The contributions I reviewed here are just a small sample of the innovations that have been added to OpenStack by IBM in the Icehouse release. It’s important to note that there are many other outstanding contributions in this release by active contributors from other companies. Please join us at the next OpenStack Summit in Atlanta, May 12-16, for a much broader view of the advances and improvements in the latest version of OpenStack. I look forward to seeing you in Atlanta!
The following video demonstrates how the CADF auditing support added in the Icehouse OpenStack release by IBM can be leveraged by tools such as IBM QRadar for security threat analysis and reporting.