openstack team mailing list archive
Message #23685
Re: AuthN/AuthZ
*bump*
Here's the tl;dr version:
- How have other folks handled integration of OpenStack with existing
authN/authZ infrastructures? I'm particularly interested in the automatic
mapping of existing LDAP groups to roles/tenants within openstack.
- Are there plans to add support for the auth plugins to the *client
modules and CLI tools going forward? I'd be interested in contributing this
if it's on the roadmap and hasn't been done yet.
- Are there plans to add support for auth plugins/external auth to
Horizon? As above, I'm interested in implementing this if there's interest.
- I see vague references in the documentation/*client code to using
certificates for authentication (without the need for httpd external
authentication) which would also eliminate the
credentials-in-environment-variables issue. Is using PKI for authentication
going to be supported? If so what's the status?
Am I perhaps posting this to the wrong list? I didn't get any replies from
my original post.
Thanks!
-Aaron
On Tue, May 7, 2013 at 1:52 PM, Aaron Knister <aaron.knister@xxxxxxxxx> wrote:
> Hi Everyone,
>
> I'm looking for feedback and input about what other sites are doing for
> authentication and authorization with OpenStack.
>
> First, some background:
>
> I'm currently evaluating OpenStack (Grizzly), specifically working on
> integration with Active Directory. I'm unable to modify the schema to allow
> groupOfNames as a SUP of organizationalRole so I've implemented a
> workaround using openldap and several of its overlay backends to sit in
> front of AD. That all works just fine, however I really would like to be
> able to map AD groups to roles/tenants. I suspect I'll end up writing some
> code to do this-- shouldn't be too hard.
>
> Also on the subject of Active Directory, it's a show stopper for me to put
> un-encrypted AD credentials in environment variables to then pass to the
> various openstack CLI progs. My ideal workaround would be to use Kerberos
> authentication which I actually have working. I setup keystone to run under
> apache based on this documentation with some tweaks here and there:
>
> http://docs.openstack.org/developer/keystone/external-auth.html
>
> I created an openstack client auth plugin (based on the VOMS auth plugin)
> using requests_kerberos and this works well with the nova client, however
> none of the other client tools, including horizon, seem to support
> authentication plugins or the external authentication concept in general.
>
> So, here are my questions:
>
> - How have other folks handled integration of OpenStack with existing
> authN/authZ infrastructures? I'm particularly interested in the automatic
> mapping of existing LDAP groups to roles/tenants within openstack.
> - Are there plans to add support for the auth plugins to the *client
> modules and CLI tools going forward? I'd be interested in contributing this
> if it's on the roadmap and hasn't been done yet.
> - Are there plans to add support for auth plugins/external auth to
> Horizon? As above, I'm interested in implementing this if there's interest.
> - I see vague references in the documentation/*client code to using
> certificates for authentication (without the need for httpd external
> authentication) which would also eliminate the
> credentials-in-environment-variables issue. Is using PKI for authentication
> going to be supported? If so what's the status?
>
> Thanks in advance!
>
> -Aaron
>
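The group-to-role mapping the post asks about is the kind of glue a site ends up writing itself. The block below is an added example, not code from the post, from Keystone, or from any OpenStack client; the directory entries, the group names and the GROUP_ROLE_MAP policy are all constructed for illustration. It shows the two pieces that matter for doing this safely: resolving AD group membership transitively (nested groups, with a cycle guard, and DN comparison that tolerates AD's case and whitespace variations), and reconciling the resulting (tenant, role) set against what Keystone currently holds so that removal from an AD group also revokes the role rather than only ever granting.

```python
# Added example: derive OpenStack (tenant, role) assignments from AD/LDAP
# group membership and compute the grants/revokes needed to reconcile them.
# All directory data and the policy table below are constructed, not real.
import re
from collections import deque

# Constructed group entries: group DN -> list of member DNs (users or groups).
GROUPS = {
    "CN=cloud-admins,OU=groups,DC=example,DC=org": [
        "CN=Alice Admin,OU=people,DC=example,DC=org",
    ],
    "CN=hpc-users,OU=groups,DC=example,DC=org": [
        "CN=Bob Builder,OU=people,DC=example,DC=org",
        "CN=hpc-staff,OU=groups,DC=example,DC=org",  # nested group
    ],
    "CN=hpc-staff,OU=groups,DC=example,DC=org": [
        "CN=Alice Admin,OU=people,DC=example,DC=org",
    ],
}

# Hypothetical site policy: AD group -> list of (tenant, role) it confers.
GROUP_ROLE_MAP = {
    "cn=cloud-admins,ou=groups,dc=example,dc=org": [("admin", "admin")],
    "cn=hpc-users,ou=groups,dc=example,dc=org": [("hpc", "Member")],
}

# Split a DN on commas that are not escaped with a backslash.
_DN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Canonical form for comparison. AD DNs are case-insensitive and
    often arrive with whitespace around the RDN separators, so naive
    string equality silently misses memberships."""
    parts = []
    for rdn in _DN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(parts)


def build_membership(groups):
    """Invert group -> members into member -> set of groups (normalized)."""
    member_of = {}
    for group_dn, members in groups.items():
        g = normalize_dn(group_dn)
        for m in members:
            member_of.setdefault(normalize_dn(m), set()).add(g)
    return member_of


def effective_groups(user_dn, member_of):
    """Transitive closure over nested groups. The visited set guards
    against a membership cycle in the directory looping forever."""
    seen = set()
    queue = deque([normalize_dn(user_dn)])
    while queue:
        dn = queue.popleft()
        for g in member_of.get(dn, ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def desired_assignments(user_dn, groups=GROUPS, role_map=GROUP_ROLE_MAP):
    """The set of (tenant, role) a user should hold under the policy."""
    norm_map = {normalize_dn(k): v for k, v in role_map.items()}
    member_of = build_membership(groups)
    wanted = set()
    for g in effective_groups(user_dn, member_of):
        wanted.update(norm_map.get(g, ()))
    return wanted


def plan_sync(desired, current):
    """Idempotent reconciliation against what Keystone currently holds.
    The revoke half is the security-relevant one: a user dropped from an
    AD group must lose the role, not merely stop being re-granted it."""
    return {"grant": sorted(desired - current),
            "revoke": sorted(current - desired)}


if __name__ == "__main__":
    alice = "cn=alice admin, ou=people, dc=example, dc=org"
    want = desired_assignments(alice)
    have = {("hpc", "Member"), ("legacy", "Member")}  # constructed Keystone state
    print(sorted(want))
    print(plan_sync(want, have))
```

In a real sync job the GROUPS table would come from an LDAP search (memberOf or member attributes) and the `current` set from Keystone's role-assignment listing, with the grant/revoke lists applied through the admin API; the example keeps both in memory so it runs offline.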