
openstack team mailing list archive

Re: AuthN/AuthZ


Run Keystone in Apache HTTPD, use Kerberos and the LDAP backend to talk to AD.


On 05/14/2013 06:11 PM, Aaron Knister wrote:
*bump*

Here's the tl;dr version:

- How have other folks handled integration of OpenStack with existing authN/authZ infrastructures? I'm particularly interested in the automatic mapping of existing LDAP groups to roles/tenants within openstack.
- Are there plans to add support for the auth plugins to the *client modules and CLI tools going forward? I'd be interested in contributing this if it's on the roadmap and hasn't been done yet.
- Are there plans to add support for auth plugins/external auth to Horizon? As above, I'm interested in implementing this if there's interest.
- I see vague references in the documentation/*client code to using certificates for authentication (without the need for httpd external authentication) which would also eliminate the credentials-in-environment-variables issue. Is using PKI for authentication going to be supported? If so what's the status?

Am I perhaps posting this to the wrong list? I didn't get any replies from my original post.

Thanks!

-Aaron



On Tue, May 7, 2013 at 1:52 PM, Aaron Knister <aaron.knister@xxxxxxxxx> wrote:

    Hi Everyone,

    I'm looking for feedback and input about what other sites are
    doing for authentication and authorization with OpenStack.

    First, some background:

    I'm currently evaluating OpenStack (Grizzly), specifically working
    on integration with Active Directory. I'm unable to modify the
    schema to allow groupOfNames as a SUP of organizationalRole so
    I've implemented a workaround using openldap and several of its
    overlays backends to sit in front of AD. That all works just fine,
    however I really would like to be able to map AD groups to
    roles/tenants. I suspect I'll end up writing some code to do
    this-- shouldn't be too hard.

    Also on the subject of Active Directory, it's a show stopper for
    me to put un-encrypted AD credentials in environment variables to
    then pass to the various openstack CLI progs. My ideal workaround
    would be to use Kerberos authentication which I actually have
    working. I setup keystone to run under apache based on this
    documentation with some tweaks here and there:

    http://docs.openstack.org/developer/keystone/external-auth.html

    I created an openstack client auth plugin (based on the VOMS auth
    plugin) using requests_kerberos and this works well with the nova
    client, however none of the other client tools, including horizon,
    seem to support authentication plugins or the external
    authentication concept in general.

    So, here are my questions:

    - How have other folks handled integration of OpenStack with
    existing authN/authZ infrastructures? I'm particularly interested
    in the automatic mapping of existing LDAP groups to roles/tenants
    within openstack.
    - Are there plans to add support for the auth plugins to the
    *client modules and CLI tools going forward? I'd be interested in
    contributing this if it's on the roadmap and hasn't been done yet.
    - Are there plans to add support for auth plugins/external auth
    to Horizon? As above, I'm interested in implementing this if
    there's interest.
    - I see vague references in the documentation/*client code to
    using certificates for authentication (without the need for httpd
    external authentication) which would also eliminate the
    credentials-in-environment-variables issue. Is using PKI for
    authentication going to be supported? If so what's the status?

    Thanks in advance!

    -Aaron
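The thread asks how to map existing LDAP/AD groups to OpenStack roles and tenants automatically, on top of Keystone running under Apache with Kerberos supplying the user identity. The following is an added, self-contained sketch of that mapping step; it is not code from the thread, from Keystone, or from any OpenStack client. It assumes a constructed group-to-(tenant, role) table, a constructed `memberOf` list as Keystone's LDAP backend or a directory query would return it, and a Kerberos principal of the form `user@REALM` as mod_auth_kerb would place in `REMOTE_USER`. The "current assignments" set stands in for whatever the real Keystone API reports; the script only computes the grant/revoke plan and makes no API calls.

```python
"""Added example: derive OpenStack role assignments from AD/LDAP group
membership and compute an idempotent grant/revoke plan.

Assumptions (constructed for this example, not from the thread):
  - group DNs, tenant and role names below are made up,
  - principal_to_user() models REMOTE_USER from a Kerberos module,
  - plan_sync() is given the current assignments; a real sync would fetch
    them from Keystone and apply the plan through the API.
"""
import re
from typing import Iterable, Optional, Set, Tuple

Assignment = Tuple[str, str]  # (tenant, role)


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so AD's mixed case and spacing compare equal.

    Splits on unescaped commas, lower-cases attribute types and values,
    and strips whitespace around '=' and ','. AD treats DNs
    case-insensitively, so lower-casing values is safe for comparison.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, _, value = part.partition("=")
        rdns.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


# Constructed mapping: LDAP group DN -> (tenant, role). Keys are normalised
# once so lookups are insensitive to how the directory formats the DN.
GROUP_ROLE_MAP = {
    normalize_dn(k): v
    for k, v in {
        "CN=Cloud-Admins,OU=Groups,DC=example,DC=com": ("admin", "admin"),
        "CN=Project-Alpha,OU=Groups,DC=example,DC=com": ("alpha", "Member"),
        "CN=Project-Beta,OU=Groups,DC=example,DC=com": ("beta", "Member"),
    }.items()
}


def principal_to_user(remote_user: str, expected_realm: str) -> Optional[str]:
    """Map a Kerberos principal 'user@REALM' to a local user name.

    Returns None when the realm is not the one we trust, so an identity
    asserted by a foreign realm never silently becomes a local account.
    """
    user, sep, realm = remote_user.partition("@")
    if not sep or not user or realm.upper() != expected_realm.upper():
        return None
    return user


def desired_assignments(member_of: Iterable[str]) -> Set[Assignment]:
    """Translate a user's group memberships into the assignments they imply.

    Groups without a mapping entry are ignored on purpose: only groups an
    administrator explicitly listed grant anything in OpenStack.
    """
    wanted: Set[Assignment] = set()
    for group_dn in member_of:
        hit = GROUP_ROLE_MAP.get(normalize_dn(group_dn))
        if hit is not None:
            wanted.add(hit)
    return wanted


def plan_sync(desired: Set[Assignment], current: Set[Assignment]):
    """Return (grants, revokes) needed to move `current` to `desired`.

    Revoking what the directory no longer implies is what makes the
    mapping authoritative; a grant-only sync would leave stale access.
    """
    grants = sorted(desired - current)
    revokes = sorted(current - desired)
    return grants, revokes


if __name__ == "__main__":
    # Constructed sample input: what REMOTE_USER and memberOf might look like.
    user = principal_to_user("aaron@EXAMPLE.COM", "EXAMPLE.COM")
    groups = [
        "CN=Cloud-Admins, OU=Groups, DC=example, DC=com",
        "CN=Project-Alpha,OU=Groups,DC=example,DC=com",
        "CN=Staff,OU=Groups,DC=example,DC=com",  # unmapped, ignored
    ]
    current = {("alpha", "Member"), ("beta", "Member")}  # constructed
    grants, revokes = plan_sync(desired_assignments(groups), current)
    print(user, "grant:", grants, "revoke:", revokes)
```

The revoke half of the plan is the part worth keeping even if the rest is replaced by a real Keystone client call: a sync that only adds roles lets access outlive the group membership that justified it.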





