
openstack team mailing list archive

Re: AuthN/AuthZ


On 05/16/2013 11:29 AM, Aaron Knister wrote:
Thanks Adam. I was able to get that far after a *lot* of headache. AD's typical schema doesn't map to what OpenStack is expecting, particularly as far as the domain_id attribute is concerned.

Sorry about that. I am not too fond of our Domain_id thing either, and working to rectify:



When running Keystone under Apache HTTPD how does one use horizon?

No change. You can report ports other than 5000/35357 for Keystone's service catalog if you want to have Keystone serve on 443. Or, you can have apache listen on the usual keystone ports. You will want Keystone on a separate machine from Horizon.



On Wed, May 15, 2013 at 3:57 PM, Adam Young <ayoung@xxxxxxxxxx <mailto:ayoung@xxxxxxxxxx>> wrote:

    Run Keystone in Apache HTTPD, use Kerberos and the LDAP backend to
    talk to AD.



    On 05/14/2013 06:11 PM, Aaron Knister wrote:
    *bump*

    Here's the tl;dr version:

    - How have other folks handled integration of OpenStack with
    existing authN/authZ infrastructures? I'm particularly interested
    in the automatic mapping of existing LDAP groups to roles/tenants
    within openstack.
    - Are there plans to add support for the auth plugins to the
    *client modules and CLI tools going forward? I'd be interested in
    contributing this if it's on the roadmap and hasn't been done yet.
    - Are there plans to add support for auth plugins/external auth
    to Horizon? As above, I'm interested in implementing this if
    there's interest.
    - I see vague references in the documentation/*client code to
    using certificates for authentication (without the need for httpd
    external authentication) which would also eliminate the
    credentials-in-environment-variables issue. Is using PKI for
    authentication going to be supported? If so what's the status?

    Am I perhaps posting this to the wrong list? I didn't get any
    replies from my original post.

    Thanks!

    -Aaron



    On Tue, May 7, 2013 at 1:52 PM, Aaron Knister
    <aaron.knister@xxxxxxxxx <mailto:aaron.knister@xxxxxxxxx>> wrote:

        Hi Everyone,

        I'm looking for feedback and input about what other sites are
        doing for authentication and authorization with OpenStack.

        First, some background:

        I'm currently evaluating OpenStack (Grizzly), specifically
        working on integration with Active Directory. I'm unable to
        modify the schema to allow groupOfNames as a SUP of
        organizationalRole so I've implemented a workaround using
        openldap and several of its overlays backends to sit in front
        of AD. That all works just fine, however I really would like
        to be able to map AD groups to roles/tenants. I suspect I'll
        end up writing some code to do this-- shouldn't be too hard.

        Also on the subject of Active Directory, it's a show stopper
        for me to put un-encrypted AD credentials in environment
        variables to then pass to the various openstack CLI progs. My
        ideal workaround would be to use Kerberos authentication
        which I actually have working. I setup keystone to run under
        apache based on this documentation with some tweaks here and
        there:

        http://docs.openstack.org/developer/keystone/external-auth.html

        I created an openstack client auth plugin (based on the VOMS
        auth plugin) using requests_kerberos and this works well with
        the nova client, however none of the other client tools,
        including horizon, seem to support authentication plugins or
        the external authentication concept in general.

        So, here are my questions:

        - How have other folks handled integration of OpenStack with
        existing authN/authZ infrastructures? I'm particularly
        interested in the automatic mapping of existing LDAP groups
        to roles/tenants within openstack.
        - Are there plans to add support for the auth plugins to the
        *client modules and CLI tools going forward? I'd be
        interested in contributing this if it's on the roadmap and
        hasn't been done yet.
        - Are there plans to add support for auth plugins/external auth
        to Horizon? As above, I'm interested in implementing this
        if there's interest.
        - I see vague references in the documentation/*client code to
        using certificates for authentication (without the need for
        httpd external authentication) which would also eliminate the
        credentials-in-environment-variables issue. Is using PKI for
        authentication going to be supported? If so what's the status?

        Thanks in advance!

        -Aaron




    _______________________________________________
    Mailing list: https://launchpad.net/~openstack
    Post to     : openstack@xxxxxxxxxxxxxxxxxxx
    Unsubscribe : https://launchpad.net/~openstack
    More help   : https://help.launchpad.net/ListHelp


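The two things the thread circles around, mapping existing AD groups to OpenStack tenants/roles and taking the user identity from the Kerberos principal that Apache hands Keystone as REMOTE_USER, as an added example. This is not code from the thread, from Keystone or from any keystoneclient plugin; GROUP_MAP, the group DNs, tenant and role names, the CORP.EXAMPLE.COM realm and the SAMPLE_ENTRY user are all constructed assumptions, and the functions are hypothetical helpers of the kind a sync script would carry. It goes a little beyond the question by also computing the revokes, since a mapping that only ever grants never reflects removal from an AD group.

```python
"""Added example, not code from this thread or from Keystone: turn an
Active Directory user's group memberships into OpenStack tenant/role
assignments, and take the user name from the Kerberos principal that
Apache (mod_auth_kerb) hands to Keystone as REMOTE_USER. Every DN,
tenant, role and realm here is constructed for illustration."""

import re
from collections import defaultdict

# Constructed policy: AD group DN -> (tenant, role). Anything not listed
# grants nothing, so a new AD group cannot confer access by accident.
GROUP_MAP = {
    "CN=cloud-admins,OU=Groups,DC=corp,DC=example,DC=com": ("admin", "admin"),
    "CN=hpc-users,OU=Groups,DC=corp,DC=example,DC=com": ("hpc", "Member"),
    "CN=hpc-ops,OU=Groups,DC=corp,DC=example,DC=com": ("hpc", "admin"),
}

# Kerberos realms whose principals may be mapped onto local accounts (assumed).
TRUSTED_REALMS = {"CORP.EXAMPLE.COM"}

# Split a DN on commas that are not backslash-escaped (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Canonical form for comparing DNs: attribute types are
    case-insensitive and whitespace around RDN separators is not
    significant, so 'cn=x, ou=Y' and 'CN=x,OU=Y' must compare equal.
    Values keep their case; AD matches them case-insensitively, but an
    exact-value match is the safer default for an authorization lookup."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        parts.append("%s=%s" % (attr.strip().lower(), value.strip()))
    return ",".join(parts)


def realm_trusted(remote_user, trusted_realms=TRUSTED_REALMS):
    """True only for 'user@REALM' with REALM in the trusted set."""
    if not remote_user or "@" not in remote_user:
        return False
    realm = remote_user.rsplit("@", 1)[1]
    return realm.upper() in trusted_realms


def principal_to_username(remote_user, trusted_realms=TRUSTED_REALMS):
    """REMOTE_USER arrives as 'aknister@CORP.EXAMPLE.COM'. The realm is
    stripped so the name matches sAMAccountName, but only for trusted
    realms: a cross-realm principal 'aknister@OTHER.EXAMPLE.COM' must not
    collapse onto the local 'aknister'."""
    if not realm_trusted(remote_user, trusted_realms):
        raise ValueError("REMOTE_USER %r is not from a trusted realm" % remote_user)
    return remote_user.rsplit("@", 1)[0].lower()


def assignments_for(member_of, group_map=GROUP_MAP):
    """Map a user's memberOf values to {tenant: set(roles)}."""
    normalized = dict((normalize_dn(k), v) for k, v in group_map.items())
    result = defaultdict(set)
    for dn in member_of:
        hit = normalized.get(normalize_dn(dn))
        if hit is not None:
            tenant, role = hit
            result[tenant].add(role)
    return dict(result)


def reconcile(desired, current):
    """Return (grants, revokes) as sets of (tenant, role) so the OpenStack
    side converges on AD. Computing revokes is what makes removal from an
    AD group actually take access away, rather than only ever adding."""
    want = set((t, r) for t, roles in desired.items() for r in roles)
    have = set((t, r) for t, roles in current.items() for r in roles)
    return want - have, have - want


# Constructed AD entry: note the spacing and case differences in memberOf,
# and one group (Domain Users) that intentionally maps to nothing.
SAMPLE_ENTRY = {
    "sAMAccountName": "aknister",
    "memberOf": [
        "CN=hpc-users, OU=Groups, DC=corp, DC=example, DC=com",
        "CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com",
        "cn=hpc-ops,ou=Groups,dc=corp,dc=example,dc=com",
    ],
}

if __name__ == "__main__":
    user = principal_to_username("aknister@CORP.EXAMPLE.COM")
    desired = assignments_for(SAMPLE_ENTRY["memberOf"])
    # What Keystone currently holds for this user (constructed).
    current = {"hpc": {"Member"}, "admin": {"admin"}}
    grants, revokes = reconcile(desired, current)
    print(user, desired, grants, revokes)
```

The realm check is the part worth keeping even if the rest is replaced by a real Keystone mapping backend: once Apache does the authentication, Keystone only sees a string in REMOTE_USER, and stripping the realm without checking it lets any principal from a cross-realm trust land on a local account of the same name.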



