*bump*
Here's the tl;dr version:
- How have other folks handled integration of OpenStack with
existing authN/authZ infrastructures? I'm particularly interested
in the automatic mapping of existing LDAP groups to roles/tenants
within openstack.
- Are there plans to add support for the auth plugins to the
*client modules and CLI tools going forward? I'd be interested in
contributing this if it's on the roadmap and hasn't been done yet.
- Are there plans to add support for auth plugins/external auth
to Horizon? As above, I'm interested in implementing this if
there's interest.
- I see vague references in the documentation/*client code to
using certificates for authentication (without the need for httpd
external authentication) which would also eliminate the
credentials-in-environment-variables issue. Is using PKI for
authentication going to be supported? If so what's the status?
Am I perhaps posting this to the wrong list? I didn't get any
replies from my original post.
Thanks!
-Aaron
On Tue, May 7, 2013 at 1:52 PM, Aaron Knister
<aaron.knister@xxxxxxxxx> wrote:
Hi Everyone,
I'm looking for feedback and input about what other sites are
doing for authentication and authorization with OpenStack.
First, some background:
I'm currently evaluating OpenStack (Grizzly), specifically
working on integration with Active Directory. I'm unable to
modify the schema to allow groupOfNames as a SUP of
organizationalRole so I've implemented a workaround using
openldap and several of its overlays backends to sit in front
of AD. That all works just fine, however I really would like
to be able to map AD groups to roles/tenants. I suspect I'll
end up writing some code to do this-- shouldn't be too hard.
Also on the subject of Active Directory, it's a show stopper
for me to put un-encrypted AD credentials in environment
variables to then pass to the various openstack CLI progs. My
ideal workaround would be to use Kerberos authentication
which I actually have working. I setup keystone to run under
apache based on this documentation with some tweaks here and
there:
http://docs.openstack.org/developer/keystone/external-auth.html
I created an openstack client auth plugin (based on the VOMS
auth plugin) using requests_kerberos and this works well with
the nova client, however none of the other client tools,
including horizon, seem to support authentication plugins or
the external authentication concept in general.
So, here are my questions:
- How have other folks handled integration of OpenStack with
existing authN/authZ infrastructures? I'm particularly
interested in the automatic mapping of existing LDAP groups
to roles/tenants within openstack.
- Are there plans to add support for the auth plugins to the
*client modules and CLI tools going forward? I'd be
interested in contributing this if it's on the roadmap and
hasn't been done yet.
- Are there plans to add support for auth plugins/external auth
to Horizon? As above, I'm interested in implementing this
if there's interest.
- I see vague references in the documentation/*client code to
using certificates for authentication (without the need for
httpd external authentication) which would also eliminate the
credentials-in-environment-variables issue. Is using PKI for
authentication going to be supported? If so what's the status?
Thanks in advance!
-Aaron
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to: openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe: https://launchpad.net/~openstack
More help: https://help.launchpad.net/ListHelp
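The "map AD groups to roles/tenants" code the original post says it will probably have to write, sketched as an added example that is not part of the thread and not Keystone's own code. It assumes a hypothetical group naming convention (`cloud-<tenant>-<admins|users>`), a hypothetical mapping of those suffixes to the Keystone role names `admin` and `Member`, and a constructed, in-memory snapshot of group membership in place of a live LDAP search; the Keystone side (granting and revoking via the API) is left as the grant/revoke lists the script produces, so it runs offline.

```python
"""
Added example: derive Keystone (tenant, role) assignments from LDAP/AD group
membership under a naming convention, and report groups that do not fit it.
All group names, user names and the convention itself are constructed for
illustration; nothing here contacts a directory or Keystone.
"""
import re

# Constructed sample: the (group DN -> member DNs) result an LDAP search for
# group objects might return. Invented values.
SAMPLE_GROUPS = {
    "CN=cloud-proj-a-admins,OU=Groups,DC=example,DC=org": [
        "CN=alice,OU=Users,DC=example,DC=org",
    ],
    "CN=cloud-proj-a-users,OU=Groups,DC=example,DC=org": [
        "CN=alice,OU=Users,DC=example,DC=org",
        "CN=bob,OU=Users,DC=example,DC=org",
    ],
    "CN=cloud-proj-b-users,OU=Groups,DC=example,DC=org": [
        "CN=carol,OU=Users,DC=example,DC=org",
    ],
    # Not a cloud group at all: must be reported, never silently mapped.
    "CN=hr-staff,OU=Groups,DC=example,DC=org": [
        "CN=dave,OU=Users,DC=example,DC=org",
    ],
}

# Hypothetical convention: cloud-<tenant>-<admins|users>. Only groups that
# match are mapped; everything else is surfaced for an operator to review.
GROUP_PATTERN = re.compile(r"^cloud-(?P<tenant>[a-z0-9-]+)-(?P<role>admins|users)$")
# Hypothetical suffix -> Keystone role name mapping.
ROLE_NAMES = {"admins": "admin", "users": "Member"}


def cn_of(dn):
    """Return the CN value of a DN's first RDN, e.g. 'alice'."""
    first = dn.split(",", 1)[0]
    key, _, value = first.partition("=")
    if key.strip().upper() != "CN":
        raise ValueError("expected CN as first RDN: %r" % dn)
    return value.strip()


def map_groups(groups):
    """
    Turn group membership into a sorted list of (user, tenant, role) tuples
    plus a sorted list of group DNs that did not match the convention.
    """
    assignments = set()
    unmapped = []
    for group_dn, members in groups.items():
        match = GROUP_PATTERN.match(cn_of(group_dn))
        if not match:
            unmapped.append(group_dn)
            continue
        tenant = match.group("tenant")
        role = ROLE_NAMES[match.group("role")]
        for member_dn in members:
            assignments.add((cn_of(member_dn), tenant, role))
    return sorted(assignments), sorted(unmapped)


def diff_assignments(desired, current):
    """
    Compare the directory-derived assignments with what Keystone currently
    has and return (grants, revokes). Revokes matter as much as grants:
    a user removed from an AD group should lose the role, not keep it.
    """
    desired, current = set(desired), set(current)
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    wanted, skipped = map_groups(SAMPLE_GROUPS)
    # Constructed "current state" as Keystone might report it.
    existing = [("bob", "proj-a", "Member"), ("dave", "proj-a", "admin")]
    grants, revokes = diff_assignments(wanted, existing)
    for user, tenant, role in grants:
        print("grant  %-6s %-8s %s" % (user, tenant, role))
    for user, tenant, role in revokes:
        print("revoke %-6s %-8s %s" % (user, tenant, role))
    for dn in skipped:
        print("unmapped group: %s" % dn)
```

The two design choices worth keeping if this is turned into a real sync job: unmatched groups are reported rather than ignored, and the reconciliation step produces revokes as well as grants, so a user who leaves a group in the directory also loses the corresponding tenant role.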