
openstack team mailing list archive

Re: AuthN/AuthZ


Thanks Adam. I don't think I asked the right question. I'm wondering how I
get horizon to use the external auth when keystone is running behind apache.


On Mon, May 20, 2013 at 10:22 AM, Adam Young <ayoung@xxxxxxxxxx> wrote:

>  On 05/16/2013 11:29 AM, Aaron Knister wrote:
>
>  Thanks Adam. I was able to get that far after a *lot* of headache. AD's
> typical schema doesn't map to what OpenStack is expecting, particularly as
> far as the domain_id attribute is concerned.
>
>
> Sorry about that.  I am not too fond of our Domain_id thing either, and
> working to rectify:
>
>
>
>
>  When running Keystone under Apache HTTPD how does one use horizon?
>
>
> No change.  You can report ports other than 5000/35357 for Keystone's
> service catalog if you want to have Keystone serve on 443.  Or, you can
> have apache listen on the usual keystone ports.  You will want Keystone on
> a separate machine from Horizon.
>
>
>
>
> On Wed, May 15, 2013 at 3:57 PM, Adam Young <ayoung@xxxxxxxxxx> wrote:
>
>>  Run Keystone in Apache HTTPD, use Kerberos and the LDAP backend to talk
>> to AD.
>>
>>
>>
>> On 05/14/2013 06:11 PM, Aaron Knister wrote:
>>
>>   *bump*
>>
>>  Here's the tl;dr version:
>>
>> - How have other folks handled integration of OpenStack with existing
>> authN/authZ infrastructures? I'm particularly interested in the automatic
>> mapping of existing LDAP groups to roles/tenants within openstack.
>> - Are there plans to add support for the auth plugins to the *client
>> modules and CLI tools going forward? I'd be interested in contributing this
>> if it's on the roadmap and hasn't been done yet.
>> - Are there plans to add support for auth plugins/external auth to
>> Horizon? As above, I'm interested in implementing this if there's interest.
>>  - I see vague references in the documentation/*client code to using
>> certificates for authentication (without the need for httpd external
>> authentication) which would also eliminate the credentials-in-environment-
>> variables issue. Is using PKI for authentication going to be supported?
>> If so what's the status?
>>
>>  Am I perhaps posting this to the wrong list? I didn't get any replies
>> from my original post.
>>
>>  Thanks!
>>
>> -Aaron
>>
>>
>>
>> On Tue, May 7, 2013 at 1:52 PM, Aaron Knister <aaron.knister@xxxxxxxxx> wrote:
>>
>>>     Hi Everyone,
>>>
>>>  I'm looking for feedback and input about what other sites are doing for
>>> authentication and authorization with OpenStack.
>>>
>>>  First, some background:
>>>
>>>  I'm currently evaluating OpenStack (Grizzly), specifically working on
>>> integration with Active Directory. I'm unable to modify the schema to allow
>>> groupOfNames as a SUP of organizationalRole so I've implemented a
>>> workaround using openldap and several of its overlays backends to sit in
>>> front of AD. That all works just fine, however I really would like to be
>>> able to map AD groups to roles/tenants. I suspect I'll end up writing some
>>> code to do this-- shouldn't be too hard.
>>>
>>>  Also on the subject of Active Directory, it's a show stopper for me to
>>> put un-encrypted AD credentials in environment variables to then pass to
>>> the various openstack CLI progs. My ideal workaround would be to use
>>> Kerberos authentication which I actually have working. I set up keystone to
>>> run under apache based on this documentation with some tweaks here and
>>> there:
>>>
>>> http://docs.openstack.org/developer/keystone/external-auth.html
>>>
>>>  I created an openstack client auth plugin (based on the VOMS auth
>>> plugin) using requests_kerberos and this works well with the nova client,
>>> however none of the other client tools, including horizon, seem to support
>>> authentication plugins or the external authentication concept in general.
>>>
>>>  So, here are my questions:
>>>
>>>  - How have other folks handled integration of OpenStack with existing
>>> authN/authZ infrastructures? I'm particularly interested in the automatic
>>> mapping of existing LDAP groups to roles/tenants within openstack.
>>>  - Are there plans to add support for the auth plugins to the *client
>>> modules and CLI tools going forward? I'd be interested in contributing this
>>> if it's on the roadmap and hasn't been done yet.
>>>  - Are there plans to add support for auth plugins/external auth to
>>> Horizon? As above, I'm interested in implementing this if there's interest.
>>>  - I see vague references in the documentation/*client code to using
>>> certificates for authentication (without the need for httpd external
>>> authentication) which would also eliminate the
>>> credentials-in-environment-variables issue. Is using PKI for authentication
>>> going to be supported? If so what's the status?
>>>
>>>  Thanks in advance!
>>>
>>> -Aaron
>>>
>>
>>
>>
>>  _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>>
>>
>>
>
>
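The two mechanisms this thread keeps coming back to are Apache doing the authentication (Kerberos via an httpd module) and handing Keystone a REMOTE_USER, and then deciding which OpenStack roles/tenants an AD user gets from the groups they belong to. The following is an added illustration of both steps written for this page; it is not Keystone, Horizon or the poster's auth plugin, and the realm, the group DNs, the `GROUP_TO_ROLE` table and the `lookup_member_of` callable are all assumptions standing in for site configuration and an LDAP search.

```python
# Added illustration (not Keystone code): what "external auth" under Apache
# means in WSGI terms, plus a deny-by-default mapping of AD group DNs to
# OpenStack (tenant, role) pairs. All names and values below are constructed.

TRUSTED_REALM = "EXAMPLE.COM"  # assumed Kerberos realm for this site

# Constructed mapping: lower-cased AD group DN -> (tenant, role).
# Groups not listed here grant nothing, so an unexpected group never
# turns into an unexpected role.
GROUP_TO_ROLE = {
    "cn=cloud-admins,ou=groups,dc=example,dc=com": ("admin", "admin"),
    "cn=proj-alpha-devs,ou=groups,dc=example,dc=com": ("alpha", "Member"),
    "cn=proj-alpha-ops,ou=groups,dc=example,dc=com": ("alpha", "Member"),
}


def authenticate(environ):
    """Return the local username for a request Apache already authenticated.

    Only the WSGI variable REMOTE_USER is consulted. mod_wsgi sets it from
    Apache's own authentication result; anything a client sends as an HTTP
    header would show up as HTTP_REMOTE_USER instead and is ignored here.
    Returns None if the principal is missing, malformed, or from a realm
    other than the one this deployment trusts.
    """
    principal = environ.get("REMOTE_USER")
    if not principal or "@" not in principal:
        return None
    user, realm = principal.rsplit("@", 1)
    if not user or realm.upper() != TRUSTED_REALM:
        return None
    return user.lower()


def _normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators so that
    'CN=x, OU=y' and 'cn=x,ou=y' look up the same table entry."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def roles_for_groups(member_of):
    """Map the user's AD memberOf values to a sorted, de-duplicated list of
    (tenant, role) assignments. Unmapped groups are skipped, never guessed."""
    assignments = set()
    for dn in member_of:
        target = GROUP_TO_ROLE.get(_normalize_dn(dn))
        if target is not None:
            assignments.add(target)
    return sorted(assignments)


def assignments_for_request(environ, lookup_member_of):
    """Run both steps: authenticate from the WSGI environ, then map groups.

    `lookup_member_of` is a caller-supplied callable (in practice an LDAP
    search against AD) taking a username and returning its group DNs.
    Returns (username, assignments) or None when authentication fails.
    """
    user = authenticate(environ)
    if user is None:
        return None
    return user, roles_for_groups(lookup_member_of(user))


if __name__ == "__main__":
    # Constructed directory data standing in for an LDAP search result.
    directory = {
        "aknister": [
            "CN=proj-alpha-devs, OU=Groups, DC=example, DC=com",
            "CN=coffee-club,OU=Groups,DC=example,DC=com",  # not mapped
        ],
    }
    environ = {"REMOTE_USER": "aknister@EXAMPLE.COM"}  # as set by Apache
    print(assignments_for_request(environ, lambda u: directory.get(u, [])))
```

The point of `authenticate` reading only `REMOTE_USER` (and not `HTTP_REMOTE_USER`) is that the trust comes from Apache having done the Kerberos exchange in front of the WSGI app; if Keystone were also reachable on its own port without Apache in front, nothing sets that variable and the function correctly returns None. The realm check covers the case where the httpd Kerberos module is configured to accept more than one realm.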
