openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #23840
Re: AuthN/AuthZ
Thanks Adam. I don't think I asked the right question. I'm wondering how I
get horizon to use the external auth when keystone is running behind apache.
On Mon, May 20, 2013 at 10:22 AM, Adam Young <ayoung@xxxxxxxxxx> wrote:
> On 05/16/2013 11:29 AM, Aaron Knister wrote:
>
> Thanks Adam. I was able to get that far after a *lot* of headache. AD's
> typical schema doesn't map to what OpenStack is expecting, particularly as
> far as the domain_id attribute is concerned.
>
>
> Sorry about that. I am not too fond of our Domain_id thing either, and
> working to rectify:
>
>
>
>
> When running Keystone under Apache HTTPD how does one use horizon?
>
>
> No change. You can report ports other that 5000/35357 for Keystone's
> service catalog if you want to have Keystone serve on 443. Or, you can
> have apache listen on the usual keystone ports. You will want Keystone on
> a separate machine from Horizon.
>
>
>
>
> On Wed, May 15, 2013 at 3:57 PM, Adam Young <ayoung@xxxxxxxxxx> wrote:
>
>> Run Keystone in Apache HTPD, use Kerberos and the LDAP backend to talk
>> to AD.
>>
>>
>>
>> On 05/14/2013 06:11 PM, Aaron Knister wrote:
>>
>> *bump*
>>
>> Here's the tl;dr version:
>>
>> - How have other folks handled integration of OpenStack with existing
>> authN/authZ infrastructures? I'm particularly interested in the automatic
>> mapping of existing LDAP groups to roles/tenants within openstack.
>> - Are there plans to add support for the auth plugins to the *client
>> modules and CLI tools going forward? I'd be interested in contributing this
>> if it's on the roadmap and hasn't been done yet.
>> - Are there plans to add support for auth plugins/external au th to
>> Horizon? As above, I'm interested in implementing this if there's interest.
>> - I see vague references in the documentation/*client code to using
>> certificates for authentication (without the need for httpd external
>> authentication) which would also eliminate the credentials-in-environment-
>> variables issue. Is using PKI for authentication going to be supported?
>> If so what's the status?
>>
>> Am I perhaps posting this to the wrong list? I didn't get any replies
>> from my original post.
>>
>> Thanks!
>>
>> -Aaron
>>
>>
>>
>> On Tue, May 7, 2013 at 1:52 PM, Aaron Knister <aaron.knister@xxxxxxxxx>wrote:
>>
>>> Hi Everyone,
>>>
>>> I'm looking for feedback and input about what other sites are doing for
>>> authentication and authorization with OpenStack.
>>>
>>> First, some background:
>>>
>>> I'm currently evaluating OpenStack (Grizzly), specifically working on
>>> integration with Active Directory. I'm unable to modify the schema to allow
>>> groupOfNames as a SUP of organizationalRole so I've implemented a
>>> workaround using openldap and several of its overlays backends to sit in
>>> front of AD. That all works just fine, however I really would like to be
>>> able to map AD groups to roles/tenants. I suspect I'll end up writing some
>>> code to do this-- shouldn't be too hard.
>>>
>>> Also on the subject of Active Directory, it's a show stopper for me to
>>> put un-encrypted AD credentials in environment variables to then pass to
>>> the various openstack CLI progs. My ideal workaround would be to use
>>> Kerberos authentication which I actually have working. I setup keystone to
>>> run under apache based on this documentation with some tweaks here and
>>> there:
>>>
>>> http://docs.openstack.org/developer/keystone/external-auth.html
>>>
>>> I created an openstack client auth plugin (based on the VOMS auth
>>> plugin) using requests_kerberos and this works well with the nova client,
>>> however none of the other client tools, including horizon, seem to support
>>> authentication plugins or the external authentication concept in general.
>>>
>>> So, here are my questions:
>>>
>>> - How have other folks handled integration of OpenStack with existing
>>> authN/authZ infrastructures? I'm particularly interested in the automatic
>>> mapping of existing LDAP groups to roles/tenants within openstack.
>>> - Are there plans to add support for the auth plugins to the *client
>>> modules and CLI tools going forward? I'd be interested in contributing this
>>> if it's on the roadmap and hasn't been done yet.
>>> - Are there plans to add support for auth plugins/external au th to
>>> Horizon? As above, I'm interested in implementing this if there's interest.
>>> - I see vague references in the documentation/*client code to using
>>> certificates for authentication (without the need for httpd external
>>> authentication) which would also eliminate the
>>> credentials-in-environment-variables issue. Is using PKI for authentication
>>> going to be supported? If so what's the status?
>>>
>>> Thanks in advance!
>>>
>>> -Aaron
>>>
>>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>
>
References