
yahoo-eng-team team mailing list archive

[Bug 1947870] [NEW] Keystone Kerberos auth broken when delegate to HTTP

 

Public bug reported:

Keystone Kerberos works well when your openstack client
can dialog with your KDC.

However, when the KDC is hidden, it's not accessible by our
users directly, so we need to delegate the Kerberos auth
to HTTP to get a Keystone token; that's why we use the curl command.

From the OpenStack client CLI we get "Negotiate"
as auth_type -> it works. Nonetheless, with curl we get "Basic"
as auth_type -> an error is raised.

That's why we proposed to add "Basic" as an authorized method for Kerberos.


https://review.opendev.org/c/openstack/keystone/+/814770

Patchset: 1efc0c5c6730c9066f47edf953bf805aec0fd3c0

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: http kerberos keystone negotiate train

** Tags added: kerberos keystone train

** Tags added: http negotiate

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1947870

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1947870/+subscriptions