[openstack-dev] Keystone Apache2 Installation Question

Fox, Kevin M kevin.fox at pnnl.gov
Mon Oct 14 21:31:42 UTC 2013


Hi Adam,

I was trying to get both kerberos negotiate and kerberos basic auth working. Negotiate does not seem to be supported by any of the clients so I think it will be a fair amount of work to get working.

/keystone/main/v2.0/tokens can't support having an apache auth module on it, it seems, because it is overloaded to do too many things. After playing around with it, it looks like some services (like horizon) assume they can give it a token and get back a restricted token without doing basic auth/negotiate all the time. You can't put auth around it in apache and Require valid-user and still have it perform its other functions. The tokens endpoint needs to be able to be split out so that you can do something like /auth/<type>/tokens, so you can put a different handler on each url and /tokens has all the rest of the functionality. I guess this will have to wait for Icehouse.

I also played around with basic auth as an alternative in the meantime to negotiate and ran into that same issue. It also requires changes to not just python-keystoneclient but a lot of the other python-*clients as well, and even then, horizon breaks as described above.

I found a workaround for basic auth though that is working quite nicely. I'm trying to get the patch through our legal department, but they are tripping over the contributor agreement. :/

The trick is, if you are using basic auth, you only support a username/password anyway, and Havana Keystone is pluggable in its handling of username/passwords.

So, I'll just tell you the idea of the patch so you can work on reimplementing it if you'd like.
 * I made a new file /usr/lib/python2.6/site-packages/keystone/identity/backends/basic_auth_sql.py
 * I made a class Identity that inherits from the sql Identity class.
 * I overrode the _check_password function.
 * I took the username/password and base64 encoded it, then made an http request with it to whatever http basic auth service url you want to validate with. apache on localhost works great.
 * Check the result for status 200. You can even fall back to the super class's _check_password to support both basic auth and sql passwords if you'd like.

The interesting bit about this configuration is keystone does not need to be embedded in apache to support apache basic auth, while still providing you most of the flexibility of apache basic auth plugins. The only thing that doesn't work is REMOTE_USER rewriting. Though you could probably add that feature in somehow using an http response header or something.

Thanks,
Kevin
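The backend Kevin outlines above, written out as an added example (this is not his patch, which never reached the list): a Python 3 version of the idea with a transport hook so the check can be exercised without a server, an explicit refusal to send the credential anywhere but TLS or loopback, and the SQL fallback he mentions. The module path keystone.identity.backends.sql, the _check_password(self, password, user_ref) signature with user_ref['name'], and CHECK_URL are assumptions rather than anything stated in the thread; the keystone import is guarded so the checker itself runs without keystone installed.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def basic_auth_ok(url, username, password, transport=None, timeout=5):
    """True only if the basic-auth verifier at ``url`` answers HTTP 200.

    ``transport(url, headers, timeout)`` returns a status code (default: urllib).
    """
    parts = urlsplit(url)
    # Never send the credential in the clear to anything but TLS or loopback.
    if parts.scheme != "https" and parts.hostname not in ("127.0.0.1", "::1", "localhost"):
        raise ValueError("basic-auth verifier must be https or on loopback")
    if not username or ":" in username:
        return False  # a colon cannot be encoded in the user-id (RFC 7617)
    cred = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    status = (transport or _urllib_status)(url, {"Authorization": "Basic " + cred}, timeout)
    return status == 200  # 401/403/5xx all mean "not verified"


def _urllib_status(url, headers, timeout):
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # report 401/403/5xx, do not raise
        return err.code


try:
    from keystone.identity.backends import sql as _sql
except ImportError:  # keystone not installed: the checker above still works alone
    _sql = None
if _sql is not None:
    class Identity(_sql.Identity):
        """Drop-in for the SQL backend: ask Apache first, SQL password second."""
        # Assumed location of an Apache <Location> protected by AuthType Basic.
        CHECK_URL = "https://127.0.0.1/keystone-basic-auth"

        def _check_password(self, password, user_ref):
            # Signature assumed from Havana's sql backend; user_ref carries 'name'.
            try:
                if basic_auth_ok(self.CHECK_URL, user_ref.get("name"), password):
                    return True
            except (ValueError, OSError):
                pass  # verifier unreachable or misconfigured: fall through to SQL
            return super(Identity, self)._check_password(password, user_ref)
```

Point the identity driver in keystone.conf at this module's Identity class and the SQL user table stays as the fallback, exactly as the bullet list describes.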
________________________________________
From: Adam Young [ayoung at redhat.com]
Sent: Monday, October 14, 2013 1:22 PM
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] Keystone Apache2 Installation Question

On 10/09/2013 08:43 PM, Fox, Kevin M wrote:
> Thanks for the docs. It looks like I got through all of that already, it's the authentication module part that is throwing me.
>
> I managed to manually get a token by putting mod_krb5 on <Location /keystone/main/v2.0/tokens> and using curl against it, giving curl a username/password.
> If I try and give that generated token back though it's failing because krb5 wants a username and password.
That is not right. krb5 should use Negotiate, not basic auth, and you
should not need UID/PW in order to get a token
>
> I guess I need one endpoint url to take in a kerb5 username/password and give me a token.
No, a krb service ticket, not password

> another url to validate tokens I guess. Maybe that's what the split between main and admin is for though?
Validation probably should not be done via Kerberos, unless you have a
way to automatically update the service tickets for Nova etc. There are
mechanisms for doing that in the latest version of the GSSAPI, but I
would not expect it to be in the current RHEL6 or the latest LTS of
Ubuntu yet.  So the validate calls need to go to a URL not protected
via Kerberos.

>
> And none of the clients seem to pass a basic auth username/password, so I'd have to modify all of those too? I think it's a middleware thing though, so I might be able to tweak them all at once?

Correct.  I am working on a patch for Basic-Auth in Icehouse, but it
won't be in Havana.

>
> Thanks,
> Kevin
> ________________________________________
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) [mark.m.miller at hp.com]
> Sent: Wednesday, October 09, 2013 5:17 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>
> Hi Kevin,
>
> It has been a while, but here are some notes I took.
>
> Regards,
>
> Mark Miller
>
> ---------------------------------
>
> Keystone Apache2 frontend Installation and Configuration
>
> Instructions below are based off of documentation/examples from URL https://keystone-voms.readthedocs.org/en/latest/requirements.html
> Install Apache2 WSGI with mod_ssl enabled. To do so, install the packages, and enable the relevant modules:
> sudo apt-get install apache2 libapache2-mod-wsgi
> sudo a2enmod ssl
> sudo ufw disable  # Note: not sure if I need to disable the firewall
>
> Then configure your Apache server to use CA certificates. If you have some installed in the default location, enable the default-ssl site (a2ensite default-ssl) and modify its configuration file (normally in /etc/apache2/sites-enabled/default-ssl). If not, create configuration file "/etc/apache2/sites-enabled/keystone" for your keystone installation.
> Note: I created file "/etc/apache2/sites-enabled/keystone" shown below.
> Example:
> WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10
>
> Listen 5000
> <VirtualHost _default_:5000>
>      LogLevel info
>      ErrorLog ${APACHE_LOG_DIR}/error.log
>      CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
>
>      SSLEngine on
>      SSLCertificateFile    /etc/ssl/certs/apache.cert
>      SSLCertificateKeyFile /etc/ssl/private/apache.key
>
>      SSLCACertificatePath /etc/ssl/certs
>      SSLCARevocationPath /etc/ssl/certs
>      SSLVerifyClient optional
>      SSLVerifyDepth 10
>      SSLProtocol all -SSLv2
>      SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>      SSLOptions +StdEnvVars +ExportCertData
>
>      WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/main
>      WSGIProcessGroup keystone
> </VirtualHost>
>
> Listen 35357
> <VirtualHost _default_:35357>
>      LogLevel info
>      ErrorLog ${APACHE_LOG_DIR}/error.log
>      CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
>
>      SSLEngine on
>      SSLCertificateFile    /etc/ssl/certs/apache.cert
>      SSLCertificateKeyFile /etc/ssl/private/apache.key
>
>
>      SSLCACertificatePath /etc/ssl/certs
>      SSLCARevocationPath /etc/ssl/certs
>      SSLVerifyClient optional
>      SSLVerifyDepth 10
>      SSLProtocol all -SSLv2
>      SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>      SSLOptions +StdEnvVars +ExportCertData
>
>      WSGIScriptAlias / /usr/lib/cgi-bin/keystone/admin
>      WSGIProcessGroup keystone
> </VirtualHost>
>
> Note1: By changing settings in this file you can turn on and off the Apache2-SSL frontend to Keystone (directive SSLEngine).
> Note2: The "[ssl]" section of file "keystone.conf" needs to match this file in that if SSL is turned on in one of them, then it needs to be turned on in the other.
> To run keystone as a WSGI app, copy file "keystone.py" to the correct location and create links to it.
> sudo mkdir -p /usr/lib/cgi-bin/keystone
> sudo cp /<path>/keystone-2013.2.b2/httpd/keystone.py /usr/lib/cgi-bin/keystone/keystone.py
> sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/main
> sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/admin
>
> If the keystone service is running, shut it down. The Apache2 service will now start up as many instances of keystone as are specified on the first line of file "/etc/apache2/sites-enabled/keystone".
> sudo service keystone stop
>
> Adjust the "keystone.py" file to point to your keystone configuration file "if" it is not in the default location (i.e. "/etc/keystone/keystone.conf").
> Note: I did not make any changes to file keystone.py.
> Add variable OPENSSL_ALLOW_PROXY_CERTS to your Apache2 environment file "/etc/apache2/envvars" so that X.509 proxy certificates are accepted by OpenSSL.
> export OPENSSL_ALLOW_PROXY_CERTS=1
>
> If you don't have server certificates for your Apache2 server, generate your own self-signed certificates following instructions from URL:
> https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache.key -out /etc/ssl/certs/apache.cert
> When prompted, use the name of your server for the common name.
> Country Name (2 letter code) [AU]:US
> State or Province Name (full name) [Some-State]:Oregon
> Locality Name (eg, city) []:Corvallis
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hewlett-Packard
> Organizational Unit Name (eg, section) []:CloudOS
> Common Name (e.g. server FQDN or YOUR name) []:havanatest
> Email Address []:mark.m.miller at hp.com
>
> Add the server name to your "/etc/hosts" file.
> 127.0.1.1       havanatest
>
> Add the full IP address and server name to your REST client computer's "/etc/hosts" file. The name in the REST client URL must match the name of the server/common-name found in the certificate.
> 15.253.57.66    havanatest
>
> I ran into a problem with the Apache2 server startup because it was not able to reliably determine my test server's fully qualified domain name. Following instructions from the following URL allowed me to bypass this issue by adding the server name to file "/etc/apache2/httpd.conf".
>
> http://aslamnajeebdeen.com/blog/how-to-fix-apache-could-not-reliably-determine-the-servers-fully-qualified-domain-name-using-127011-for-servername-error-on-ubuntu
>
> Example:
> servername havanatest
>
> Finally, restart the Apache2 service and check to see that apache2 and keystone are running.
>
> sudo service apache2 restart
>
> ps -ef | grep apache2
> root      4463     1  1 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
> www-data  4464  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
> keystone  4468  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
> keystone  4469  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
> keystone  4470  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
> www-data  4471  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
> www-data  4472  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
> root      4564  2483  0 10:41 pts/2    00:00:00 grep --color=auto apache2
>
> ps -ef | grep keystone
> keystone  4468  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
> keystone  4469  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
> keystone  4470  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
> root      4566  2483  0 10:42 pts/2    00:00:00 grep --color=auto keystone
>
> With the above configuration and assuming that the Keystone host is "havanatest", the Keystone endpoint URLs will be as follows:
> *       https://havanatest:5000/v3
> *       https://havanatest:35357/v3
>
>
>
>
>> -----Original Message-----
>> From: Fox, Kevin M [mailto:kevin.fox at pnnl.gov]
>> Sent: Wednesday, October 09, 2013 4:59 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>>
>> I've just started playing around with Keystone under Apache. I have
>> managed to get it embedded now and all services talking to it.
>>
>> Now, I'm trying to get it to do apache authentication. The documentation
>> states that it should honor REMOTE_USER if it's present.
>>
>> The default wsgi-keystone.conf has this in it:
>> <Location "/keystone">
>>   NSSRequireSSL
>>   Authtype none
>> </Location>
>>
>> Which Locations do you put Apache auth plugins on? Putting it on all of
>> /keystone seems wrong. I tried putting it only on <Location
>> "/keystone/main/v2.0/tokens"> and that didn't work either...
>>
>> Looking at the token api, it doesn't look like it does basic auth at all, expecting
>> the username/password to be passed through a json document? So perhaps
>> what I am trying to do will never work? Do I have to set some flag to get
>> python-keystoneclient/Dashboard to pass the username/password as
>> basicauth instead of in a json form?
>>
>> Thanks,
>> Kevin
>>
>>
>>
>> ________________________________________
>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> [mark.m.miller at hp.com]
>> Sent: Monday, August 12, 2013 4:17 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>>
>> Progress: Got Keystone working under Apache2 with HTTP based on the
>> following 2 URLs. HTTPS is the next.
>>
>> https://keystone-voms.readthedocs.org/en/latest/requirements.html
>> https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
>>
>> Mark
>>
>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> Sent: Monday, August 12, 2013 3:10 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>>
>> Looks like I may be ahead of the game. It doesn't look like this blueprint has
>> been started yet. Am I correct?
>>
>> https://blueprints.launchpad.net/devstack/+spec/devstack-setup-apache-keystone
>>
>> A very valuable feature of Keystone is to configure it to leverage apache as
>> its front end. As a means of demonstrating how this works, and to facilitate
>> automated testing of this configuration in the future, support to devstack will
>> be added to enable it to optionally install and configure keystone using
>> apache as its front end. The design approach used will be that described in the
>> keystone docs:
>> https://github.com/openstack/keystone/blob/master/doc/source/apache-httpd.rst
>> Thanks,
>>
>> Mark
>>
>>
>>
>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> Sent: Monday, August 12, 2013 1:45 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>>
>> The commands/libraries  do not exist for Ubuntu, Keystone no longer starts
>> up, directories between the sets of documents do not match, ...
>>
>> From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
>> Sent: Monday, August 12, 2013 1:41 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>>
>> What problem(s) are you running into when following the above
>> documentation / examples?
>>
>> On Mon, Aug 12, 2013 at 3:32 PM, Miller, Mark M (EB SW Cloud - R&D -
>> Corvallis) <mark.m.miller at hp.com> wrote:
>> Hello,
>>
>> I am looking for documentation on how to install/configure Apache2 as the
>> Keystone front end for "Ubuntu 12.04". I have found various documentation
>> snippets for a variety of applications and operating systems, but nothing for
>> Ubuntu. Any pointers would greatly be appreciated. I have been trying to
>> piece the installation/configuration from the following URLs but have yet to
>> be successful.
>>
>> http://docs.openstack.org/developer/keystone/apache-httpd.html#keystone-configuration
>> https://keystone-voms.readthedocs.org/en/latest/requirements.html
>> https://github.com/enovance/keystone-wsgi-apache/blob/master/provision.sh
>> http://adam.younglogic.com/2012/04/keystone-httpd/
>>
>> Regards,
>>
>> Mark
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>>
>> --
>>
>> -Dolph
>>

