[openstack-dev] Kerberization of Horizon (kerbhorizon?)
ayoung at redhat.com
Wed Jun 4 18:53:03 UTC 2014
OK, so I'm cranking on All of the Kerberso stuff: plus S4U2Proxy work
etc....except that I have never worked with DJango directly before. I
want to get a sanity check on my approach:
Instead of "authenticating" to Keystone, Horizon will use mod_auth_krb5
and REMOTE_USER to authenticate the user. Then, in order to get a
Keystone token, the code in
openstack_dashboard/api/keystone.py:keystoneclient needs to fetch a
token for the user.
This will be done using a Kerberized Keystone and S4U2Proxy setup. There
are alternatives using TGT delegation that I really want to have nothing
to do with.
The keystoneclient call currently does:
conn = api_version['client'].Client(token=user.token.id,
when I am done it would do:
from keystoneclient.contrib.auth.v3 import kerberos
||auth = kerberos.Kerberos(OS_AUTH_URL)||||
||auth = v3.auth.Token(token=user.token.id)
|||conn = client.Client(session=sess, region_name='RegionOne') |
(with the other parameters from the original call going into auth,
session. or client as appropriate)
Am I on track?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev