[openstack-dev] Kerberization of Horizon (kerbhorizon?)

Adam Young ayoung at redhat.com
Wed Jun 4 18:53:03 UTC 2014


OK, so I'm cranking on all of the Kerberos stuff, plus S4U2Proxy work, 
etc... except that I have never worked with Django directly before.  I 
want to get a sanity check on my approach:

Instead of "authenticating" to Keystone, Horizon will use mod_auth_krb5 
and REMOTE_USER to authenticate the user.  Then, in order to get a 
Keystone token, the code in 
openstack_dashboard/api/keystone.py:keystoneclient   needs to fetch a 
token for the user.

This will be done using a Kerberized Keystone and S4U2Proxy setup. There 
are alternatives using TGT delegation that I really want to have nothing 
to do with.

The keystoneclient call currently does:


         conn = api_version['client'].Client(token=user.token.id,
                                             endpoint=endpoint,
                                             original_ip=remote_addr,
                                             insecure=insecure,
                                             cacert=cacert,
                                             auth_url=endpoint,
                                             debug=settings.DEBUG)

when I am done it would do:

         from keystoneclient.contrib.auth.v3 import kerberos
         ...

         if REMOTE_USER:
             auth = kerberos.Kerberos(OS_AUTH_URL)
         else:
             auth = v3.auth.Token(token=user.token.id)

         # pass whichever auth plugin was selected above
         sess = session.Session(auth, verify=OS_CACERT)
         conn = client.Client(session=sess, region_name='RegionOne')



(with the other parameters from the original call going into auth, 
session, or client as appropriate)


Am I on track?


