[openstack-dev] Kerberization (and PKI-rization) of Horizon
ayoung at redhat.com
Mon Apr 20 14:20:52 UTC 2015
On 04/19/2015 06:05 PM, Diogenes S. Jesus wrote:
> Hi man.
> I've seen your thread
> on OpenStack mailing list regarding using Kerberos on Horizon.
> I've been pulling my hair around this topic, however I'm trying to
> authenticate using X.509.
> I've googled around and found only topics related to keystone external
> auth - but that doesn't really solve the problem, because horizon is
> the one handling the request.
> If you've reached good level on this topic or can point out to some
> third-party solution I would be glad.
Thanks for asking this. It is a question that has come up a few times,
and should be addressed.
I think the right approach is to use Federation, in the same way that I
The short of it is that you would use the Mapped plugin for the 'X509'
protocol instead of Kerberos (maybe `clientcert` is a better name?) and
Have a section in your httpd section for Keystone that has (among other
|||<location ~ ||"x509"| |>|
You would then provide values in the mapping that use the SSL Variables,
such as SSL_CLIENT_S_DN instead of REMOTE_USER
For the user database, we have support coming in Kilo for mapping to an
existing user, so you should be able to work with some version of the
LDAP backend for that, but I would suggest you look at the SSSD approach
for LDAP integration instead, as it will be usable both for Keystone and
for the VMs running managed by Nova (both Undercloud AND cloud
I haven't prototyped Client Cert authentication yet, unfortunately. I
would love to know if it does work, and would be willing to help work
through the gotcha's.
> Diogenes S. de Jesus
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev