[openstack-dev] [openstack-ansible][keystone] Federation beyond Shibboleth

Adam Young ayoung at redhat.com
Wed Aug 12 17:48:44 UTC 2015


On 08/11/2015 06:21 AM, Jesse Pretorius wrote:
> Hi everyone,
>
> Yesterday we released implementing Keystone as a Federated Service 
> Provider as part of the openstack-ansible deployment tooling [1].
>
> This is a starting implementation which was purposefully scoped to 
> only use Shibboleth and only support SAML2. The scope was limited due 
> to the complexity of getting it working in the first place, but also 
> as this was seen to be the use-case which would give the most value.
>
> The implementation, however, was done in a manner which we believe is 
> reasonably extendable to accommodate other protocols including OpenID, 
> Kerberos, etc. It should also be reasonably easy to develop the Mellon 
> SAML implementation instead of the Shibboleth module, although I think that 
> would probably be slightly more complex. Our spec [2] has already 
> covered these extensions, so all we'd need to do is define blueprints 
> to cover them and target them at specific milestones.
>
> We'd like to ask whether others would be interested in diving in to 
> implement the additional protocols, to implement the alternative 
> mod_auth_mellon and also to apply other improvements as we roll on 
> towards the target of releasing liberty.
The simplest one is Kerberos + SSSD;

Kerberos provides Authentication.
mod_lookup_identity uses SSSD to get Groups.  It turns LDAP into 
another Federated identity, much simpler than the LDAP code in Keystone 
(I am responsible for that mess).

We are working on automating this via Ansible on top of a RHEL/CentOS 7 
install to demo in Tokyo.

I am not certain if all the pieces are in place yet for Debian based 
install.  Specifically, it needs an updated sssd-dbus package.

We also have mod_mellon and Ipsilon working, as Jamie demo'ed at Pycon AU.
>
> We're happy to work along side anyone who's not familiar with 
> openstack-ansible, or even ansible, to setup a test environment (this 
> can be done in about an hour) and to prepare a patch for review.
>
> If you have any questions or comments, please feel free to contact me 
> via email or on IRC.
>
> Best regards,
>
> Jesse
> IRC: odyssey4me
>
> [1] 
> http://lists.openstack.org/pipermail/openstack-dev/2015-August/071748.html
> [2] 
> https://github.com/stackforge/os-ansible-deployment-specs/blob/master/specs/kilo/keystone-federation.rst
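Adam's reply above describes the Kerberos + SSSD path: Kerberos (via the Apache auth module) supplies REMOTE_USER, and mod_lookup_identity asks SSSD for the user's groups and exports them as REMOTE_USER_GROUPS, which keystone's federation mapping then turns into a local user and group list. The following is an added example, not code from this thread, from openstack-ansible or from keystone itself: a deliberately small re-implementation of the keystone mapping step, run over a constructed Apache environ. The assumed pieces are that KrbLocalUserMapping On has already stripped the realm from REMOTE_USER, that mod_lookup_identity joins groups with ";" (the separator keystone splits on), and that the mapping rules and environ contents are made up for illustration. Unlike keystone's engine, this version fails closed (returns None) when a required attribute such as REMOTE_USER_GROUPS is missing, which is what happens when sssd-dbus or mod_lookup_identity is not actually in place.

```python
"""Simplified keystone-style mapping of a Kerberos + SSSD assertion.

Constructed example; NOT keystone's mapping engine and not part of the
openstack-ansible role. Assumptions (made up for this example):
  * the Kerberos module authenticated the request and, with
    KrbLocalUserMapping On, set REMOTE_USER to the bare principal name;
  * mod_lookup_identity queried SSSD (D-Bus, hence sssd-dbus) and set
    REMOTE_USER_GROUPS joined with ";" (LookupUserGroups REMOTE_USER_GROUPS ";");
  * the rules below follow the keystone mapping JSON layout.
"""
import json
import re

# Keystone-style rules. {0}, {1}, ... index, in order, the remote entries that
# are direct maps; entries with any_one_of / not_any_of are conditions only.
MAPPING_RULES = json.loads("""
[
  {
    "local": [
      {"user": {"name": "{0}"}},
      {"groups": "{1}", "domain": {"name": "Default"}}
    ],
    "remote": [
      {"type": "REMOTE_USER", "not_any_of": ["^root$", "^admin$"], "regex": true},
      {"type": "REMOTE_USER"},
      {"type": "REMOTE_USER_GROUPS", "blacklist": ["wheel"]}
    ]
  }
]
""")

ASSERTION_PREFIX = "REMOTE_USER"   # only these Apache variables feed the mapping


def assertion_from_environ(environ):
    """Collect the REMOTE_USER* variables and split multi-valued ones on ';',
    the convention keystone uses for group lists."""
    return {k: [p for p in v.split(";") if p] for k, v in environ.items()
            if k.startswith(ASSERTION_PREFIX) and isinstance(v, str)}


def _matches(values, patterns, regex):
    """True if any value satisfies any pattern (exact match or re.search)."""
    return any((re.search(p, v) if regex else v == p)
               for v in values for p in patterns)


def _evaluate_remote(remote, assertion):
    """Return the direct-map values for a rule, or None if it does not apply."""
    direct_map = []
    for req in remote:
        values = assertion.get(req["type"], [])
        regex = req.get("regex", False)
        if "any_one_of" in req:
            if not _matches(values, req["any_one_of"], regex):
                return None
            continue
        if "not_any_of" in req:
            if _matches(values, req["not_any_of"], regex):
                return None
            continue
        if "blacklist" in req:
            values = [v for v in values if not _matches([v], req["blacklist"], regex)]
        if "whitelist" in req:
            values = [v for v in values if _matches([v], req["whitelist"], regex)]
        if not values:
            return None   # attribute absent or filtered away: fail closed
        direct_map.append(values)
    return direct_map


_PLACEHOLDER = re.compile(r"^\{(\d+)\}$")


def _substitute(template, direct_map):
    """Fill {n} placeholders; a lone {n} may expand to a list (groups)."""
    if isinstance(template, dict):
        return {k: _substitute(v, direct_map) for k, v in template.items()}
    if isinstance(template, str):
        m = _PLACEHOLDER.match(template)
        if m:
            values = direct_map[int(m.group(1))]
            return values[0] if len(values) == 1 else list(values)
        return template.format(*[v[0] for v in direct_map])
    return template


def map_assertion(assertion, rules=MAPPING_RULES):
    """Apply the first rule whose remote conditions hold. Returns the local
    user and groups, or None (keystone would answer 401 in that case)."""
    for rule in rules:
        direct_map = _evaluate_remote(rule["remote"], assertion)
        if direct_map is None:
            continue
        result = {"user": None, "groups": [], "group_domain": None}
        for local in rule["local"]:
            local = _substitute(local, direct_map)
            if "user" in local:
                result["user"] = local["user"]["name"]
            if "groups" in local:
                g = local["groups"]
                result["groups"].extend(g if isinstance(g, list) else [g])
                result["group_domain"] = local["domain"]["name"]
        return result
    return None


# Constructed environs, as the Kerberos module and mod_lookup_identity would leave them.
HAPPY_ENV = {"REMOTE_USER": "alice", "REMOTE_USER_GROUPS": "admins;developers;wheel",
             "REMOTE_USER_EMAIL": "alice@example.com", "REQUEST_URI": "/v3/auth/tokens"}
NO_SSSD_ENV = {"REMOTE_USER": "bob"}          # mod_lookup_identity not loaded
ROOT_ENV = {"REMOTE_USER": "root", "REMOTE_USER_GROUPS": "admins"}


def demo():
    return {name: map_assertion(assertion_from_environ(env))
            for name, env in (("alice", HAPPY_ENV), ("bob", NO_SSSD_ENV), ("root", ROOT_ENV))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The three constructed cases show what a practitioner wants to see before trusting the chain: a normal user lands with the SSSD groups minus the blacklisted one, a request with no REMOTE_USER_GROUPS (groups lookup not working) yields no identity rather than a group-less login, and a local-account principal filtered by not_any_of is rejected outright.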
