Open Stack

On 02/24/2015 01:53 PM, Sanket Lawangare wrote:
> Hello  Everyone,
>
> My name is Sanket Lawangare. I am a graduate Student studying at The 
> University of Texas, at San Antonio.For my Master’s Thesis I am 
> working on the Identity component of OpenStack. My research is to 
> investigate external authentication with Identity(keystone) using 
> Kerberos.
>
>
> Based on reading Jammie lennox's Blogs on Kerberos implementation in 
> OpenStack and my understanding of Kerberos I have come up with a 
> figure explaining possible interaction of KDC with the OpenStack 
> client, keystone and the OpenStack services(Nova, Cinder, Swift...).
>
> These are the Blogs -
>
> http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
>
> http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/
>
> I am trying to understand the working of Kerberos in OpenStack.
>
>
> Please click this link to view the figure: 
> https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing
>
>
> P.S. - [The steps in this figure are self explanatory the basic 
> understanding of Kerberos is expected]
>
>
> Based on the figure i had couple of questions:
>
>
> 1.
>
>     Is Nova or other services registered with the KDC?
>
Not yet.  Kerberos is only used for Keystone at the moment, with work 
underway to make Horizon work with Keystone.  Since many of the services 
only run in Eventlet, not in HTTPD, Kerberos support is hard to 
support.  Ideally, yes, we would do Kerberos direct to Nova, and weither 
use the token binding mechanism, or better yet, not even provide a 
token...but that is more work.



>
> 2.
>
>     What does keystone do with Kerberos ticket/credentials? Does
>     Keystone authenticates the users and gives them direct access to
>     other services such as Nova, Swift etc..
>
>
THey are used for authentication, and then the Keystone server uses the 
principal to resolve the username and user id.  The rest of the data 
comes out of LDAP.


> 3.
>
>     After receiving the Ticket from the KDC does keystone embed some
>     kerberos credential information in the token?
>
No, it is mapped to the Openstack userid and username

>
> 4.
>
>     What information does the service (e.g.Nova) see in the Ticket and
>     the token (Does the token have some kerberos info or some
>     customized info inside it?).
>

No kerberos ticket goes to Nova.

>
> If you could share your insights and guide me on this. I would be 
> really appreciate it. Thank you all for your time.
>
>

Let me know if you have more questions.  Really let me know if you want 
to help coding.


> Regards,
>
> Sanket Lawangare
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150224/e5f3587e/attachment.html>