[openstack-dev] [TripleO] FreeIPA integration

Adam Young ayoung at redhat.com
Wed Apr 6 21:04:05 UTC 2016

On 04/06/2016 10:44 AM, Dan Prince wrote:
> On Tue, 2016-04-05 at 19:19 -0600, Rich Megginson wrote:
>> On 04/05/2016 07:06 PM, Dan Prince wrote:
>>> On Sat, 2016-04-02 at 17:28 -0400, Adam Young wrote:
>>>> I finally have enough understanding of what is going on with
>>>> Tripleo
>>>> to
>>>> reasonably discuss how to implement solutions for some of the
>>>> main
>>>> security needs of a deployment.
>>>> FreeIPA is an identity management solution that can provide
>>>> support
>>>> for:
>>>> 1. TLS on all network communications:
>>>>       A. HTTPS for web services
>>>>       B. TLS for the message bus
>>>>       C. TLS for communication with the Database.
>>>> 2. Identity for all Actors in the system:
>>>>      A.  API services
>>>>      B.  Message producers and consumers
>>>>      C.  Database consumers
>>>>      D.  Keystone service users
>>>> 3. Secure  DNS DNSSEC
>>>> 4. Federation Support
>>>> 5. SSH Access control to Hosts for both undercloud and overcloud
>>>> 6. SUDO management
>>>> 7. Single Sign On for Applications running in the overcloud.
>>>> The main pieces of FreeIPA are
>>>> 1. LDAP (the 389 Directory Server)
>>>> 2. Kerberos
>>>> 3. DNS (BIND)
>>>> 4. Certificate Authority (CA) server (Dogtag)
>>>> 5. WebUI/Web Service Management Interface (HTTPD)
>>>> Of these, the CA is the most critical.  Without a centralized CA,
>>>> we
>>>> have no reasonable way to do certificate management.
>>> Would using Barbican to provide an API to manage the certificates
>>> make
>>> more sense for our deployment tooling? This could be useful for
>>> both
>>> undercloud and overcloud cases.
>>> As for the rest of this, how invasive is the implementation of
>>> FreeIPA.? Is this something that we can layer on top of an existing
>>> deployment such that users wishing to use FreeIPA can opt-in.
>>>> Now, I know a lot of people have an allergic reaction to some,
>>>> maybe
>>>> all, of these technologies. They should not be required to be
>>>> running
>>>> in
>>>> a development or testbed setup.  But we need to make it possible
>>>> to
>>>> secure an end deployment, and FreeIPA was designed explicitly for
>>>> these
>>>> kinds of distributed applications.  Here is what I would like to
>>>> implement.
>>>> Assuming that the Undercloud is installed on a physical machine,
>>>> we
>>>> want
>>>> to treat the FreeIPA server as a managed service of the
>>>> undercloud
>>>> that
>>>> is then consumed by the rest of the overcloud. Right now, there
>>>> are
>>>> conflicts for some ports (8080 used by both swift and Dogtag)
>>>> that
>>>> prevent a drop-in run of the server on the undercloud
>>>> controller.  Even
>>>> if we could deconflict, there is a possible battle between
>>>> Keystone
>>>> and
>>>> the FreeIPA server on the undercloud.  So, while I would like to
>>>> see
>>>> the
>>>> ability to run the FreeIPA server on the Undercloud machine
>>>> eventuall, I
>>>> think a more realistic deployment is to build a separate virtual
>>>> machine, parallel to the overcloud controller, and install
>>>> FreeIPA
>>>> there. I've been able to modify Tripleo Quickstart to provision
>>>> this
>>>> VM.
>>>> I was also able to run FreeIPA in a container on the undercloud
>>>> machine,
>>>> but this is, I think, not how we want to migrate to a container
>>>> based
>>>> strategy. It should be more deliberate.
>>>> While the ideal setup would be to install the IPA layer first,
>>>> and
>>>> create service users in there, this produces a different install
>>>> path
>>>> between with-FreeIPA and without-FreeIPA. Thus, I suspect the
>>>> right
>>>> approach is to run the overcloud deploy, then "harden" the
>>>> deployment
>>>> with the FreeIPA steps.
>>>> The IdM team did just this last summer in preparing for the Tokyo
>>>> summit, using Ansible and Packstack.  The Rippowam project
>>>> https://github.com/admiyo/rippowam was able to fully lock down a
>>>> Packstack based install.  I'd like to reuse as much of Rippowam
>>>> as
>>>> possible, but called from Heat Templates as part of an overcloud
>>>> deploy.  I do not really want to re implement Rippowam in Puppet.
>>> As we are using Puppet for our configuration I think this is
>>> currently
>>> a requirement. There are many good puppet examples out there of
>>> various
>>> servers and a quick google search showed some IPA modules are
>>> available
>>> as well.
>>> I think most TripleO users are quite happy in using puppet modules
>>> for
>>> configuration in that the puppet openstack modules are quite mature
>>> and
>>> well tested. Making a one-off exception for FreeIPA at this point
>>> doesn't make sense to me.
>> What about calling an ansible playbook from a puppet module?
> Given our current toolset in TripleO having the ability to manage all
> service configurations with a common language overrides any short cuts
> that calling Ansible from Puppet would give you I think.
> The best plan I think for IPA integration into the Over and underclouds
> would be a puppet-freeipa module.
Puppet is fine. I have some feedback from the IPA side that the 
https://github.com/purpleidea/puppet-ipa/  works ok.  Work on it seems 
to have tapered off last June, but we could revive.

>>>> So, big question: is Heat->ansible (instead of Puppet) for an
>>>> overcloud
>>>> deployment an acceptable path?  We are talking Ansible 1.0
>>>> Playbooks,
>>>> which should be relatively straightforward ports to 2.0 when the
>>>> time
>>>> comes.
>>>> Thus, the sequence would be:
>>>> 1. Run existing overcloud deploy steps.
>>>> 2. Install IPA server on the allocated VM
>>>> 3. Register the compute nodes and the controller as IPA clients
>>>> 4. Convert service users over to LDAP backed services, complete
>>>> with
>>>> necessary kerberos steps to do password-less authentication.
>>>> 5. Register all web services with IPA and allocate X509
>>>> certificates
>>>> for
>>>> HTTPS.
>>>> 6. Set up Host based access control (HBAC) rules for SSH access
>>>> to
>>>> overcloud machines.
>>>> When we did the Rippowam demo, we used the Proton driver and
>>>> Kerberos
>>>> for securing the message broker.  Since Rabbit seems to be the
>>>> tool
>>>> of
>>>> choice,  we would use X509 authentication and TLS for
>>>> encryption.  ACLs,
>>>> for now, would stay in the flat file format.  In the future, we
>>>> might
>>>> chose to use the LDAP backed ACLs for Rabbit, as they seem far
>>>> more
>>>> flexible.  Rabbit does not currently support Kerberos for either
>>>> authentication or encryption, but we can engage the upstream team
>>>> to
>>>> implement it if desired in the future, or we can shift to a
>>>> Proton
>>>> based
>>>> deployment if Kerberos is essential for a deployment.
>>>> There are a couple ongoing efforts that will tie in with this:
>>>> 1. Designate should be able to use the DNS from FreeIPA.  That
>>>> was
>>>> the
>>>> original implementation.
>>>> 2.  Juan Antonio Osorio  has been working on TLS everywhere.  The
>>>> issue
>>>> thus far has been Certificate management.  This provides a Dogtag
>>>> server
>>>> for Certs.
>>>> 3. Rob Crittenden has been working on auto-registration of
>>>> virtual
>>>> machines with an Identity Provider upon launch.  This gives that
>>>> efforts
>>>> an IdM to use.
>>>> 4. Keystone can make use of the Identity store for administrative
>>>> users
>>>> in their own domain.
>>>> 5. Many of the compliance audits have complained about cleartext
>>>> passwords in config files. This removes most of them.  MySQL
>>>> supports
>>>> X509 based authentication today, and there is Kerberos support in
>>>> the
>>>> works, which should remove the last remaining cleartext
>>>> Passwords.
>>>> I mentioned Centralized SUDO and HBAC.  These are both tools that
>>>> may
>>>> be
>>>> used by administrators if so desired on the install. I would
>>>> recommend
>>>> that they be used, but there is no requirement to do so.
>>>> _________________________________________________________________
>>>> ____
>>>> _____
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:un
>>>> subs
>>>> cribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>> ___________________________________________________________________
>>> _______
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsu
>>> bscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> _____________________________________________________________________
>> _____
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubs
>> cribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list