<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.kn
{mso-style-name:kn;}
span.nn
{mso-style-name:nn;}
span.n
{mso-style-name:n;}
span.line
{mso-style-name:line;}
span.o
{mso-style-name:o;}
span.p
{mso-style-name:p;}
span.s
{mso-style-name:s;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:319117928;
mso-list-type:hybrid;
mso-list-template-ids:1727422212 -460324350 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:27.0pt;
text-indent:-.25in;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:63.0pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:99.0pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:135.0pt;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:171.0pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:207.0pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:243.0pt;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:279.0pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:315.0pt;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’ve implemented Kerberos (via Apache) + Django once before, and yes, taking this as pseudo-code you’re on the right track. Obviously the devil is in the details
and you’ll work out the particulars as you go.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The most important bit (obviously) is just making absolutely sure your REMOTE_USER header/environment variable is trusted, but that’s outside the Django layer.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Assuming that you can work out “with the other parameters from the original call going into auth, session, or client as appropriate” as you said then you should
be fine.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">All the best,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="margin-left:27.0pt;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Gabriel<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext"> Adam Young [mailto:ayoung@redhat.com]
<br>
<b>Sent:</b> Wednesday, June 04, 2014 11:53 AM<br>
<b>To:</b> OpenStack Development Mailing List<br>
<b>Subject:</b> [openstack-dev] Kerberization of Horizon (kerbhorizon?)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OK, so I'm cranking on All of the Kerberso stuff: plus S4U2Proxy work etc....except that I have never worked with DJango directly before. I want to get a sanity check on my approach:<br>
<br>
Instead of "authenticating" to Keystone, Horizon will use mod_auth_krb5 and REMOTE_USER to authenticate the user. Then, in order to get a Keystone token, the code in openstack_dashboard/api/keystone.py:keystoneclient needs to fetch a token for the user.
<br>
<br>
This will be done using a Kerberized Keystone and S4U2Proxy setup. There are alternatives using TGT delegation that I really want to have nothing to do with.<br>
<br>
The keystoneclient call currently does:<br>
<br>
<br>
conn = api_version['client'].Client(token=user.token.id,<br>
endpoint=endpoint,<br>
original_ip=remote_addr,<br>
insecure=insecure,<br>
cacert=cacert,<br>
auth_url=endpoint,<br>
debug=settings.DEBUG)<br>
<br>
when I am done it would do:<o:p></o:p></p>
<div id="LC16">
<p class="MsoNormal"><span class="kn">from</span> <span class="nn">keystoneclient.contrib.auth.v3</span>
<span class="kn">import</span> <span class="n">kerberos</span><o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">...<br>
<br>
if REMOTE_USER:<span class="n"><span style="font-size:10.0pt;font-family:"Courier New"">
</span></span><br>
<span class="n"><span style="font-size:10.0pt;font-family:"Courier New""> </span>
</span><span class="n">auth</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">Kerberos</span><span class="p">(</span><span class="n">OS_AUTH_URL</span><span class="p">)</span><br>
<span class="line"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">else:</span></span><br>
<span class="n"> auth</span> <span class="o">=</span> v3.auth.Token<span class="p">(</span>token=user.token.id<span class="p">)</span><br>
<br>
<span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">sess</span></span><span class="o"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">=</span></span><span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">session</span></span><span class="o"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">.</span></span><span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Session</span></span><span class="p"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">(</span></span><span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">kerb_auth</span></span><span class="p"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">,</span></span><span class="line"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">
</span></span><span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">verify</span></span><span class="o"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">=</span></span><span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">OS_CACERT</span></span><span class="line"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">)</span></span><br>
<span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">conn</span></span><span class="line"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">
</span></span><span class="o"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">=</span></span><span class="line"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">
</span></span><span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">client</span></span><span class="o"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">.</span></span><span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Client</span></span><span class="p"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">(</span></span><span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">session</span></span><span class="o"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">=</span></span><span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">sess</span></span><span class="p"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">,</span></span><span class="line"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">
</span></span><span class="n"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">region_name</span></span><span class="o"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">=</span></span><span class="s"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">'RegionOne'</span></span><span class="p"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">)</span></span><span class="line"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">
</span></span><br>
<br>
<br>
<br>
(with the other parameters from the original call going into auth, session. or client as appropriate)<br>
<br>
<br>
Am I on track?<br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
</body>
</html>