<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
OK, so I'm cranking on all of the Kerberos stuff, plus the S4U2Proxy
work etc., except that I have never worked with Django directly
before. I want to get a sanity check on my approach:<br>
<br>
Instead of "authenticating" to Keystone, Horizon will use
mod_auth_krb5 and REMOTE_USER to authenticate the user. Then, in
order to get a Keystone token, the code in
openstack_dashboard/api/keystone.py:keystoneclient needs to fetch
a token for the user. <br>
<br>
This will be done using a Kerberized Keystone and S4U2Proxy setup.
There are alternatives using TGT delegation that I really want to
have nothing to do with.<br>
<br>
The keystoneclient call currently does:<br>
<br>
<br>
<pre><code class="python">conn = api_version['client'].Client(token=user.token.id,
                                    endpoint=endpoint,
                                    original_ip=remote_addr,
                                    insecure=insecure,
                                    cacert=cacert,
                                    auth_url=endpoint,
                                    debug=settings.DEBUG)
</code></pre>
<br>
when I am done it would do:<br>
<pre><code class="python">from keystoneclient import session
from keystoneclient.auth.identity import v3
from keystoneclient.contrib.auth.v3 import kerberos
from keystoneclient.v3 import client
...

if REMOTE_USER:
    # Apache (mod_auth_kerb) has already authenticated the user; the
    # Kerberos plugin gets the Keystone token with the S4U2Proxy-delegated
    # ticket, so no token is needed up front.
    auth = kerberos.Kerberos(OS_AUTH_URL)
else:
    # No Kerberos identity on the request: fall back to the existing token.
    auth = v3.Token(OS_AUTH_URL, token=user.token.id)

# Session's first positional argument is a requests session, so the
# plugin has to be passed as auth=...
sess = session.Session(auth=auth, verify=OS_CACERT)

conn = client.Client(session=sess,
                     region_name='RegionOne')
</code></pre>
<br>
(with the other parameters from the original call going into auth,
session, or client as appropriate)<br>
<br>
<br>
Am I on track?<br>
<br>
<br>
<br>
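Added example, not code from this post or from Horizon/keystoneclient: the branch above, written so it
runs without keystoneclient installed. The two plugin classes are passed in as callables, and the
realm allowlist, the function names (parse_kerberos_principal, choose_keystone_auth), the sample
principal and the Keystone URL are this example's own assumptions. The one thing it adds to the sketch
is that REMOTE_USER is only trusted when it is a well-formed principal in a realm the deployment
expects; anything else falls through to the token path.<br>
<br>
```python
from typing import Callable, Optional, Sequence, Tuple

# Hypothetical names for this example: nothing here is Horizon's own code.


def parse_kerberos_principal(remote_user: Optional[str],
                             allowed_realms: Sequence[str]) -> Optional[Tuple[str, str]]:
    """Return (name, realm) for a REMOTE_USER value set by mod_auth_kerb.

    With realm stripping off, mod_auth_kerb sets REMOTE_USER to the full
    principal, e.g. "ayoung@EXAMPLE.COM".  The request counts as
    Kerberos-authenticated only when the value parses as name@REALM and the
    realm is one this deployment trusts; otherwise None is returned and the
    caller falls back to the token path rather than trusting a stray header.
    """
    if not remote_user or "@" not in remote_user:
        return None
    name, _, realm = remote_user.rpartition("@")
    if not name or realm not in allowed_realms:
        return None
    return name, realm


def choose_keystone_auth(remote_user: Optional[str],
                         token_id: Optional[str],
                         auth_url: str,
                         allowed_realms: Sequence[str],
                         kerberos_plugin: Callable,
                         token_plugin: Callable):
    """Pick the auth plugin the keystoneclient Session will use.

    kerberos_plugin stands in for keystoneclient.contrib.auth.v3.kerberos.Kerberos
    and token_plugin for keystoneclient.auth.identity.v3.Token; both are injected
    so the selection logic can be exercised offline.  Returns (kind, plugin).
    """
    if parse_kerberos_principal(remote_user, allowed_realms) is not None:
        # Apache validated the ticket; the plugin will present the
        # S4U2Proxy-delegated ticket to Keystone to obtain a token.
        return "kerberos", kerberos_plugin(auth_url)
    if token_id:
        return "token", token_plugin(auth_url, token=token_id)
    raise ValueError("no usable credentials: neither REMOTE_USER nor a token")


if __name__ == "__main__":
    # Constructed sample values; the plugin stand-ins just record their arguments.
    url = "https://keystone.example.com:5000/v3"
    realms = ["EXAMPLE.COM"]
    krb = lambda u: ("Kerberos", u)
    tok = lambda u, token: ("Token", u, token)
    print(choose_keystone_auth("ayoung@EXAMPLE.COM", None, url, realms, krb, tok))
    print(choose_keystone_auth(None, "t-123", url, realms, krb, tok))
```

The fallback order matters: a REMOTE_USER value from an unexpected realm is ignored rather than
rejected outright, so a misconfigured vhost degrades to the ordinary token login instead of
locking users out.<br>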
</body>
</html>