<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">You may also get some information from how we set up Kerberos at CERN at
<a href="http://openstack-in-production.blogspot.fr/2014/10/kerberos-and-single-sign-on-with.html">
http://openstack-in-production.blogspot.fr/2014/10/kerberos-and-single-sign-on-with.html</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">From my understanding, the only connection is between Keystone and KDC. There is a standard Keystone token issued based off the Kerberos
ticket and the rest is the same as if a password had been supplied.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Sanket Lawangare [mailto:sanket.lawangare@gmail.com]
<br>
<b>Sent:</b> 24 February 2015 19:53<br>
<b>To:</b> openstack-dev@lists.openstack.org<br>
<b>Subject:</b> [openstack-dev] Kerberos in OpenStack<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Hello Everyone,</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
</div>
<div>
<p style="margin:0cm;margin-bottom:.0001pt;text-align:justify"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">My name is Sanket Lawangare. I am a graduate student studying at The University of Texas at San Antonio.<b> For my Master’s
Thesis I am working on the Identity component of OpenStack. My research is to investigate external authentication with Identity (Keystone) using Kerberos.</b></span><span style="font-size:9.5pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Based on reading Jamie Lennox's blogs on Kerberos implementation in OpenStack and my understanding of Kerberos, I have come up with a figure
explaining the possible interaction of the KDC with the OpenStack client, Keystone and the OpenStack services (Nova, Cinder, Swift...). </span><span style="font-size:9.5pt"><o:p></o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">These are the Blogs -
</span><span style="font-size:9.5pt"><o:p></o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/" target="_blank">http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/</a></span><span style="font-size:9.5pt"><o:p></o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:9.5pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/" target="_blank">http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/</a></span><span style="font-size:9.5pt"><o:p></o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">I am trying to understand the working of Kerberos in OpenStack.
</span><span style="font-size:9.5pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Please click this link to view the figure:
</span><span style="font-size:9.5pt"><a href="https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing" target="_blank"><span style="font-size:11.5pt;font-family:"Arial",sans-serif">https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">P.S. - [The steps in this figure are self-explanatory; a basic understanding of Kerberos is expected]</span><span style="font-size:9.5pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Based on the figure, I had a couple of questions:</span><span style="font-size:9.5pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1;vertical-align:baseline">
<![if !supportLists]><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Is Nova or other services registered with the KDC?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;text-indent:-18.0pt;mso-list:l1 level1 lfo3;vertical-align:baseline">
<![if !supportLists]><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">What does Keystone do with the Kerberos ticket/credentials? Does Keystone authenticate the users and give them direct access to other services such as Nova,
Swift etc.?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;text-indent:-18.0pt;mso-list:l2 level1 lfo5;vertical-align:baseline">
<![if !supportLists]><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">After receiving the ticket from the KDC, does Keystone embed some Kerberos credential information in the token?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;text-indent:-18.0pt;mso-list:l3 level1 lfo7;vertical-align:baseline">
<![if !supportLists]><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">What information does the service (e.g. Nova) see in the ticket and the token? (Does the token have some Kerberos info or some customized info inside it?)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">If you could share your insights and guide me on this, I would really appreciate it. Thank you all for your time.</span><span style="font-size:9.5pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Regards,</span><span style="font-size:9.5pt"><o:p></o:p></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Sanket Lawangare</span><span style="font-size:9.5pt"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</body>
</html>