<div dir="ltr">Thanks a lot for taking out time and replying back Tim. Will let you know if i have any further questions.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 24, 2015 at 1:22 PM, Tim Bell <span dir="ltr"><<a href="mailto:Tim.Bell@cern.ch" target="_blank">Tim.Bell@cern.ch</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-GB" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">You may also get some information from how we set up Kerberos at CERN at
<a href="http://openstack-in-production.blogspot.fr/2014/10/kerberos-and-single-sign-on-with.html" target="_blank">
http://openstack-in-production.blogspot.fr/2014/10/kerberos-and-single-sign-on-with.html</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">From my understanding, the only connection is between Keystone and KDC. There is a standard Keystone token issues based off the Kerberos
ticket and the rest is the same as if a password had been supplied.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Tim<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Sanket Lawangare [mailto:<a href="mailto:sanket.lawangare@gmail.com" target="_blank">sanket.lawangare@gmail.com</a>]
<br>
<b>Sent:</b> 24 February 2015 19:53<br>
<b>To:</b> <a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a><br>
<b>Subject:</b> [openstack-dev] Kerberos in OpenStack<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Hello Everyone,</span><u></u><u></u></p>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
</div>
<div><span class="">
<p style="margin:0cm;margin-bottom:.0001pt;text-align:justify"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">My name is Sanket Lawangare. I am a graduate Student studying at The University of Texas, at San Antonio.<b> For my Master’s
Thesis I am working on the Identity component of OpenStack. My research is to investigate external authentication with Identity(keystone) using Kerberos.</b></span><span style="font-size:9.5pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Based on reading Jammie lennox's Blogs on Kerberos implementation in OpenStack and my understanding of Kerberos I have come up with a figure
explaining possible interaction of KDC with the OpenStack client, keystone and the OpenStack services(Nova, Cinder, Swift...). </span><span style="font-size:9.5pt"><u></u><u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">These are the Blogs -
</span><span style="font-size:9.5pt"><u></u><u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/" target="_blank">http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/</a></span><span style="font-size:9.5pt"><u></u><u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:9.5pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/" target="_blank">http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/</a></span><span style="font-size:9.5pt"><u></u><u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">I am trying to understand the working of Kerberos in OpenStack.
</span><span style="font-size:9.5pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Please click this link to view the figure:
</span><span style="font-size:9.5pt"><a href="https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing" target="_blank"><span style="font-size:11.5pt;font-family:"Arial",sans-serif">https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing</span></a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">P.S. - [The steps in this figure are self explanatory the basic understanding of Kerberos is expected]</span><span style="font-size:9.5pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Based on the figure i had couple of questions:</span><span style="font-size:9.5pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
</span><p style="margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;vertical-align:baseline">
<u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span>1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Is Nova or other services registered with the KDC?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
<p style="margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;vertical-align:baseline">
<u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span>2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">What does keystone do with Kerberos ticket/credentials? Does Keystone authenticates the users and gives them direct access to other services such as Nova,
Swift etc..<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
<p style="margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;vertical-align:baseline">
<u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span>3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">After receiving the Ticket from the KDC does keystone embed some kerberos credential information in the token?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
<p style="margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;vertical-align:baseline">
<u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span>4.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">What information does the service (e.g.Nova) see in the Ticket and the token (Does the token have some kerberos info or some customized info inside it?).<u></u><u></u></span></p><span class="">
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">If you could share your insights and guide me on this. I would be really appreciate it. Thank you all for your time.</span><span style="font-size:9.5pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Regards,</span><span style="font-size:9.5pt"><u></u><u></u></span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Sanket Lawangare</span><span style="font-size:9.5pt"><u></u><u></u></span></p>
</span></div>
</div>
</div>
</div>
</div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>