<div dir="ltr">Thanks a lot for taking out time and replying back Tim. Will let you know if i have any further questions.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 24, 2015 at 1:22 PM, Tim Bell <span dir="ltr"><<a href="mailto:Tim.Bell@cern.ch" target="_blank">Tim.Bell@cern.ch</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div lang="EN-GB" link="blue" vlink="purple">

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">You may also get some information from how we set up Kerberos at CERN at

<a href="http://openstack-in-production.blogspot.fr/2014/10/kerberos-and-single-sign-on-with.html" target="_blank">

http://openstack-in-production.blogspot.fr/2014/10/kerberos-and-single-sign-on-with.html</a><u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">From my understanding, the only connection is between Keystone and KDC. There is a standard Keystone token issues based off the Kerberos

 ticket and the rest is the same as if a password had been supplied.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Tim<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>

<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">

<div>

<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">

<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Sanket Lawangare [mailto:<a href="mailto:sanket.lawangare@gmail.com" target="_blank">sanket.lawangare@gmail.com</a>]

<br>

<b>Sent:</b> 24 February 2015 19:53<br>

<b>To:</b> <a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a><br>

<b>Subject:</b> [openstack-dev] Kerberos in OpenStack<u></u><u></u></span></p>

</div>

</div>

<p class="MsoNormal"><u></u> <u></u></p>

<div>

<p class="MsoNormal"><span style="font-size:9.5pt">Hello  Everyone,</span><u></u><u></u></p>

<div>

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

</div>

<div><span class="">

<p style="margin:0cm;margin-bottom:.0001pt;text-align:justify"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">My name is Sanket Lawangare. I am a graduate Student studying at The University of Texas, at San Antonio.<b> For my Master’s

 Thesis I am working on the Identity component of OpenStack. My research is to investigate external authentication with Identity(keystone) using Kerberos.</b></span><span style="font-size:9.5pt"><u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Based on reading Jammie lennox's Blogs on Kerberos implementation in OpenStack and my understanding of Kerberos I have come up with a figure

 explaining possible interaction of KDC with the OpenStack client, keystone and the OpenStack services(Nova, Cinder, Swift...). </span><span style="font-size:9.5pt"><u></u><u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">These are the Blogs -

</span><span style="font-size:9.5pt"><u></u><u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/" target="_blank">http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/</a></span><span style="font-size:9.5pt"><u></u><u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:9.5pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/" target="_blank">http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/</a></span><span style="font-size:9.5pt"><u></u><u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">I am trying to understand the working of Kerberos in OpenStack.

</span><span style="font-size:9.5pt"><u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Please click this link to view the figure:

</span><span style="font-size:9.5pt"><a href="https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing" target="_blank"><span style="font-size:11.5pt;font-family:"Arial",sans-serif">https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing</span></a><u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">P.S. - [The steps in this figure are self explanatory the basic understanding of Kerberos is expected]</span><span style="font-size:9.5pt"><u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Based on the figure i had couple of questions:</span><span style="font-size:9.5pt"><u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

</span><p style="margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;vertical-align:baseline">

<u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span>1.<span style="font:7.0pt "Times New Roman"">    

</span></span></span><u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Is Nova or other services registered with the KDC?<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

<p style="margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;vertical-align:baseline">

<u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span>2.<span style="font:7.0pt "Times New Roman"">    

</span></span></span><u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">What does keystone do with Kerberos ticket/credentials? Does Keystone authenticates the users and gives them direct access to other services such as Nova,

 Swift etc..<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

<p style="margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;vertical-align:baseline">

<u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span>3.<span style="font:7.0pt "Times New Roman"">    

</span></span></span><u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">After receiving the Ticket from the KDC does keystone embed some kerberos credential information in the token?<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

<p style="margin-right:0cm;margin-bottom:0cm;margin-left:47.25pt;margin-bottom:.0001pt;vertical-align:baseline">

<u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"><span>4.<span style="font:7.0pt "Times New Roman"">    

</span></span></span><u></u><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">What information does the service (e.g.Nova) see in the Ticket and the token (Does the token have some kerberos info or some customized info inside it?).<u></u><u></u></span></p><span class="">

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">If you could share your insights and guide me on this. I would be really appreciate it. Thank you all for your time.</span><span style="font-size:9.5pt"><u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Regards,</span><span style="font-size:9.5pt"><u></u><u></u></span></p>

<p style="margin:0cm;margin-bottom:.0001pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black">Sanket Lawangare</span><span style="font-size:9.5pt"><u></u><u></u></span></p>

</span></div>

</div>

</div>

</div>

</div>

<br>__________________________________________________________________________<br>

OpenStack Development Mailing List (not for usage questions)<br>

Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

<br></blockquote></div><br></div>