<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/24/2015 01:53 PM, Sanket
Lawangare wrote:<br>
</div>
<blockquote
cite="mid:CAPyv74By+i9KtA0miX1qjTKGBf6sjL5nxkF8SFtKhK0wRNZuxw@mail.gmail.com"
type="cite">
<div dir="ltr"><span style="font-size:12.8000001907349px">Hello
Everyone,</span>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;text-align:justify"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">My
name is Sanket Lawangare. I am a graduate student studying
at The University of Texas, at San Antonio.</span><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">
For my Master’s Thesis I am working on the Identity
component of OpenStack. My research is to investigate
external authentication with Identity (Keystone) using
Kerberos.</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Based
on reading Jamie Lennox's blogs on Kerberos
implementation in OpenStack and my understanding of
Kerberos I have come up with a figure explaining possible
interaction of KDC with the OpenStack client, Keystone and
the OpenStack services (Nova, Cinder, Swift...). </span></p>
<p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">These
are the Blogs - </span></p>
<p style="margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;background-color:transparent"><font
color="#000000" face="Arial"><span
style="font-size:15px;line-height:20.7000007629395px;white-space:pre-wrap"><a
moz-do-not-send="true"
href="http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/"
target="_blank">http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/</a></span></font></span></p>
<p style="margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;background-color:transparent"><font
color="#000000" face="Arial"><a moz-do-not-send="true"
href="http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/"
target="_blank">http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/</a><br>
</font></span></p>
<p style="margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-family:Arial;font-size:15px;white-space:pre-wrap;line-height:1.38;background-color:transparent">I
am trying to understand the working of Kerberos in
OpenStack. </span><br>
</p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Please
click this link to view the figure: </span><a
moz-do-not-send="true"
href="https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing"
target="_blank" style="text-decoration:none"><span
style="font-size:15px;font-family:Arial;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing</span></a></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">P.S.
- [The steps in this figure are self-explanatory; a basic
understanding of Kerberos is expected]</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Based
on the figure I had a couple of questions:</span></p>
<br>
<ol style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr"
style="margin-left:15px;list-style-type:decimal;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Is
Nova or other services registered with the KDC?</span></p>
</li>
</ol>
</div>
</div>
</blockquote>
Not yet. Kerberos is only used for Keystone at the moment, with
work underway to make Horizon work with Keystone. Since many of the
services only run in Eventlet, not in HTTPD, Kerberos support is
hard to support. Ideally, yes, we would do Kerberos direct to Nova,
and either use the token binding mechanism, or better yet, not even
provide a token...but that is more work.<br>
<br>
<br>
<br>
<blockquote
cite="mid:CAPyv74By+i9KtA0miX1qjTKGBf6sjL5nxkF8SFtKhK0wRNZuxw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="font-size:12.8000001907349px"><br>
<ol start="2" style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr"
style="margin-left:15px;list-style-type:decimal;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">What
does keystone do with Kerberos ticket/credentials?
Does Keystone authenticate the users and give them
direct access to other services such as Nova, Swift,
etc.?</span></p>
</li>
</ol>
<br>
</div>
</div>
</blockquote>
They are used for authentication, and then the Keystone server uses
the principal to resolve the username and user id. The rest of the
data comes out of LDAP.<br>
<br>
<br>
<blockquote
cite="mid:CAPyv74By+i9KtA0miX1qjTKGBf6sjL5nxkF8SFtKhK0wRNZuxw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="font-size:12.8000001907349px">
<ol start="3" style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr"
style="margin-left:15px;list-style-type:decimal;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">After
receiving the Ticket from the KDC does keystone embed
some Kerberos credential information in the token?</span></p>
</li>
</ol>
</div>
</div>
</blockquote>
No, it is mapped to the OpenStack userid and username.<br>
<br>
<blockquote
cite="mid:CAPyv74By+i9KtA0miX1qjTKGBf6sjL5nxkF8SFtKhK0wRNZuxw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="font-size:12.8000001907349px"><br>
<ol start="4" style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr"
style="margin-left:15px;list-style-type:decimal;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">What
information does the service (e.g. Nova) see in the
Ticket and the token (Does the token have some
Kerberos info or some customized info inside it?).</span></p>
</li>
</ol>
</div>
</div>
</blockquote>
<br>
No Kerberos ticket goes to Nova.<br>
<br>
<blockquote
cite="mid:CAPyv74By+i9KtA0miX1qjTKGBf6sjL5nxkF8SFtKhK0wRNZuxw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="font-size:12.8000001907349px"><br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">If
you could share your insights and guide me on this, I
would really appreciate it. Thank you all for your
time.</span></p>
<br>
</div>
</div>
</blockquote>
<br>
Let me know if you have more questions. Really let me know if you
want to help coding.<br>
<br>
<br>
<blockquote
cite="mid:CAPyv74By+i9KtA0miX1qjTKGBf6sjL5nxkF8SFtKhK0wRNZuxw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="font-size:12.8000001907349px">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Regards,</span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Sanket
Lawangare</span></p>
</div>
</div>
<br>
</blockquote>
<br>
</body>
</html>