<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Posting response to the mailing list, as I suspect others have these
questions.<br>
<br>
<blockquote
cite="mid:CAPyv74BBh7CyXpJviBBcKQjM2916Sc+M3LHOxnsun5fJNzBqPQ@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"> I understand that in
the current proposed implementation only keystone runs on
apache- httpd. </div>
<div style="font-size:12.8000001907349px"><b><br>
</b></div>
<div style="font-size:12.8000001907349px"><b>1. My question is
this: is it possible to move the Nova server onto the apache-httpd
server just like the way the keystone server is running? And if
not, then what are the technical challenges in moving it? </b><span
style="font-size:12.8000001907349px"> If these services had
the mod_auth_kerb module they would be able to validate the
token. <br>
</span></div>
</div>
</blockquote>
<br>
My Keystone work was based on a Web page where someone did
exactly this. I don't know what it would take to make it happen
today, but it should be possible.<br>
<br>
Much of Nova is dealing with Eventlet and the monkeypatching.
Ideally, this code would be implemented in one place and then a
single boolean at startup could say "monkeypatch" or "no"; this
is what Keystone does. <br>
<br>
Nova has more of a dependency on Eventlet than Keystone does, as
Nova has to deal with reading messages from the message queue. This
is done using a dedicated greenthread, and I don't know how this
would look in an HTTPD setup.<br>
<br>
<blockquote
cite="mid:CAPyv74BBh7CyXpJviBBcKQjM2916Sc+M3LHOxnsun5fJNzBqPQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"><b>2. Also, I was
curious to know if you tried to add the keystone middleware
to nova and the other services? In this way Keystone can
itself act as KDC.</b></div>
</div>
</blockquote>
<br>
Not sure what you mean here. Keystone already has middleware
running in Nova. Keystone Data is more like a Kerberos PAC than a
service ticket. Keystone tokens are not limited to endpoints, and
even if they were, we need to pass a token from one endpoint to
another for certain workflows.<br>
<br>
<blockquote
cite="mid:CAPyv74BBh7CyXpJviBBcKQjM2916Sc+M3LHOxnsun5fJNzBqPQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">Thanks,</div>
<div><span style="font-size:12.8000001907349px">Sanket</span> </div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 25, 2015 at 12:39 PM,
Sanket Lawangare <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:sanket.lawangare@gmail.com" target="_blank">sanket.lawangare@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Thank you for replying back Adam. I will let
you know if I have any further doubts on it (I am pretty sure
I will have many).<span><font color="#888888">
<div><br>
</div>
<div>Sanket</div>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Feb 24, 2015 at
1:26 PM, Adam Young <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ayoung@redhat.com"
target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span>
<div>On 02/24/2015 01:53 PM, Sanket
Lawangare wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><span
style="font-size:12.8000001907349px">Hello
Everyone,</span>
<div
style="font-size:12.8000001907349px"><br>
</div>
<div
style="font-size:12.8000001907349px">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;text-align:justify"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">My
name is Sanket Lawangare. I am a
graduate student studying at The
University of Texas at San
Antonio.</span><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">
For my Master’s Thesis I am
working on the Identity component
of OpenStack. My research is to
investigate external
authentication with
Identity(keystone) using Kerberos.</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Based
on reading Jamie Lennox's blogs
on the Kerberos implementation in
OpenStack and my understanding of
Kerberos, I have come up with a
figure explaining the possible
interaction of the KDC with the
OpenStack client, keystone and the
OpenStack services (Nova, Cinder,
Swift...). </span></p>
<p
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">These
are the Blogs - </span></p>
<p
style="margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;background-color:transparent"><font
color="#000000" face="Arial"><span
style="font-size:15px;line-height:20.7000007629395px;white-space:pre-wrap"><a
moz-do-not-send="true"
href="http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/"
target="_blank">http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/</a></span></font></span></p>
<p
style="margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;background-color:transparent"><font
color="#000000" face="Arial"><a
moz-do-not-send="true"
href="http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/"
target="_blank">http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/</a><br>
</font></span></p>
<p
style="margin-top:0pt;margin-bottom:0pt"><span
style="color:rgb(0,0,0);font-family:Arial;font-size:15px;white-space:pre-wrap;line-height:1.38;background-color:transparent">I
am trying to understand the
working of Kerberos in OpenStack.
</span><br>
</p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Please
click this link to view the
figure: </span><a
moz-do-not-send="true"
href="https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing"
style="text-decoration:none"
target="_blank"><span
style="font-size:15px;font-family:Arial;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing</span></a></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">P.S.
- [The steps in this figure are
self-explanatory; a basic
understanding of Kerberos is
expected]</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Based
on the figure I had a couple of
questions:</span></p>
<br>
<ol
style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr"
style="margin-left:15px;list-style-type:decimal;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Are
Nova or other services
registered with the KDC?</span></p>
</li>
</ol>
</div>
</div>
</blockquote>
</span> Not yet. Kerberos is only used for
Keystone at the moment, with work underway to
make Horizon work with Keystone. Since many
of the services only run in Eventlet, not in
HTTPD, Kerberos support is hard to support.
Ideally, yes, we would do Kerberos direct to
Nova, and either use the token binding
mechanism, or better yet, not even provide a
token...but that is more work.<span><br>
<br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div
style="font-size:12.8000001907349px"><br>
<ol start="2"
style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr"
style="margin-left:15px;list-style-type:decimal;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">What
does keystone do with the Kerberos
ticket/credentials? Does
Keystone authenticate the
users and give them direct
access to other services such
as Nova, Swift etc.?</span></p>
</li>
</ol>
<br>
</div>
</div>
</blockquote>
</span> They are used for authentication, and
then the Keystone server uses the principal to
resolve the username and user id. The rest of
the data comes out of LDAP.<span><br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div
style="font-size:12.8000001907349px">
<ol start="3"
style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr"
style="margin-left:15px;list-style-type:decimal;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">After
receiving the Ticket from the
KDC, does keystone embed some
Kerberos credential
information in the token?</span></p>
</li>
</ol>
</div>
</div>
</blockquote>
</span> No, it is mapped to the OpenStack
userid and username.<span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div
style="font-size:12.8000001907349px"><br>
<ol start="4"
style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr"
style="margin-left:15px;list-style-type:decimal;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">What
information does the service
(e.g. Nova) see in the Ticket
and the token (Does the token
have some Kerberos info or
some customized info inside
it?).</span></p>
</li>
</ol>
</div>
</div>
</blockquote>
<br>
</span> No Kerberos ticket goes to Nova.<span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div
style="font-size:12.8000001907349px"><br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">If
you could share your insights and
guide me on this, I would
really appreciate it. Thank you
all for your time.</span></p>
<br>
</div>
</div>
</blockquote>
<br>
</span> Let me know if you have more
questions. Really let me know if you want to
help coding.<br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div style="font-size:12.8000001907349px">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Regards,</span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Sanket
Lawangare</span></p>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a moz-do-not-send="true" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
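The mapping step the replies above describe (Apache's mod_auth_kerb authenticates the principal and hands it to Keystone as REMOTE_USER; Keystone resolves it to an OpenStack user id and username and takes the rest from LDAP, embedding nothing from the ticket in the token), as an added illustrative example that is not Keystone's own code. The directory contents, the trusted realm and the AUTH_TYPE check are assumptions of this example.

```python
"""Illustrative model of Keystone external auth behind mod_auth_kerb:
the Kerberos principal arrives as REMOTE_USER, is mapped to a local
OpenStack user id/username, and remaining attributes come from the
directory. Standalone example, not Keystone's own code."""

# Constructed stand-in for the LDAP-backed identity backend, keyed by username.
DIRECTORY = {
    "sanket": {"id": "u-0001", "email": "sanket@example.com"},
    "adam": {"id": "u-0002", "email": "adam@example.com"},
}
# Assumption: only principals from this realm may be mapped to local users.
TRUSTED_REALMS = {"EXAMPLE.COM"}


class ExternalAuthError(Exception):
    """Raised when the request cannot be mapped to a local OpenStack user."""


def parse_principal(principal):
    """Split a Kerberos principal 'user@REALM' into (user, realm)."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ExternalAuthError("malformed principal: %r" % principal)
    return user, realm


def resolve_external_user(environ):
    """Map the WSGI environ populated by mod_auth_kerb to an OpenStack identity.

    REMOTE_USER is only honoured when AUTH_TYPE shows the Kerberos
    (Negotiate) module set it (assumed check); a REMOTE_USER that did not
    come from the auth module is never trusted.
    """
    if environ.get("AUTH_TYPE", "").lower() != "negotiate":
        raise ExternalAuthError("request was not authenticated by Kerberos")
    principal = environ.get("REMOTE_USER", "")
    user, realm = parse_principal(principal)
    if realm not in TRUSTED_REALMS:
        raise ExternalAuthError("untrusted realm: %s" % realm)
    entry = DIRECTORY.get(user)
    if entry is None:
        raise ExternalAuthError("principal has no OpenStack user: %s" % user)
    # Only the resolved identity goes forward into the token; nothing from
    # the Kerberos ticket itself is embedded, as the thread states.
    return {"user_id": entry["id"], "username": user, "email": entry["email"]}
```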
</body>
</html>