More or less. I think it only really ties into the API in so far as a tighter integration between keystone and instance authentication can allow for a cleaner user experience. <br><br>Added benefit<br><br> Unlike injected keys, a keystone tie into authentication would be able to disable instance authentication in the event a user in a shared project was removed.<br>
<br>-Matt<br><br><div class="gmail_quote">On Sat, Jul 14, 2012 at 12:53 PM, Joseph Heck <span dir="ltr"><<a href="mailto:heckj@mac.com" target="_blank">heckj@mac.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">Thanks Matt - interesting detail, and a bit beyond what I was originally asking :-) I<div><br></div><div>'m not sure I understand the benefit you're getting with the cross-realm setup and how you'd want to deploy it. I think the description detail below is primarily concerned with pure authentication - more into the instances that you might spin up than just accessing OpenStack APIs, and not asserting anything about mapping groups in AD to either roles or projects. Am I reading that correctly?<div>
<br></div><div>- joe</div><div><div class="h5"><div><div><br><div><div>On Jul 14, 2012, at 12:12 PM, Matt Joyce wrote:</div><blockquote type="cite">One thing I'd love to see eventually with Active Directory would be kerberos ticket passing and mapping to authentication tokens in keystone.<br>
<br>We discussed an early integration effort with keystone at one customer site and we got to the point where we decided the best means of handling it ( at the time ) was to simply setup a Kerb 5 KDC with a cross realm trust to the AD environment then perform a binary check against the kdc for pass / user and pull the rest of the posix data from local keystone ldap.<br>
<br>What I would like to see eventually is a means of authenticating to AD via keystone and getting the kerb 5 ticket passed to user instances so that users can perform passwordless gssapi ticket auth. Also query the keystone API once authenticated for a keystone auth token and all of the associated env data for the user to use client apis. <br>
<br>Along these same lines... I really want to see the keystone ec2 url path placed into the metadata api so that instances can query the path to the Keystone API. I think I am just going to go ahead and submit a patch for that. It really should be there. I know some folks disagree with that, but I think the benefits outweigh the academic arguments vastly.<br>
<br>-Matt<br><br><div class="gmail_quote">On Sat, Jul 14, 2012 at 11:55 AM, Joseph Heck <span dir="ltr"><<a href="mailto:heckj@mac.com" target="_blank">heckj@mac.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Good morning,<br>
<br>
I wanted to solicit some detail from y'all as operators. I'm starting in on development for a Keystone backend that does basic Authentication against an existing active directory.<br>
<br>
Looking forward past basic authentication, there's several potentials in how to implement this, and I'm curious among several possibilities what you all would find most useful. I'd love feedback on which of these you'd find most useful, and of course if there's a variation on the theme that would "rock your world", please tell me about it.<br>
<br>
1) no explicit mapping to active directory groups, projects and roles managed externally to active directory, with a users in active directory getting assigned to those projects and roles, but using the credentials (userid/password) from active directory.<br>
<br>
2) using active directory groups to assign roles to users, regardless of tenant. This would be storing "projects" and links of users to projects external to active directory, but using active directory groups to define what "roles" a user should have within their project(s).<br>
<br>
3) using active directory groups to represent projects, with membership in the group simply implying a "membership" style role with broad capabilities in the project.<br>
<br>
The quandary I'm facing is that I'm not sure how y'all are using groups and what they represent to you, and what that *could* mean to an OpenStack deployment in your organization. Any and all feedback welcome - either back to this list, or directly to me: Joe Heck (<a href="mailto:heckj@mac.com" target="_blank">heckj@mac.com</a>)<br>
<br>
-joe<br>
Keystone PTL<br>
<br>
<br>
_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org" target="_blank">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
</blockquote></div><br>
</blockquote></div><br></div></div></div></div></div></div></blockquote></div><br>