[Openstack] AuthN/AuthZ
Adam Young
ayoung at redhat.com
Wed May 15 19:57:32 UTC 2013
Run Keystone in Apache HTPD, use Kerberos and the LDAP backend to talk
to AD.
On 05/14/2013 06:11 PM, Aaron Knister wrote:
> *bump*
>
> Here's the tl;dr version:
>
> - How have other folks handled integration of OpenStack with existing
> authN/authZ infrastructures? I'm particularly interested in the
> automatic mapping of existing LDAP groups to roles/tenants within
> openstack.
> - Are there plans to add support for the auth plugins to the *client
> modules and CLI tools going forward? I'd be interested in contributing
> this if it's on the roadmap and hasn't been done yet.
> - Are there plans to add support for auth plugins/external au th to
> Horizon? As above, I'm interested in implementing this if there's
> interest.
> - I see vague references in the documentation/*client code to using
> certificates for authentication (without the need for httpd external
> authentication) which would also eliminate the
> credentials-in-environment-
> variables issue. Is using PKI for authentication going to be
> supported? If so what's the status?
>
> Am I perhaps posting this to the wrong list? I didn't get any replies
> from my original post.
>
> Thanks!
>
> -Aaron
>
>
>
> On Tue, May 7, 2013 at 1:52 PM, Aaron Knister <aaron.knister at gmail.com
> <mailto:aaron.knister at gmail.com>> wrote:
>
> Hi Everyone,
>
> I'm looking for feedback and input about what other sites are
> doing for authentication and authorization with OpenStack.
>
> First, some background:
>
> I'm currently evaluating OpenStack (Grizzly), specifically working
> on integration with Active Directory. I'm unable to modify the
> schema to allow groupOfNames as a SUP of organizationalRole so
> I've implemented a workaround using openldap and several of its
> overlays backends to sit in front of AD. That all works just fine,
> however I really would like to be able to map AD groups to
> roles/tenants. I suspect I'll end up writing some code to do
> this-- shouldn't be too hard.
>
> Also on the subject of Active Directory, it's a show stopper for
> me to put un-encrypted AD credentials in environment variables to
> then pass to the various openstack CLI progs. My ideal workaround
> would be to use Kerberos authentication which I actually have
> working. I setup keystone to run under apache based on this
> documentation with some tweaks here and there:
>
> http://docs.openstack.org/developer/keystone/external-auth.html
>
> I created an openstack client auth plugin (based on the VOMS auth
> plugin) using requests_kerberos and this works well with the nova
> client, however none of the other client tools, including horizon,
> seem to support authentication plugins or the external
> authentication concept in general.
>
> So, here are my questions:
>
> - How have other folks handled integration of OpenStack with
> existing authN/authZ infrastructures? I'm particularly interested
> in the automatic mapping of existing LDAP groups to roles/tenants
> within openstack.
> - Are there plans to add support for the auth plugins to the
> *client modules and CLI tools going forward? I'd be interested in
> contributing this if it's on the roadmap and hasn't been done yet.
> - Are there plans to add support for auth plugins/external au th
> to Horizon? As above, I'm interested in implementing this if
> there's interest.
> - I see vague references in the documentation/*client code to
> using certificates for authentication (without the need for httpd
> external authentication) which would also eliminate the
> credentials-in-environment-variables issue. Is using PKI for
> authentication going to be supported? If so what's the status?
>
> Thanks in advance!
>
> -Aaron
>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130515/a838d717/attachment.html>
More information about the Openstack
mailing list