[openstack-dev] Keystone Apache2 Installation Question
Adam Young
ayoung at redhat.com
Mon Oct 14 20:22:27 UTC 2013
On 10/09/2013 08:43 PM, Fox, Kevin M wrote:
> Thanks for the docs. It looks like I got through all of that already, its the authentication module part that is throwing me.
>
> I managed to manually get a token by putting mod_krb5 on <Location /keystone/main/v2.0/tokens> and using curl against it, giving curl a username/password.
> If I try and give that generated token back though its failing because krb5 wants a username and password.
THat is not right. krb5 should use Negotiate, not basic auth, and you
should not need UID/PW in order to get a token
>
> I guess I need one endpoint url to take in a kerb5 username/password and give me a token.
No, a krb service ticket, not password
> another url to validate tokens I guess. Maybe that's what the split between main and admin is for though?
Validation probably should not be done via Kerberos, unless you have a
way to automatically update the service tickets for Nova etc. There are
mechanisms for doing that in the latest version of the GSSAPI, but I
would not expect it to be in the current RHEL6 or the latest LTS of
Ubuntu yet. So the validate calls need to go to an URL not protected
via Kerberos.
>
> And none of the clients seem to pass a basic auth username/password, so I'd have to modify all of those too? I think its a middleware thing though, so I might be able to tweak them all at once?
Correct. I am working on a patch for Basic-Auth in Icehouse, but it
won't be in Havana.
>
> Thanks,
> Kevin
> ________________________________________
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) [mark.m.miller at hp.com]
> Sent: Wednesday, October 09, 2013 5:17 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>
> Hi Kevin,
>
> It has been awhile, but here are some notes I took.
>
> Regards,
>
> Mark Miller
>
> ---------------------------------
>
> Keystone Apache2 frontend Installation and Configuration
>
> Instructions below are based off of documentation/examples from URL https://keystone-voms.readthedocs.org/en/latest/requirements.html
> Install Apache2 WSGI with mod_ssl enabled. To do so, install the packages, and enable the relevant modules:
> sudo apt-get install apache2 libapache2-mod-wsgi
> sudo a2enmod ssl
> sudo ufw disable #Note: not sure if need to disable firewall
>
> Then configure your Apache server to use CA certificates. If you have some installed in the default location, enable the default-ssl site (a2ensite default-ssl) and modify its configuration file (normally in /etc/apache2/sites-enabled/default-ssl). If not, create configuration file "/etc/apache2/sites-enabled/keystone" for your keystone installation.
> Note: I created file "/etc/apache2/sites-enabled/keystone" shown below.
> Example:
> WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10
>
> Listen 5000
> <VirtualHost _default_:5000>
> LogLevel info
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
>
> SSLEngine on
> SSLCertificateFile /etc/ssl/certs/apache.cert
> SSLCertificateKeyFile /etc/ssl/private/apache.key
>
> SSLCACertificatePath /etc/ssl/certs
> SSLCARevocationPath /etc/ssl/certs
> SSLVerifyClient optional
> SSLVerifyDepth 10
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLOptions +StdEnvVars +ExportCertData
>
> WSGIScriptAlias / /usr/lib/cgi-bin/keystone/main
> WSGIProcessGroup keystone
> </VirtualHost>
>
> Listen 35357
> <VirtualHost _default_:35357>
> LogLevel info
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
>
> SSLEngine on
> SSLCertificateFile /etc/ssl/certs/apache.cert
> SSLCertificateKeyFile /etc/ssl/private/apache.key
>
>
> SSLCACertificatePath /etc/ssl/certs
> SSLCARevocationPath /etc/ssl/certs
> SSLVerifyClient optional
> SSLVerifyDepth 10
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLOptions +StdEnvVars +ExportCertData
>
> WSGIScriptAlias / /usr/lib/cgi-bin/keystone/admin
> WSGIProcessGroup keystone
> </VirtualHost>
>
> Note1: By changing settings in this file you can turn on and off the Apache2-SSL frontend to Keystone (variable SSL_Engine).
> Note2: The "[ssl]" section of file "keystone.conf" needs to match this file in that if SSL is turned on in one of them, then it needs to be turned on in the other.
> To run keystone as a WSGI app, copy file "keystone.py" to the correct location and create links to it.
> sudo mkdir -p /usr/lib/cgi-bin/keystone
> sudo cp /<path>/keystone-2013.2.b2/httpd/keystone.py /usr/lib/cgi-bin/keystone/keystone.py
> sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/main
> sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/admin
>
> If the keystone service is running, shut it down. The Apache2 service will now start up as many instances of keystone as are specified on the first line of file "/etc/apache2/sites-enabled/keystone".
> sudo service keystone stop
>
> Adjust the "keystone.py" file to point to your keystone configuration file "if" it is not in the default location (i.e. "/etc/keystone/keystone.conf").
> Note: I did not make any changes to file keystone.py.
> Add variable OPENSSL_ALLOW_PROXY_CERTS to your Apache2 environment file "/etc/apache2/ envvars" so that X.509 proxy certificates are accepted by OpenSSL.
> export OPENSSL_ALLOW_PROXY_CERTS=1
>
> If you don't have server certificates for your Apache2 server, generate your own self-signed certificates following instructions from URL:
> https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache.key -out /etc/ssl/certs/apache.cert
> When prompted, use the name of your server for the common name.
> Country Name (2 letter code) [AU]:US
> State or Province Name (full name) [Some-State]:Oregon
> Locality Name (eg, city) []:Corvallis
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hewlett-Packard
> Organizational Unit Name (eg, section) []:CloudOS
> Common Name (e.g. server FQDN or YOUR name) []:havanatest
> Email Address []:mark.m.miller at hp.com
>
> Add the server name to your "/etc/hosts" file.
> 127.0.1.1 havanatest
>
> Add the full IP address and server name to your REST client computer's "/etc/hosts" file. The name in the REST client URL must match the name of the server/common-name found in the certificate.
> 15.253.57.66 havanatest
>
> I ran into a problem with the Apache2 server startup because it was not able to reliably determine my test server's fully qualified domain name. Following instructions from the following URL allowed me to bypass this issue by adding the server name to file "/etc/apache2/httpd.conf".
>
> http://aslamnajeebdeen.com/blog/how-to-fix-apache-could-not-reliably-determine-the-servers-fully-qualified-domain-name-using-127011-for-servername-error-on-ubuntu
>
> Example:
> servername havanatest
>
> Finally, restart the Apache2 service and check to see that apache2 and keystone are running.
>
> sudo service apache2 restart
>
> ps -ef | grep apache2
> root 4463 1 1 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 4464 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
> keystone 4468 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
> keystone 4469 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
> keystone 4470 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 4471 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
> www-data 4472 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
> root 4564 2483 0 10:41 pts/2 00:00:00 grep --color=auto apache2
>
> ps -ef | grep keystone
> keystone 4468 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
> keystone 4469 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
> keystone 4470 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
> root 4566 2483 0 10:42 pts/2 00:00:00 grep --color=auto keystone
>
> With the above configuration and assuming that the Keystone host is "havanatest", the Keystone endpoint URLs will be as follow:
> * https:// havanatest:5000/v3
> * https:// havanatest:35357/v3
>
>
>
>
>> -----Original Message-----
>> From: Fox, Kevin M [mailto:kevin.fox at pnnl.gov]
>> Sent: Wednesday, October 09, 2013 4:59 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>>
>> I've just started playing around with Keystone under Apache. I have
>> managed to get it embedded now and all services talking to it.
>>
>> Now, I'm trying to get it to do apache authentication. The documentation
>> states that it should honor REMOTE_USER if its present.
>>
>> The default wsgi-keystone.conf has this in it:
>> <Location "/keystone">
>> NSSRequireSSL
>> Authtype none
>> </Location>
>>
>> Which Locations do you put Apache auth plugins on? Putting it on all of
>> /keystone seems wrong. I tried putting it only on <Location
>> "/keystone/main/v2.0/tokens"> and that didn't work either...
>>
>> Looking at the token api, it doesn't look like it does basic auth at all, expecting
>> the username/password to be passed through a json document? So perhaps
>> what I am trying to do will never work? Do I have to set some flag to get
>> python-keystoneclient/Dashboard to pass the username/password as
>> basicauth instead of in a json form?
>>
>> Thanks,
>> Kevin
>>
>>
>>
>> ________________________________________
>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> [mark.m.miller at hp.com]
>> Sent: Monday, August 12, 2013 4:17 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>>
>> Progress: Got Keystone working under Apache2 with HTTP based on the
>> following 2 URLs . HTTPS is the next.
>>
>> https://keystone-voms.readthedocs.org/en/latest/requirements.html
>> https://www.digitalocean.com/community/articles/how-to-create-a-ssl-
>> certificate-on-apache-for-ubuntu-12-04
>>
>> Mark
>>
>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> Sent: Monday, August 12, 2013 3:10 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>>
>> Looks like I may be ahead of the game. It doesn't look like this blueprint has
>> been started yet. Am I correct?
>>
>> https://blueprints.launchpad.net/devstack/+spec/devstack-setup-apache-
>> keystone
>>
>> A very valuable feature of Keystone is to configure it to leverage apache as
>> its front end. As a means of demonstrating how this works, and to facilitate
>> automated testing of this configuration in the future, support to devstack will
>> be added to enable it to optionally install and configure keystone using
>> apache as it front end. The design approach used will be that described in the
>> keystone docs:
>> https://github.com/openstack/keystone/blob/master/doc/source/apache-
>> httpd.rst
>> Thanks,
>>
>> Mark
>>
>>
>>
>> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> Sent: Monday, August 12, 2013 1:45 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>>
>> The commands/libraries do not exist for Ubuntu, Keystone no longer starts
>> up, directories between the sets of documents do not match, ...
>>
>> From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
>> Sent: Monday, August 12, 2013 1:41 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
>>
>> What problem(s) are you running into when following the above
>> documentation / examples?
>>
>> On Mon, Aug 12, 2013 at 3:32 PM, Miller, Mark M (EB SW Cloud - R&D -
>> Corvallis) <mark.m.miller at hp.com<mailto:mark.m.miller at hp.com>> wrote:
>> Hello,
>>
>> I am looking for documentation on how to install/configure Apache2 as the
>> Keystone front end for "Ubuntu 12.04". I have found various documentation
>> snippets for a variety of applications and operating systems, but nothing for
>> Ubuntu. Any pointers would greatly be appreciated. I have been trying to
>> piece the installation/configuration from the following URLs but have yet to
>> be successful.
>>
>> http://docs.openstack.org/developer/keystone/apache-
>> httpd.html#keystone-configuration
>> https://keystone-voms.readthedocs.org/en/latest/requirements.html
>> https://github.com/enovance/keystone-wsgi-
>> apache/blob/master/provision.sh
>> http://adam.younglogic.com/2012/04/keystone-httpd/
>>
>> Regards,
>>
>> Mark
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org<mailto:OpenStack-
>> dev at lists.openstack.org>
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>>
>> --
>>
>> -Dolph
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list