[openstack-dev] Kerberization of Horizon (kerbhorizon?)
Adam Young
ayoung at redhat.com
Wed Jun 4 18:53:03 UTC 2014
OK, so I'm cranking on all of the Kerberos stuff, plus S4U2Proxy work
etc., except that I have never worked with Django directly before. I
want to get a sanity check on my approach:
Instead of "authenticating" to Keystone, Horizon will use mod_auth_krb5
and REMOTE_USER to authenticate the user. Then, in order to get a
Keystone token, the code in
openstack_dashboard/api/keystone.py:keystoneclient needs to fetch a
token for the user.
This will be done using a Kerberized Keystone and S4U2Proxy setup. There
are alternatives using TGT delegation that I really want to have nothing
to do with.
The keystoneclient call currently does:
    conn = api_version['client'].Client(token=user.token.id,
                                        endpoint=endpoint,
                                        original_ip=remote_addr,
                                        insecure=insecure,
                                        cacert=cacert,
                                        auth_url=endpoint,
                                        debug=settings.DEBUG)
When I am done it would do:
    from keystoneclient.contrib.auth.v3 import kerberos
    ...
    if REMOTE_USER:
        auth = kerberos.Kerberos(OS_AUTH_URL)
    else:
        auth = v3.auth.Token(token=user.token.id)
    # pass whichever plugin was selected above to the session
    sess = session.Session(auth, verify=OS_CACERT)
    conn = client.Client(session=sess, region_name='RegionOne')
(with the other parameters from the original call going into auth,
session, or client as appropriate)
Am I on track?
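Added example, not part of the original message and not Horizon or keystoneclient code: a sketch of the REMOTE_USER-or-token decision described above, showing which WSGI environ key can be trusted as the web server's authentication result. The names choose_auth, UntrustedIdentity and TRUSTED_REALM, the user@REALM form of REMOTE_USER, and the sample requests are assumptions made for the illustration.

```python
# Added example: pick the Keystone auth path for one dashboard request.
# choose_auth, UntrustedIdentity and TRUSTED_REALM are hypothetical names.

TRUSTED_REALM = "EXAMPLE.COM"  # constructed realm for this example


class UntrustedIdentity(Exception):
    """The request carries no identity that can be accepted."""


def choose_auth(environ, session_token=None, realm=TRUSTED_REALM):
    """Return ("kerberos", username) or ("token", token_id).

    environ is the WSGI environ (request.META in Django). Only the
    REMOTE_USER key is read, because the web server's auth module sets it.
    Keys starting with HTTP_ are built from client-sent request headers, so
    HTTP_REMOTE_USER or HTTP_X_REMOTE_USER are never treated as identity.
    """
    principal = environ.get("REMOTE_USER")
    if principal:
        # Assumption: the auth module reports the full principal user@REALM.
        user, sep, user_realm = principal.rpartition("@")
        if not sep or not user:
            raise UntrustedIdentity("expected user@REALM, got %r" % principal)
        if user_realm != realm:
            raise UntrustedIdentity("unexpected realm %r" % user_realm)
        # Caller would build the Kerberos auth plugin for this user here.
        return ("kerberos", user)
    if session_token:
        # No web-server identity: fall back to the existing token path.
        return ("token", session_token)
    raise UntrustedIdentity("no REMOTE_USER and no session token")


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ({"REMOTE_USER": "alice@EXAMPLE.COM"}, None),
        ({"HTTP_REMOTE_USER": "admin@EXAMPLE.COM"}, "tok123"),  # spoofable header
        ({"REMOTE_USER": "alice@OTHER.ORG"}, None),
    ]
    for env, tok in samples:
        try:
            print(env, "->", choose_auth(env, tok))
        except UntrustedIdentity as exc:
            print(env, "-> rejected:", exc)
```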