[openstack-dev] Kerberization of Horizon (kerbhorizon?)

Gabriel Hurley Gabriel.Hurley at nebula.com
Wed Jun 4 19:10:32 UTC 2014


I've implemented Kerberos (via Apache) + Django once before, and yes, taking this as pseudo-code you're on the right track. Obviously the devil is in the details and you'll work out the particulars as you go.

The most important bit (obviously) is just making absolutely sure your REMOTE_USER header/environment variable is trusted, but that's outside the Django layer.

Assuming that you can work out "with the other parameters from the original call going into auth, session, or client as appropriate" as you said then you should be fine.

All the best,


- Gabriel

From: Adam Young [mailto:ayoung at redhat.com]
Sent: Wednesday, June 04, 2014 11:53 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] Kerberization of Horizon (kerbhorizon?)

OK, so I'm cranking on all of the Kerberos stuff, plus S4U2Proxy work etc., except that I have never worked with Django directly before. I want to get a sanity check on my approach:

Instead of "authenticating" to Keystone, Horizon will use mod_auth_krb5 and REMOTE_USER to authenticate the user. Then, in order to get a Keystone token, the code in openstack_dashboard/api/keystone.py:keystoneclient needs to fetch a token for the user.

This will be done using a Kerberized Keystone and S4U2Proxy setup.  There are alternatives using TGT delegation that I really want to have nothing to do with.

The keystoneclient call currently does:


        conn = api_version['client'].Client(token=user.token.id,
                                            endpoint=endpoint,
                                            original_ip=remote_addr,
                                            insecure=insecure,
                                            cacert=cacert,
                                            auth_url=endpoint,
                                            debug=settings.DEBUG)

when I am done it would do:
from keystoneclient import session
from keystoneclient.auth.identity import v3
from keystoneclient.contrib.auth.v3 import kerberos
...

if REMOTE_USER:
    # The web server already authenticated the user via Kerberos; the plugin
    # obtains a Keystone token using the delegated (S4U2Proxy) credential.
    auth = kerberos.Kerberos(OS_AUTH_URL)
else:
    # No Kerberos identity for this request: reuse the token in the session.
    auth = v3.Token(auth_url=OS_AUTH_URL, token=user.token.id)

sess = session.Session(auth=auth, verify=OS_CACERT)
conn = client.Client(session=sess, region_name='RegionOne')



(with the other parameters from the original call going into auth, session, or client as appropriate)


Am I on track?
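
An added example, not code from either message nor from Horizon or keystoneclient: Gabriel's caveat that REMOTE_USER must actually be trusted, together with the kerberos-versus-token branch in Adam's sketch, worked through as a small Python check. It assumes the WSGI environ is what Django exposes as request.META, that the Apache Kerberos module records the mechanism it used in AUTH_TYPE (taken here to be "Negotiate" for SPNEGO), and that the realm allowlist, the auth_url and the sample environs are constructed for illustration. The plugin choice is returned as plain data rather than built with keystoneclient so the snippet runs without it installed.

```python
"""Trusted REMOTE_USER handling for a Kerberized Horizon (added example).

Django's RemoteUserMiddleware takes request.META['REMOTE_USER'] at face
value, so the scheme is only as safe as the provenance of that key.  A
value placed in the WSGI environ by the web server's Kerberos module is
trustworthy; a same-named HTTP request header is attacker-controlled, and
WSGI exposes it under a different key (HTTP_REMOTE_USER), which is what
makes the distinction enforceable.
"""
import re

# Principal shapes a Horizon login should see: primary[/instance]@REALM.
_PRINCIPAL_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)?)@(?P<realm>[A-Za-z0-9.-]+)$"
)


class UntrustedRemoteUser(Exception):
    """REMOTE_USER is present but cannot be traced to a Kerberos login."""


def trusted_remote_user(environ, trusted_realms, accepted_auth_types=("Negotiate",)):
    """Return (name, realm) if REMOTE_USER in `environ` is trustworthy.

    `environ` is a WSGI environ (Django's request.META).  Only the bare
    REMOTE_USER key is read: a spoofed "Remote-User:" request header
    arrives as HTTP_REMOTE_USER and is never consulted.
    """
    principal = environ.get("REMOTE_USER", "")
    if not principal:
        raise UntrustedRemoteUser("no REMOTE_USER set by the web server")

    # Assumption: the Apache Kerberos module records the mechanism it used
    # in AUTH_TYPE.  A password (Basic) fallback or any other mechanism is
    # refused: only a GSSAPI/SPNEGO login leaves the server holding the
    # evidence that S4U2Proxy needs later.
    auth_type = environ.get("AUTH_TYPE", "")
    if auth_type not in accepted_auth_types:
        raise UntrustedRemoteUser("unexpected AUTH_TYPE %r" % auth_type)

    match = _PRINCIPAL_RE.match(principal)
    if match is None:
        raise UntrustedRemoteUser("malformed principal %r" % principal)
    name, realm = match.group("name"), match.group("realm")

    # With cross-realm trust a KDC you do not control can mint principals;
    # accept only realms Horizon has been explicitly configured to trust.
    if realm not in trusted_realms:
        raise UntrustedRemoteUser("realm %r not trusted" % realm)
    return name, realm


def select_keystone_auth(environ, trusted_realms, auth_url, token_id=None):
    """The kerberos-versus-token branch from the proposal, as plain data.

    Returns what Horizon's keystoneclient() wrapper should build:
      {"plugin": "kerberos", ...}  the web server authenticated the user,
      {"plugin": "token", ...}     the session already holds a token,
      None                         nothing to authenticate with.
    A REMOTE_USER that is present but fails the trust checks is a
    misconfiguration or an attack and is raised, not silently downgraded
    to the token path.
    """
    if "REMOTE_USER" in environ:
        name, realm = trusted_remote_user(environ, trusted_realms)
        return {"plugin": "kerberos", "auth_url": auth_url,
                "principal": "%s@%s" % (name, realm)}
    if token_id:
        return {"plugin": "token", "auth_url": auth_url, "token": token_id}
    return None


if __name__ == "__main__":
    # Constructed sample environs, not captures from a real deployment.
    realms = {"EXAMPLE.COM"}
    url = "https://keystone.example.com:5000/v3"
    kerberized = {"REMOTE_USER": "ayoung@EXAMPLE.COM", "AUTH_TYPE": "Negotiate"}
    spoofed = {"HTTP_REMOTE_USER": "admin@EXAMPLE.COM"}  # client-sent header
    basic = {"REMOTE_USER": "ayoung@EXAMPLE.COM", "AUTH_TYPE": "Basic"}
    print(select_keystone_auth(kerberized, realms, url))  # kerberos plugin
    print(select_keystone_auth(spoofed, realms, url))     # None: no login
    try:
        select_keystone_auth(basic, realms, url)
    except UntrustedRemoteUser as exc:
        print("rejected:", exc)
```

The two checks beyond "read the right key" are where deployments usually go wrong: a password fallback in the Kerberos module still sets REMOTE_USER but gives the server nothing it can delegate, and a cross-realm trust quietly widens who can appear in REMOTE_USER, so the realm allowlist should match what the S4U2Proxy-enabled Keystone is actually prepared to act for.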

