[openstack-dev] Kerberization of Horizon (kerbhorizon?)
ayoung at redhat.com
Wed Jun 4 19:43:01 UTC 2014
On 06/04/2014 03:10 PM, Gabriel Hurley wrote:
> I've implemented Kerberos (via Apache) + Django once before, and yes,
> taking this as pseudo-code you're on the right track. Obviously the
> devil is in the details and you'll work out the particulars as you go.
> The most important bit (obviously) is just making absolutely sure your
> REMOTE_USER header/environment variable is trusted, but that's outside
> the Django layer.
> Assuming that you can work out "with the other parameters from the
> original call going into auth, session, or client as appropriate" as
> you said then you should be fine.
Thanks. One part I'm not really sure about was if it is OK to skip
adding a token to the session before calling on the keystone code. It
seems like the django_openstack_auth code creates a user object and adds
that to the session. I don't want any of the login forms from that
package. I'm guessing that I would really need to write
django-openstack-kerberos-backend to merge the logic from
RemoteUserBackend with django_openstack_auth; I think I want the logic
> All the best,
> *From:* Adam Young [mailto:ayoung at redhat.com]
> *Sent:* Wednesday, June 04, 2014 11:53 AM
> *To:* OpenStack Development Mailing List
> *Subject:* [openstack-dev] Kerberization of Horizon (kerbhorizon?)
> OK, so I'm cranking on all of the Kerberos stuff: plus S4U2Proxy work
> etc.... except that I have never worked with Django directly before. I
> want to get a sanity check on my approach:
> Instead of "authenticating" to Keystone, Horizon will use
> mod_auth_krb5 and REMOTE_USER to authenticate the user. Then, in order
> to get a Keystone token, the code in
> openstack_dashboard/api/keystone.py:keystoneclient needs to fetch a
> token for the user.
> This will be done using a Kerberized Keystone and S4U2Proxy setup.
> There are alternatives using TGT delegation that I really want to have
> nothing to do with.
> The keystoneclient call currently does:
> conn = api_version['client'].Client(token=user.token.id,
> when I am done it would do:
> from keystoneclient.contrib.auth.v3 import kerberos
> if REMOTE_USER:
>     auth = kerberos.Kerberos(OS_AUTH_URL)
> else:
>     auth = v3.auth.Token(token=user.token.id)
> (with the other parameters from the original call going into auth,
> session, or client as appropriate)
> Am I on track?
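The following is an added example, not code from this thread, Horizon, or django_openstack_auth. It illustrates the point about trusting REMOTE_USER before taking the Kerberos branch: only the server-set REMOTE_USER is read as identity, client-supplied look-alike headers are dropped, and the principal's realm is checked. The names RemoteUserGuard, trusted_principal, choose_auth and the realm EXAMPLE.COM are hypothetical, and the returned tuples stand in for the keystoneclient auth plugins.

```python
import re

# Hypothetical allow-list; the realm is a constructed sample value.
TRUSTED_REALMS = {"EXAMPLE.COM"}
# WSGI keys derived from request headers; a client can set these directly,
# so they must never be read as identity.
SPOOFABLE_KEYS = ("HTTP_REMOTE_USER", "HTTP_X_REMOTE_USER")
PRINCIPAL_RE = re.compile(r"([A-Za-z0-9._-]+)@([A-Z0-9.-]+)")


def trusted_principal(environ):
    """Return (user, realm) from the server-set REMOTE_USER, or None."""
    m = PRINCIPAL_RE.fullmatch(environ.get("REMOTE_USER") or "")
    if not m or m.group(2) not in TRUSTED_REALMS:
        return None
    return m.group(1), m.group(2)


def choose_auth(environ, session_token_id=None):
    """Mirror the thread's branch: Kerberos if REMOTE_USER is trusted, else token."""
    principal = trusted_principal(environ)
    if principal:
        return ("kerberos", "%s@%s" % principal)
    if session_token_id:
        return ("token", session_token_id)
    return ("anonymous", None)


class RemoteUserGuard:
    """WSGI middleware that sanitizes identity inputs before the app runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        for key in SPOOFABLE_KEYS:
            environ.pop(key, None)
        if environ.get("REMOTE_USER") and trusted_principal(environ) is None:
            # Malformed or foreign-realm value: refuse rather than fall
            # through to the token path with an unverified identity.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"untrusted REMOTE_USER\n"]
        return self.app(environ, start_response)
```

This check complements, and does not replace, the web server configuration that actually authenticates the user and sets REMOTE_USER.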