[openstack-dev] Horizon, Keystone, Kerberos, and Federation

Adam Young ayoung at redhat.com
Fri May 23 21:48:57 UTC 2014


I've been looking in to enabling  Kerberos for Horizon.  Since Horizon 
passes the Users credentials on to Keystone to get a token, Kerberos 
requires an additional delegation mechanism.  This leads to some 
questions about how to handle delegation in the case of Federated Identity.


In Kerberos, the Horizon Django App would get a 
<strong>REMOTE_USER</strong> set by the Apache web server.  
<strong>REMOTE_USER</strong> by itself is not enough to send to Keystone 
to get a token.

Kerberos has a Delegation mechanism called <a 
href="http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/" 
title="Setting Up S4U2Proxy with FreeIPA">"Service for User to Proxy" 
(abbreviated as S4U2Proxy)</a> which would allow (only) Horizon to get a 
service ticket to Keystone on behalf of the user. I am pretty certain we 
can make this work without too much effort.

The exposure of a hacked Horizon set up this way would be limited to 
those active service tickets in the webserver.  Since Kerberos tickets 
are typically 8 hours in duration, the hacker would have full access to 
Keystone and Keystone only for any use that had logged in in the past 8 
hours, or that logged in while the attack was running.  Essentially, it 
would be the same exposure as the current Horizon model would have; both 
ticket duration and token duration are configurable.

If Horizon under Kerberos falls back to a user-id/password mechanism, 
the Horizon server could fetch a much more powerful Ticket Granting 
Ticket (TGT) for the user and use that to get a service ticket.  The 
exposure for this is much greater;  a successful hacker could 
impersonate the user to <em>all</em> services.  Unfortunately, business 
requirements often demand a fallback to UserID/Password for users with 
limited ability to administer their own machines. mod_auth_krb5 provides 
a means to use userid and password, and there are form based approaches, 
too.

For SAML we would need a comparable delegation mechanism.   If Horizon 
were authorized to access Keystone on the behalf of the user, and it 
provided the original SAML Assertion, we would have the same exposure as 
the S4U2Proxy case.  SAML assertion are time limited, so the Hacked 
Horizon instance would only be able to access Keystone, and only for the 
duration of the SAML assertions.

In both cases, the exposure would be better than today using 
User-Id/Password to get tokens from Horizon in the deployments when the 
tokens have a default  lifetime of 12 hours.  Whereas as sniffed 
password would be usable indefinitely, a stolen assertion or service 
ticket would only be usable for the life of the ticket or assertion, and 
on so long as the Horizon service itself is still compromised.

The Keystone default token duration has been shortened to one hour, and 
a corresponding Service ticket policy would make sense:  limit Kerberos 
Service tickets or SAML assertions to access Horizon to one hour.

I'm digging into X509 client certificates as well, but there does not 
seem to be as clear a story there.  I think the short of it is 
"theoretically possible" but may be impractical.





More information about the OpenStack-dev mailing list