[openstack-dev] Kerberization (and PKI-rization) of Horizon

Adam Young ayoung at redhat.com
Mon Apr 20 14:20:52 UTC 2015


On 04/19/2015 06:05 PM, Diogenes S. Jesus wrote:
> Hi man.
>
> I've seen your thread 
> <http://lists.openstack.org/pipermail/openstack-dev/2014-June/036733.html> 
> on OpenStack mailing list regarding using Kerberos on Horizon.
>
> I've been pulling my hair around this topic, however I'm trying to 
> authenticate using X.509.
>
> I've googled around and found only topics related to keystone external 
> auth - but that doesn't really solve the problem, because horizon is 
> the one handling the request.
>
> If you've reached a good level on this topic or can point to some 
> third-party solution I would be glad.
>
Diogenes,

Thanks for asking this.  It is a question that has come up a few times, 
and should be addressed.

I think the right approach is to use Federation, in the same way that I 
prototyped here:

http://adam.younglogic.com/2015/04/horizon-websso-sssd/

The short of it is that you would use the Mapped plugin for the 'X509' 
protocol instead of Kerberos (maybe `clientcert` is a better name?) and 
have a section in your httpd config for Keystone that has (among other 
settings):

<Location ~ "x509">
    Require valid-user
    SSLRequireSSL
    SSLVerifyClient require
</Location>


You would then provide values in the mapping that use the SSL variables, 
such as SSL_CLIENT_S_DN instead of REMOTE_USER.


For the user database, we have support coming in Kilo for mapping to an 
existing user, so you should be able to work with some version of the 
LDAP backend for that, but I would suggest you look at the SSSD approach 
for LDAP integration instead, as it will be usable both for Keystone and 
for the VMs managed by Nova (both Undercloud AND cloud 
authentication).

I haven't prototyped Client Cert authentication yet, unfortunately. I 
would love to know if it does work, and would be willing to help work 
through the gotchas.



> Thanks!
>
>
> -- 
>
> --------
>
> Diogenes S. de Jesus
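
The mapping step Adam describes (Mapped plugin, SSL_* variables in place of REMOTE_USER), worked through as an added example that is not part of the original thread and not Keystone's own mapping engine. The mapping JSON follows Keystone's documented rules/local/remote format and the small evaluator below reproduces its documented semantics in miniature: every "remote" entry of a rule must hold, and the values of plain {"type": ...} entries are substituted positionally into {0}, {1}, ... in "local". The "x509" protocol name, the "x509-users" group, the CA subject and the user "alice" are assumptions, and the three environments are constructed by hand in the shape mod_ssl exports them; they reach the WSGI environ only when the vhost also has "SSLOptions +StdEnvVars", which the <Location> block above does not set. The example uses SSL_CLIENT_S_DN_CN (the CN component that mod_ssl exports alongside SSL_CLIENT_S_DN) for the user name, and pins SSL_CLIENT_VERIFY and SSL_CLIENT_I_DN as well, because a mapping keyed on the subject alone would let any CA in Apache's trust store issue a certificate for an existing user's CN.

```python
"""Model of a Keystone federation mapping applied to mod_ssl's SSL_* variables.

Added illustration, not Keystone's own engine (keystone.federation.utils).
Semantics mirrored: all "remote" entries of a rule must hold; plain
{"type": ...} entries are captured into {0}, {1}, ... for "local";
any_one_of / not_any_of entries are constraints only and are not captured.
"""
import re

# Assumed mapping for a hypothetical "x509" protocol.  Without the issuer
# pin, a second trusted CA could mint CN=alice and log in as alice.
X509_MAPPING = {
    "rules": [
        {
            "local": [
                {"user": {"name": "{0}", "type": "local",
                          "domain": {"name": "Default"}}},
                {"group": {"name": "x509-users",
                           "domain": {"name": "Default"}}},
            ],
            "remote": [
                {"type": "SSL_CLIENT_S_DN_CN"},
                {"type": "SSL_CLIENT_VERIFY", "any_one_of": ["SUCCESS"]},
                {"type": "SSL_CLIENT_I_DN",
                 "any_one_of": ["CN=Example Corp CA,O=Example Corp"]},
            ],
        }
    ]
}

# Constructed environments, shaped as mod_ssl exports them to the WSGI
# environ when the vhost has "SSLOptions +StdEnvVars".
GOOD_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=alice,OU=Cloud Ops,O=Example Corp",
    "SSL_CLIENT_S_DN_CN": "alice",
    "SSL_CLIENT_I_DN": "CN=Example Corp CA,O=Example Corp",
}
# Same CN, issued by another CA that Apache also trusts.
ROGUE_CA_ENV = dict(GOOD_ENV, SSL_CLIENT_I_DN="CN=Partner CA,O=Partner")
# Certificate presented but not validated, as "SSLVerifyClient optional_no_ca"
# would report it; "require" never lets this reach Keystone, but the mapping
# should not trust it either.
UNVERIFIED_ENV = dict(GOOD_ENV, SSL_CLIENT_VERIFY="GENEROUS")


def _check_remote(req, env):
    """Evaluate one "remote" entry; return (matched, captured value or None)."""
    value = env.get(req["type"])
    if value is None:
        return False, None

    def hit(patterns):
        if req.get("regex"):
            return any(re.fullmatch(p, value) for p in patterns)
        return value in patterns

    if "any_one_of" in req:
        return hit(req["any_one_of"]), None
    if "not_any_of" in req:
        return not hit(req["not_any_of"]), None
    return True, value


def _substitute(obj, captured):
    """Fill {0}, {1}, ... in every string of a "local" structure."""
    if isinstance(obj, str):
        return obj.format(*captured)
    if isinstance(obj, dict):
        return {k: _substitute(v, captured) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, captured) for v in obj]
    return obj


def map_identity(mapping, env):
    """Apply the first rule whose remote entries all hold.

    Returns {"user": ..., "groups": [...]}, or None when no rule matches,
    which is the case Keystone turns into an authentication failure."""
    for rule in mapping["rules"]:
        captured = []
        for req in rule["remote"]:
            matched, value = _check_remote(req, env)
            if not matched:
                break
            if value is not None:
                captured.append(value)
        else:
            identity = {"user": None, "groups": []}
            for item in _substitute(rule["local"], captured):
                if "user" in item:
                    identity["user"] = item["user"]
                if "group" in item:
                    identity["groups"].append(item["group"])
            return identity
    return None


if __name__ == "__main__":
    for label, env in [("good", GOOD_ENV), ("rogue CA", ROGUE_CA_ENV),
                       ("unverified", UNVERIFIED_ENV)]:
        print(label, "->", map_identity(X509_MAPPING, env))
```

Only the first environment maps to a user; the rogue-CA and unverified cases fall through to None. The "type": "local" in the user entry is the Kilo-era behaviour Adam mentions of mapping onto an existing Keystone user rather than an ephemeral federated one, so the CN must already exist in whatever identity backend (LDAP or SSSD-backed) Keystone is using.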
