[openstack-dev] [openstack-ansible][keystone] Federation beyond Shibboleth

Adam Young ayoung at redhat.com
Wed Aug 19 20:54:31 UTC 2015


On 08/19/2015 04:23 AM, Jesse Pretorius wrote:
>
> On 12 August 2015 at 18:48, Adam Young <ayoung at redhat.com> wrote:
>
>
>     The simplest one is Kerberos + SSSD;
>
>     Kerberos provides Authentication.
>     mod_lookup_identity uses SSSD to get Groups.  It turns LDAP into
>     another Federated identity, much simpler than the LDAP code in
>     Keystone (I am responsible for that mess).
>
>     We are working on automating this via Ansible on top of a
>     RHEL/CentOS 7 install to demo in Tokyo.
>
>     I am not certain if all the pieces are in place yet for Debian
>     based install.  Specifically, it needs an updated sssd-dbus package.
>
>     We also have mod_mellon and Ipsilon working, as Jamie demo'ed at
>     PyCon AU.
>
>
> Sounds great!
>
> Would you be prepared to put together some WIP reviews to add those to 
> the Keystone role in openstack-ansible? Even if they're non-working 
> sketches that we can work from and iterate on, that'd be great.

Our sample code is here:

https://github.com/jamielennox/rippowam



I wrote up a README for what we are doing:

https://github.com/admiyo/rippowam/blob/master/README.rst


The stuff you care about is here:

Setting up SSSD
https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/infopipe.yml

And 
https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/keystone-sssd.yml


>
> Note that we're looking at implementing some changes to broaden the 
> platform support too. We're moving some of the pieces into place for 
> the liberty [1] release and I'll be putting my thoughts down on 
> multi-platform host enablement [2] soon. Also, considering that it'd 
> be easier to comprehend, consume and iterate the ansible roles if they 
> were independent consumable units I've also proposed [3][4] to break 
> them out into their own repositories. It'd be great if you could 
> provide your input.
>
> [1] https://blueprints.launchpad.net/openstack-ansible/+spec/liberty
> [2] 
> https://blueprints.launchpad.net/openstack-ansible/+spec/multi-platform-host
> [3] 
> https://blueprints.launchpad.net/openstack-ansible/+spec/independent-role-repositories
> [4] https://review.openstack.org/213779
>
