Hello Everyone,

My name is Sanket Lawangare. I am a graduate student studying at The University of Texas at San Antonio. For my Master's thesis I am working on the Identity component of OpenStack. My research is to investigate external authentication with Identity (Keystone) using Kerberos.

Based on reading Jamie Lennox's blogs on Kerberos implementation in OpenStack and my understanding of Kerberos, I have come up with a figure explaining possible interaction of the KDC with the OpenStack client, Keystone and the OpenStack services (Nova, Cinder, Swift...).

These are the blogs -

http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/

I am trying to understand the working of Kerberos in OpenStack.

Please click this link to view the figure:
https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing

P.S. - [The steps in this figure are self-explanatory; a basic understanding of Kerberos is expected]

Based on the figure I had a couple of questions:

1. Is Nova or other services registered with the KDC?

2. What does Keystone do with the Kerberos ticket/credentials? Does Keystone authenticate the users and give them direct access to other services such as Nova, Swift etc.?

3. After receiving the ticket from the KDC, does Keystone embed some Kerberos credential information in the token?

4. What information does the service (e.g. Nova) see in the ticket and the token (does the token have some Kerberos info or some customized info inside it?).

If you could share your insights and guide me on this, I would really appreciate it. Thank you all for your time.

Regards,

Sanket Lawangare