[openstack-dev] Kerberos in OpenStack
Adam Young
ayoung at redhat.com
Tue Feb 24 19:26:26 UTC 2015
On 02/24/2015 01:53 PM, Sanket Lawangare wrote:
> Hello Everyone,
>
> My name is Sanket Lawangare. I am a graduate Student studying at The
> University of Texas, at San Antonio.For my Master’s Thesis I am
> working on the Identity component of OpenStack. My research is to
> investigate external authentication with Identity(keystone) using
> Kerberos.
>
>
> Based on reading Jammie lennox's Blogs on Kerberos implementation in
> OpenStack and my understanding of Kerberos I have come up with a
> figure explaining possible interaction of KDC with the OpenStack
> client, keystone and the OpenStack services(Nova, Cinder, Swift...).
>
> These are the Blogs -
>
> http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
>
> http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/
>
> I am trying to understand the working of Kerberos in OpenStack.
>
>
> Please click this link to view the figure:
> https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing
>
>
> P.S. - [The steps in this figure are self explanatory the basic
> understanding of Kerberos is expected]
>
>
> Based on the figure i had couple of questions:
>
>
> 1.
>
> Is Nova or other services registered with the KDC?
>
Not yet. Kerberos is only used for Keystone at the moment, with work
underway to make Horizon work with Keystone. Since many of the services
only run in Eventlet, not in HTTPD, Kerberos support is hard to
support. Ideally, yes, we would do Kerberos direct to Nova, and weither
use the token binding mechanism, or better yet, not even provide a
token...but that is more work.
>
> 2.
>
> What does keystone do with Kerberos ticket/credentials? Does
> Keystone authenticates the users and gives them direct access to
> other services such as Nova, Swift etc..
>
>
THey are used for authentication, and then the Keystone server uses the
principal to resolve the username and user id. The rest of the data
comes out of LDAP.
> 3.
>
> After receiving the Ticket from the KDC does keystone embed some
> kerberos credential information in the token?
>
No, it is mapped to the Openstack userid and username
>
> 4.
>
> What information does the service (e.g.Nova) see in the Ticket and
> the token (Does the token have some kerberos info or some
> customized info inside it?).
>
No kerberos ticket goes to Nova.
>
> If you could share your insights and guide me on this. I would be
> really appreciate it. Thank you all for your time.
>
>
Let me know if you have more questions. Really let me know if you want
to help coding.
> Regards,
>
> Sanket Lawangare
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150224/e5f3587e/attachment.html>
More information about the OpenStack-dev
mailing list