[openstack-dev] Kerberos in OpenStack

Sanket Lawangare sanket.lawangare at gmail.com
Wed Feb 25 00:42:09 UTC 2015


Thanks a lot for taking the time to reply, Tim. Will let you know
if I have any further questions.

On Tue, Feb 24, 2015 at 1:22 PM, Tim Bell <Tim.Bell at cern.ch> wrote:

> You may also get some information from how we set up Kerberos at CERN at
> http://openstack-in-production.blogspot.fr/2014/10/kerberos-and-single-sign-on-with.html
>
>
>
> From my understanding, the only connection is between Keystone and the KDC.
> There is a standard Keystone token issued based off the Kerberos ticket and
> the rest is the same as if a password had been supplied.
>
>
>
> Tim
>
>
>
> *From:* Sanket Lawangare [mailto:sanket.lawangare at gmail.com]
> *Sent:* 24 February 2015 19:53
> *To:* openstack-dev at lists.openstack.org
> *Subject:* [openstack-dev] Kerberos in OpenStack
>
>
>
> Hello Everyone,
>
>
>
> My name is Sanket Lawangare. I am a graduate student studying at The
> University of Texas at San Antonio. *For my Master's thesis I am working
> on the Identity component of OpenStack. My research is to investigate
> external authentication with Identity (Keystone) using Kerberos.*
>
>
>
> Based on reading Jamie Lennox's blogs on the Kerberos implementation in
> OpenStack and my understanding of Kerberos, I have come up with a figure
> explaining the possible interaction of the KDC with the OpenStack client, Keystone
> and the OpenStack services (Nova, Cinder, Swift...).
>
> These are the blogs:
>
>
> http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
>
> http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/
>
> I am trying to understand the working of Kerberos in OpenStack.
>
>
>
> Please click this link to view the figure:
> https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing
>
>
>
> P.S. - [The steps in this figure are self-explanatory; a basic
> understanding of Kerberos is expected]
>
>
>
> Based on the figure I had a couple of questions:
>
>
>
> 1.     Is Nova or other services registered with the KDC?
>
>
>
> 2.     What does Keystone do with the Kerberos ticket/credentials? Does
> Keystone authenticate the users and give them direct access to other
> services such as Nova, Swift etc.?
>
>
>
> 3.     After receiving the ticket from the KDC, does Keystone embed some
> Kerberos credential information in the token?
>
>
>
> 4.     What information does the service (e.g. Nova) see in the ticket and
> the token? (Does the token have some Kerberos info or some customized info
> inside it?)
>
>
>
> If you could share your insights and guide me on this, I would really
> appreciate it. Thank you all for your time.
>
>
>
> Regards,
>
> Sanket Lawangare
>