[openstack-dev] Kerberos in OpenStack

Adam Young ayoung at redhat.com
Mon Mar 2 20:28:43 UTC 2015


Posting response to the mailing list, as I suspect others have these 
questions.

>
>
>  I understand that in the current proposed implementation only 
> keystone runs on apache-httpd.
>
> 1.  My question is that- is it possible to move Nova server on the 
> apache-httpd server just like the way keystone server is running? And 
> if not then what are the technical challenges moving it? If these 
> services had the mod_auth_kerb module they would be able to validate the 
> token.

My Keystone work was based on a Web page where someone did exactly 
this.  I don't know what it would take to make it happen today, but it 
should be possible.

Much of Nova is dealing with Eventlet and the monkeypatching. Ideally, 
this code would be implemented in one place and then a single boolean at 
startup could say "monkeypatch" or "no"; this is what Keystone does.

Nova has more of a dependency on Eventlet than Keystone does, as Nova 
has to deal with reading messages from the message queue.  This is done 
using a dedicated greenthread, and I don't know how this would look in 
an HTTPD setup.

>
> 2. Also, I was curious to know if you tried to add the keystone 
> middleware to nova and the other services? In this way Keystone can 
> itself act as KDC.

Not sure what you mean here.  Keystone already has middleware running in 
Nova.  Keystone data is more like a Kerberos PAC than a service 
ticket.  Keystone tokens are not limited to endpoints, and even if they 
were, we need to pass a token from one endpoint to another for certain 
workflows.

>
> Thanks,
> Sanket
>
> On Wed, Feb 25, 2015 at 12:39 PM, Sanket Lawangare 
> <sanket.lawangare at gmail.com <mailto:sanket.lawangare at gmail.com>> wrote:
>
>     Thank you for replying back Adam. Would let you know if I have any
>     further doubts on it (I am pretty sure I will have many).
>
>     Sanket
>
>     On Tue, Feb 24, 2015 at 1:26 PM, Adam Young <ayoung at redhat.com
>     <mailto:ayoung at redhat.com>> wrote:
>
>         On 02/24/2015 01:53 PM, Sanket Lawangare wrote:
>>         Hello  Everyone,
>>
>>         My name is Sanket Lawangare. I am a graduate student studying
>>         at The University of Texas, at San Antonio. For my Master's
>>         Thesis I am working on the Identity component of OpenStack.
>>         My research is to investigate external authentication with
>>         Identity (keystone) using Kerberos.
>>
>>
>>         Based on reading Jamie Lennox's blogs on Kerberos
>>         implementation in OpenStack and my understanding of Kerberos
>>         I have come up with a figure explaining possible interaction
>>         of KDC with the OpenStack client, keystone and the OpenStack
>>         services (Nova, Cinder, Swift...).
>>
>>         These are the Blogs -
>>
>>         http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
>>
>>         http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/
>>
>>         I am trying to understand the working of Kerberos in OpenStack.
>>
>>
>>         Please click this link to view the figure:
>>         https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing
>>
>>
>>         P.S. - [The steps in this figure are self explanatory the
>>         basic understanding of Kerberos is expected]
>>
>>
>>         Based on the figure I had a couple of questions:
>>
>>
>>         1.
>>
>>             Is Nova or other services registered with the KDC?
>>
>         Not yet.  Kerberos is only used for Keystone at the moment,
>         with work underway to make Horizon work with Keystone.  Since
>         many of the services only run in Eventlet, not in HTTPD,
>         Kerberos support is hard to support. Ideally, yes, we would do
>         Kerberos direct to Nova, and either use the token binding
>         mechanism, or better yet, not even provide a token...but that
>         is more work.
>
>
>
>>
>>         2.
>>
>>             What does keystone do with Kerberos ticket/credentials?
>>             Does Keystone authenticate the users and give them
>>             direct access to other services such as Nova, Swift etc..
>>
>>
>         They are used for authentication, and then the Keystone server
>         uses the principal to resolve the username and user id.  The
>         rest of the data comes out of LDAP.
>
>
>>         3.
>>
>>             After receiving the Ticket from the KDC does keystone
>>             embed some kerberos credential information in the token?
>>
>         No, it is mapped to the Openstack userid and username
>
>>
>>         4.
>>
>>             What information does the service (e.g.Nova) see in the
>>             Ticket and the token (Does the token have some kerberos
>>             info or some customized info inside it?).
>>
>
>         No kerberos ticket goes to Nova.
>
>>
>>         If you could share your insights and guide me on this, I
>>         would really appreciate it. Thank you all for your time.
>>
>>
>
>         Let me know if you have more questions.  Really let me know if
>         you want to help coding.
>
>
>>         Regards,
>>
>>         Sanket Lawangare
>>
>>
>>
>>         __________________________________________________________________________
>>         OpenStack Development Mailing List (not for usage questions)
>>         Unsubscribe:OpenStack-dev-request at lists.openstack.org?subject:unsubscribe  <mailto:OpenStack-dev-request at lists.openstack.org?subject:unsubscribe>
>>         http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
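The flow Adam describes above (httpd with mod_auth_kerb validates the Kerberos ticket, Keystone only sees the authenticated principal and maps it to a username and user id, and no Kerberos ticket ever reaches Nova) is illustrated by the following Python sketch. It is an added example, not Keystone's or any OpenStack project's code: the user directory is a constructed stand-in for the LDAP lookup, the trusted realm is made up, and the assumption that httpd reports Kerberos authentication through an `AUTH_TYPE` of `Negotiate` must be checked against the actual mod_auth_kerb configuration.

```python
"""Hypothetical illustration of Kerberos-in-httpd external authentication.

httpd (mod_auth_kerb) has already validated the ticket; the application
receives only the principal in REMOTE_USER and maps it to a local identity.
This is not Keystone's code; names and values are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the LDAP-backed user store (ids are made up).
USER_DIRECTORY = {
    "alice": {"id": "7c2c4d3e-0001-4e5f-9a1b-000000000001", "name": "alice"},
    "bob": {"id": "7c2c4d3e-0002-4e5f-9a1b-000000000002", "name": "bob"},
}

# Realms whose principals this deployment is willing to map (assumption).
TRUSTED_REALMS = {"EXAMPLE.COM"}

# AUTH_TYPE value assumed to be set by httpd for SPNEGO/Kerberos requests;
# verify against your mod_auth_kerb setup before relying on it.
KERBEROS_AUTH_TYPE = "negotiate"


@dataclass(frozen=True)
class MappedUser:
    user_id: str
    username: str
    principal: str


class PrincipalError(ValueError):
    """Raised when REMOTE_USER is not a usable user principal."""


def parse_principal(remote_user: str) -> tuple[str, str]:
    """Split 'name@REALM' into (name, REALM); reject anything else.

    Service principals such as 'host/nova.example.com@REALM' carry an
    instance component and are refused: only user principals map to users.
    """
    if remote_user.count("@") != 1:
        raise PrincipalError(f"malformed principal: {remote_user!r}")
    name, realm = remote_user.split("@")
    if not name or not realm:
        raise PrincipalError(f"malformed principal: {remote_user!r}")
    if "/" in name:
        raise PrincipalError(f"service principal, not a user: {remote_user!r}")
    return name, realm


def map_principal(environ: dict) -> Optional[MappedUser]:
    """Map a Kerberos-authenticated REMOTE_USER to a local user, or None.

    None means "not authenticated": httpd did not perform Kerberos
    authentication for this request, the realm is untrusted, the principal
    is malformed, or no local user matches.  The caller should answer 401.
    """
    remote_user = environ.get("REMOTE_USER")
    auth_type = (environ.get("AUTH_TYPE") or "").lower()
    # Trust REMOTE_USER only when httpd itself set it via Kerberos; a value
    # that arrived without that marker must never count as authentication.
    if not remote_user or auth_type != KERBEROS_AUTH_TYPE:
        return None
    try:
        name, realm = parse_principal(remote_user)
    except PrincipalError:
        return None
    if realm not in TRUSTED_REALMS:
        return None
    record = USER_DIRECTORY.get(name)
    if record is None:
        return None
    return MappedUser(user_id=record["id"], username=record["name"],
                      principal=remote_user)


def handle_request(environ: dict) -> tuple[int, dict]:
    """Minimal handler: 401 unless the principal maps to a local user.

    Downstream code (and any other service) sees only the mapped identity,
    never the Kerberos ticket, matching the thread's description.
    """
    user = map_principal(environ)
    if user is None:
        return 401, {"error": "Kerberos authentication required"}
    return 200, {"user_id": user.user_id, "username": user.username}


if __name__ == "__main__":
    # Constructed WSGI-style environ as mod_auth_kerb would populate it.
    print(handle_request({"REMOTE_USER": "alice@EXAMPLE.COM",
                          "AUTH_TYPE": "Negotiate"}))
    # REMOTE_USER without the Kerberos AUTH_TYPE marker is not trusted.
    print(handle_request({"REMOTE_USER": "alice@EXAMPLE.COM"}))
```

The check on `AUTH_TYPE` is the part worth keeping in mind: an application that trusts `REMOTE_USER` alone cannot tell a principal set by mod_auth_kerb from one that arrived some other way, so the mapping should only run when httpd signals that it performed the Kerberos exchange.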
