[openstack-dev] [TripleO] FreeIPA integration
Adam Young
ayoung at redhat.com
Wed Apr 6 02:06:38 UTC 2016
On 04/05/2016 08:02 AM, Hayes, Graham wrote:
> On 02/04/2016 22:33, Adam Young wrote:
>> I finally have enough understanding of what is going on with Tripleo to
>> reasonably discuss how to implement solutions for some of the main
>> security needs of a deployment.
>>
>>
>> FreeIPA is an identity management solution that can provide support for:
>>
>> 1. TLS on all network communications:
>> A. HTTPS for web services
>> B. TLS for the message bus
>> C. TLS for communication with the Database.
>> 2. Identity for all Actors in the system:
>> A. API services
>> B. Message producers and consumers
>> C. Database consumers
>> D. Keystone service users
>> 3. Secure DNS DNSSEC
>> 4. Federation Support
>> 5. SSH Access control to Hosts for both undercloud and overcloud
>> 6. SUDO management
>> 7. Single Sign On for Applications running in the overcloud.
>>
>>
>> The main pieces of FreeIPA are
>> 1. LDAP (the 389 Directory Server)
>> 2. Kerberos
>> 3. DNS (BIND)
>> 4. Certificate Authority (CA) server (Dogtag)
>> 5. WebUI/Web Service Management Interface (HTTPD)
>>
> <snip>
>
>>
>> There are a couple ongoing efforts that will tie in with this:
>>
>> 1. Designate should be able to use the DNS from FreeIPA. That was the
>> original implementation.
> Designate cannot use FreeIPA - we haven't had a driver for it since
> Kilo.
>
> There have been various efforts since to support FreeIPA, but it
> requires that it is the point of truth for DNS information, as does
> Designate.
>
> If FreeIPA supported the traditional Notify and Zone Transfer mechanisms
> then we would be fine, but unfortunately it does not.
>
> [1] Actually points out that the goal of FreeIPA's DNS integration
> "... is NOT to provide general-purpose DNS server. Features beyond
> easing FreeIPA deployment and maintenance are explicitly out of scope."
>
> 1 - http://www.freeipa.org/page/DNS#Goals
Let's table that for now. No reason they should not be able to
interoperate somehow.
>
>
>> 2. Juan Antonio Osorio has been working on TLS everywhere. The issue
>> thus far has been Certificate management. This provides a Dogtag server
>> for Certs.
>>
>> 3. Rob Crittenden has been working on auto-registration of virtual
>> machines with an Identity Provider upon launch. This gives that effort
>> an IdM to use.
>>
>> 4. Keystone can make use of the Identity store for administrative users
>> in their own domain.
>>
>> 5. Many of the compliance audits have complained about cleartext
>> passwords in config files. This removes most of them. MySQL supports
>> X509 based authentication today, and there is Kerberos support in the
>> works, which should remove the last remaining cleartext Passwords.
>>
>> I mentioned Centralized SUDO and HBAC. These are both tools that may be
>> used by administrators if so desired on the install. I would recommend
>> that they be used, but there is no requirement to do so.
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
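The compliance point raised in the thread (cleartext passwords in config files, and X.509 client authentication to MySQL as the way to remove them) is easy to check mechanically. The script below is an added example written for this page; it is not code from the thread, from TripleO or from FreeIPA. It parses OpenStack-style .ini text, flags options that carry a cleartext secret, and accepts a [database] connection URL only when it has no password and instead carries the ssl_ca/ssl_cert/ssl_key query parameters that the SQLAlchemy MySQL dialects document for TLS client certificates. The option names, file paths (including the /etc/ipa/ca.crt location of the FreeIPA CA on enrolled hosts) and both sample configs are constructed for the example and are assumptions about a particular deployment.

```python
"""Audit OpenStack-style config text for cleartext credentials.

Added example, not part of the mailing-list thread or any OpenStack
project. Sample configs below are constructed inline so it runs offline.
"""
import configparser
from urllib.parse import parse_qs, urlsplit

# Option names that conventionally carry a secret in OpenStack service
# configs. Assumption: this list is illustrative, not exhaustive.
SECRET_OPTIONS = {
    "password",
    "admin_password",
    "rabbit_password",
    "memcache_secret_key",
}

# URL-valued options whose userinfo part may embed a password.
URL_OPTIONS = {"connection", "transport_url"}

# Query parameters the SQLAlchemy MySQL dialects translate into the
# driver's TLS settings (assumption: the deployment uses one of them).
CLIENT_CERT_PARAMS = ("ssl_ca", "ssl_cert", "ssl_key")


def url_has_cleartext_password(url):
    """True if the URL's userinfo contains a password (user:pass@host)."""
    return bool(urlsplit(url).password)


def url_uses_client_cert(url):
    """True if the URL names a CA, client cert and client key for TLS."""
    query = parse_qs(urlsplit(url).query)
    return all(param in query for param in CLIENT_CERT_PARAMS)


def audit_config(text, path="<inline>"):
    """Return (path, section, option, reason) findings for one config file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if option in URL_OPTIONS:
                if url_has_cleartext_password(value):
                    findings.append((path, section, option,
                                     "cleartext password in URL"))
                elif option == "connection" and not url_uses_client_cert(value):
                    # No password and no client certificate: the service
                    # has no credential to the database at all.
                    findings.append((path, section, option,
                                     "no password and no client certificate"))
            elif option in SECRET_OPTIONS and value.strip():
                findings.append((path, section, option, "cleartext secret"))
    return findings


# Constructed sample: the kind of keystone.conf an audit complains about.
BEFORE = """
[database]
connection = mysql+pymysql://keystone:s3cret@overcloud-db.example.com/keystone

[oslo_messaging_rabbit]
rabbit_password = guest
"""

# Constructed sample: same service authenticating to MySQL with an X.509
# client certificate issued by the FreeIPA CA; no password anywhere.
AFTER = """
[database]
connection = mysql+pymysql://keystone@overcloud-db.example.com/keystone?ssl_ca=/etc/ipa/ca.crt&ssl_cert=/etc/pki/tls/certs/keystone-db.crt&ssl_key=/etc/pki/tls/private/keystone-db.key
"""


def main():
    for name, text in (("before", BEFORE), ("after", AFTER)):
        findings = audit_config(text, path=name)
        print(f"{name}: {len(findings)} finding(s)")
        for _, section, option, reason in findings:
            print(f"  [{section}] {option}: {reason}")


if __name__ == "__main__":
    main()
```

The client side is only half of the change. The matching MySQL account must be created with REQUIRE SUBJECT '...' AND ISSUER '...' naming the certificate the FreeIPA CA issued to that service, rather than a bare REQUIRE X509: X509 alone accepts any client certificate that chains to a CA the server trusts, so every enrolled host's certificate would satisfy it and the per-service identity the thread is after would be lost.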