[Openstack] AuthN/AuthZ

Aaron Knister aaron.knister at gmail.com
Tue May 7 17:52:06 UTC 2013


Hi Everyone,

I'm looking for feedback and input about what other sites are doing for
authentication and authorization with OpenStack.

First, some background:

I'm currently evaluating OpenStack (Grizzly), specifically working on
integration with Active Directory. I'm unable to modify the schema to allow
groupOfNames as a SUP of organizationalRole, so I've implemented a
workaround using OpenLDAP and several of its overlays and backends to sit in
front of AD. That all works just fine; however, I really would like to be
able to map AD groups to roles/tenants. I suspect I'll end up writing some
code to do this-- shouldn't be too hard.

Also on the subject of Active Directory, it's a show stopper for me to put
un-encrypted AD credentials in environment variables to then pass to the
various openstack CLI progs. My ideal workaround would be to use Kerberos
authentication, which I actually have working. I set up keystone to run under
apache based on this documentation with some tweaks here and there:

http://docs.openstack.org/developer/keystone/external-auth.html

I created an openstack client auth plugin (based on the VOMS auth plugin)
using requests_kerberos and this works well with the nova client, however
none of the other client tools, including horizon, seem to support
authentication plugins or the external authentication concept in general.

So, here are my questions:

- How have other folks handled integration of OpenStack with existing
authN/authZ infrastructures? I'm particularly interested in the automatic
mapping of existing LDAP groups to roles/tenants within openstack.
- Are there plans to add support for the auth plugins to the *client
modules and CLI tools going forward? I'd be interested in contributing this
if it's on the roadmap and hasn't been done yet.
- Are there plans to add support for auth plugins/external auth in
Horizon? As above, I'm interested in implementing this if there's interest.
- I see vague references in the documentation/*client code to using
certificates for authentication (without the need for httpd external
authentication) which would also eliminate the
credentials-in-environment-variables issue. Is using PKI for authentication
going to be supported? If so what's the status?

Thanks in advance!

-Aaron
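The post says the AD-group-to-tenant/role mapping will probably end up as custom code. The block below is an added illustration of what such a mapping step looks like; it is not the poster's code and not part of Keystone. The group DNs, tenant names, role names and the mapping table are all constructed for the example, and the functions only compute the desired assignments and the grant/revoke delta; pushing that delta into Keystone (via its role-assignment API) is left to the caller. Two practical points it handles: AD returns memberOf DNs in mixed case with optional spaces after commas, so DNs are normalized before lookup (respecting backslash-escaped commas inside RDN values), and the mapping is deny-by-default, so groups not in the table grant nothing.

```python
"""Map Active Directory group membership to OpenStack tenant/role pairs.

Added example for illustration only. Assumptions (not from the post or from
Keystone): a static mapping table from group DN to (tenant, role) pairs, and a
caller that applies the returned grant/revoke sets with the Keystone API.
"""
from typing import Dict, List, Set, Tuple

Assignment = Tuple[str, str]  # (tenant, role)

# Hypothetical mapping: which AD groups confer which tenant/role assignments.
GROUP_MAP: Dict[str, List[Assignment]] = {
    "cn=cloud-admins,ou=groups,dc=example,dc=com": [("admin", "admin")],
    "cn=project-x-devs,ou=groups,dc=example,dc=com": [("project-x", "Member")],
    "cn=project-x-leads,ou=groups,dc=example,dc=com": [
        ("project-x", "Member"),
        ("project-x", "ProjectLead"),
    ],
}


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas; a backslash-escaped comma stays in its RDN."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(c)
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: trimmed RDNs, lower-cased (AD DNs are case-insensitive)."""
    return ",".join(rdn.strip().lower() for rdn in split_rdns(dn))


def assignments_for(member_of: List[str],
                    group_map: Dict[str, List[Assignment]] = GROUP_MAP) -> Set[Assignment]:
    """Deny by default: only groups present in the map contribute assignments."""
    norm_map = {normalize_dn(k): v for k, v in group_map.items()}
    desired: Set[Assignment] = set()
    for dn in member_of:
        for assignment in norm_map.get(normalize_dn(dn), []):
            desired.add(assignment)
    return desired


def diff_assignments(current: Set[Assignment],
                     desired: Set[Assignment]) -> Tuple[Set[Assignment], Set[Assignment]]:
    """Return (to_grant, to_revoke) so a sync job converges Keystone to what AD says."""
    return desired - current, current - desired


# Constructed memberOf values, in the mixed-case, space-after-comma form AD emits.
SAMPLE_MEMBER_OF = [
    "CN=project-x-devs, OU=Groups, DC=example, DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",  # not in the map: grants nothing
]

# Constructed "current state": the user was an admin before being removed from that group.
SAMPLE_CURRENT: Set[Assignment] = {("admin", "admin"), ("project-x", "Member")}


def sync_plan(member_of: List[str] = SAMPLE_MEMBER_OF,
              current: Set[Assignment] = SAMPLE_CURRENT) -> Tuple[Set[Assignment], Set[Assignment]]:
    """Desired assignments from AD, then the delta to apply against Keystone."""
    return diff_assignments(current, assignments_for(member_of))


if __name__ == "__main__":
    grant, revoke = sync_plan()
    print("grant:", sorted(grant))
    print("revoke:", sorted(revoke))
```

Running it with the constructed sample shows nothing to grant and the stale admin role to revoke. The revoke half is the part worth keeping in any real sync job: mapping groups to roles only on login, without ever removing roles, leaves privileges behind after someone is dropped from an AD group.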