[Openstack] AuthN/AuthZ

Aaron Knister aaron.knister at gmail.com
Thu May 16 15:29:29 UTC 2013 

Thanks Adam. I was able to get that far after a *lot* of headache. AD's
typical schema doesn't map to what OpenStack is expecting, particularly as
far as the domain_id attribute is concerned.


When running Keystone under Apache HTTPD how does one use horizon?


On Wed, May 15, 2013 at 3:57 PM, Adam Young <ayoung at redhat.com> wrote:

>  Run Keystone in Apache HTPD, use Kerberos and the LDAP backend to talk
> to AD.
>
>
>
> On 05/14/2013 06:11 PM, Aaron Knister wrote:
>
>  *bump*
>
>  Here's the tl;dr version:
>
> - How have other folks handled integration of OpenStack with existing
> authN/authZ infrastructures? I'm particularly interested in the automatic
> mapping of existing LDAP groups to roles/tenants within openstack.
> - Are there plans to add support for the auth plugins to the *client
> modules and CLI tools going forward? I'd be interested in contributing this
> if it's on the roadmap and hasn't been done yet.
> - Are there plans to add support for auth plugins/external au th to
> Horizon? As above, I'm interested in implementing this if there's interest.
>  - I see vague references in the documentation/*client code to using
> certificates for authentication (without the need for httpd external
> authentication) which would also eliminate the credentials-in-environment-
> variables issue. Is using PKI for authentication going to be supported? If
> so what's the status?
>
>  Am I perhaps posting this to the wrong list? I didn't get any replies
> from my original post.
>
>  Thanks!
>
> -Aaron
>
>
>
> On Tue, May 7, 2013 at 1:52 PM, Aaron Knister <aaron.knister at gmail.com>wrote:
>
>>     Hi Everyone,
>>
>>  I'm looking for feedback and input about what other sites are doing for
>> authentication and authorization with OpenStack.
>>
>>  First, some background:
>>
>>  I'm currently evaluating OpenStack (Grizzly), specifically working on
>> integration with Active Directory. I'm unable to modify the schema to allow
>> groupOfNames as a SUP of organizationalRole so I've implemented a
>> workaround using openldap and several of its overlays backends to sit in
>> front of AD. That all works just fine, however I really would like to be
>> able to map AD groups to roles/tenants. I suspect I'll end up writing some
>> code to do this-- shouldn't be too hard.
>>
>>  Also on the subject of Active Directory, it's a show stopper for me to
>> put un-encrypted AD credentials in environment variables to then pass to
>> the various openstack CLI progs. My ideal workaround would be to use
>> Kerberos authentication which I actually have working. I setup keystone to
>> run under apache based on this documentation with some tweaks here and
>> there:
>>
>> http://docs.openstack.org/developer/keystone/external-auth.html
>>
>>  I created an openstack client auth plugin (based on the VOMS auth
>> plugin) using requests_kerberos and this works well with the nova client,
>> however none of the other client tools, including horizon, seem to support
>> authentication plugins or the external authentication concept in general.
>>
>>  So, here are my questions:
>>
>>  - How have other folks handled integration of OpenStack with existing
>> authN/authZ infrastructures? I'm particularly interested in the automatic
>> mapping of existing LDAP groups to roles/tenants within openstack.
>>  - Are there plans to add support for the auth plugins to the *client
>> modules and CLI tools going forward? I'd be interested in contributing this
>> if it's on the roadmap and hasn't been done yet.
>>  - Are there plans to add support for auth plugins/external au th to
>> Horizon? As above, I'm interested in implementing this if there's interest.
>>  - I see vague references in the documentation/*client code to using
>> certificates for authentication (without the need for httpd external
>> authentication) which would also eliminate the
>> credentials-in-environment-variables issue. Is using PKI for authentication
>> going to be supported? If so what's the status?
>>
>>  Thanks in advance!
>>
>> -Aaron
>>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130516/ea183fa1/attachment.html>

More information about the Openstack mailing list