[Openstack] AuthN/AuthZ
Adam Young
ayoung at redhat.com
Mon May 20 14:22:51 UTC 2013
On 05/16/2013 11:29 AM, Aaron Knister wrote:
> Thanks Adam. I was able to get that far after a *lot* of headache.
> AD's typical schema doesn't map to what OpenStack is expecting,
> particularly as far as the domain_id attribute is concerned.
Sorry about that. I am not too fond of our Domain_id thing either, and
am working to rectify it:
>
>
> When running Keystone under Apache HTTPD how does one use horizon?
No change. You can report ports other than 5000/35357 for Keystone's
service catalog if you want to have Keystone serve on 443. Or, you can
have apache listen on the usual keystone ports. You will want Keystone
on a separate machine from Horizon.
>
>
> On Wed, May 15, 2013 at 3:57 PM, Adam Young <ayoung at redhat.com> wrote:
>
> Run Keystone in Apache HTTPD, use Kerberos and the LDAP backend to
> talk to AD.
>
>
>
> On 05/14/2013 06:11 PM, Aaron Knister wrote:
>> *bump*
>>
>> Here's the tl;dr version:
>>
>> - How have other folks handled integration of OpenStack with
>> existing authN/authZ infrastructures? I'm particularly interested
>> in the automatic mapping of existing LDAP groups to roles/tenants
>> within openstack.
>> - Are there plans to add support for the auth plugins to the
>> *client modules and CLI tools going forward? I'd be interested in
>> contributing this if it's on the roadmap and hasn't been done yet.
>> - Are there plans to add support for auth plugins/external auth
>> to Horizon? As above, I'm interested in implementing this if
>> there's interest.
>> - I see vague references in the documentation/*client code to
>> using certificates for authentication (without the need for httpd
>> external authentication) which would also eliminate the
>> credentials-in-environment-variables issue. Is using PKI for
>> authentication going to be supported? If so what's the status?
>>
>> Am I perhaps posting this to the wrong list? I didn't get any
>> replies from my original post.
>>
>> Thanks!
>>
>> -Aaron
>>
>>
>>
>> On Tue, May 7, 2013 at 1:52 PM, Aaron Knister <aaron.knister at gmail.com> wrote:
>>
>> Hi Everyone,
>>
>> I'm looking for feedback and input about what other sites are
>> doing for authentication and authorization with OpenStack.
>>
>> First, some background:
>>
>> I'm currently evaluating OpenStack (Grizzly), specifically
>> working on integration with Active Directory. I'm unable to
>> modify the schema to allow groupOfNames as a SUP of
>> organizationalRole so I've implemented a workaround using
>> openldap and several of its overlays and backends to sit in front
>> of AD. That all works just fine, however I really would like
>> to be able to map AD groups to roles/tenants. I suspect I'll
>> end up writing some code to do this-- shouldn't be too hard.
>>
>> Also on the subject of Active Directory, it's a show stopper
>> for me to put un-encrypted AD credentials in environment
>> variables to then pass to the various openstack CLI progs. My
>> ideal workaround would be to use Kerberos authentication
>> which I actually have working. I set up keystone to run under
>> apache based on this documentation with some tweaks here and
>> there:
>>
>> http://docs.openstack.org/developer/keystone/external-auth.html
>>
>> I created an openstack client auth plugin (based on the VOMS
>> auth plugin) using requests_kerberos and this works well with
>> the nova client, however none of the other client tools,
>> including horizon, seem to support authentication plugins or
>> the external authentication concept in general.
>>
>> So, here are my questions:
>>
>> - How have other folks handled integration of OpenStack with
>> existing authN/authZ infrastructures? I'm particularly
>> interested in the automatic mapping of existing LDAP groups
>> to roles/tenants within openstack.
>> - Are there plans to add support for the auth plugins to the
>> *client modules and CLI tools going forward? I'd be
>> interested in contributing this if it's on the roadmap and
>> hasn't been done yet.
>> - Are there plans to add support for auth plugins/external auth
>> to Horizon? As above, I'm interested in implementing this
>> if there's interest.
>> - I see vague references in the documentation/*client code to
>> using certificates for authentication (without the need for
>> httpd external authentication) which would also eliminate the
>> credentials-in-environment-variables issue. Is using PKI for
>> authentication going to be supported? If so what's the status?
>>
>> Thanks in advance!
>>
>> -Aaron
>>
>>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack at lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>
>
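As an added example (not code from this thread, from the Keystone project, or from the linked external-auth page): an httpd virtual host that does what Adam describes above, with Apache listening on 443 in front of Keystone and Kerberos handled by httpd via mod_auth_kerb, so the service catalog endpoints can point at the 443 URL instead of 5000/35357. The hostname, realm, keytab, certificate paths and the WSGI script paths are placeholders; the two WSGIScriptAlias targets are assumed to be Keystone's main/admin WSGI entry points installed by hand.

```apache
# Added example: Apache httpd 2.2-era vhost fronting Keystone on 443.
# Every hostname, path and realm below is an assumption, not a value from the thread.
Listen 443
<VirtualHost *:443>
    ServerName keystone.example.com

    # Terminate TLS in httpd; the CLI tools and Horizon then talk https to 443.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/keystone.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/keystone.example.com.key

    # Assumed location of Keystone's WSGI scripts (main = 5000-style API, admin = 35357-style API).
    WSGIDaemonProcess keystone user=keystone group=keystone processes=2 threads=4
    WSGIProcessGroup keystone
    WSGIScriptAlias /keystone/main  /var/www/keystone/main
    WSGIScriptAlias /keystone/admin /var/www/keystone/admin

    # Only the token request is protected by Kerberos. On success httpd sets
    # REMOTE_USER, which Keystone's external-auth plugin takes as the user name.
    <Location /keystone/main/v2.0/tokens>
        AuthType Kerberos
        AuthName "Keystone (Kerberos)"
        KrbMethodNegotiate On
        # Refuse the password fallback so AD credentials never cross the wire here.
        KrbMethodK5Passwd Off
        KrbServiceName HTTP
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/httpd.keytab
        # Strip @EXAMPLE.COM so REMOTE_USER matches the bare LDAP user name (assumption
        # about how the LDAP backend is keyed; cross-realm principals keep their suffix).
        KrbLocalUserMapping On
        Require valid-user
    </Location>
</VirtualHost>
```

The security-relevant point is the trust placed in REMOTE_USER: once Keystone accepts it as an authenticated identity, the WSGI application must be reachable only through this httpd instance, never on a plain port where a client could supply its own REMOTE_USER-equivalent, and only the paths that really need external auth should be placed under the Kerberos Location block so token validation by other services is not forced through Negotiate.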