On 10/09/2013 08:43 PM, Fox, Kevin M wrote:
> Thanks for the docs. It looks like I got through all of that already, it's the
> authentication module part that is throwing me.
> I managed to manually get a token by putting mod_krb5 on <Location /keystone/main/v2.0/tokens>
> and using curl against it, giving curl a username/password.
> If I try and give that generated token back though it's failing because krb5
> wants a username and password.
That is not right. krb5 should use Negotiate, not basic auth, and you
should not need UID/PW in order to get a token.
> I guess I need one endpoint url to take in a kerb5 username/password and give
> me a token.
No, a krb service ticket, not password.
> another url to validate tokens I guess. Maybe that's what the split between
> main and admin is for though?
Validation probably should not be done via Kerberos, unless you have a
way to automatically update the service tickets for Nova etc. There are
mechanisms for doing that in the latest version of the GSSAPI, but I
would not expect it to be in the current RHEL6 or the latest LTS of
Ubuntu yet. So the validate calls need to go to a URL not protected
via Kerberos.
> And none of the clients seem to pass a basic auth username/password, so I'd
> have to modify all of those too? I think it's a middleware thing though, so I
> might be able to tweak them all at once?
Correct. I am working on a patch for Basic-Auth in Icehouse, but it
won't be in Havana.
> Thanks,
> Kevin
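Apache configuration showing the split the reply above describes: Negotiate-only Kerberos on the token-issuing path so REMOTE_USER is set, and no Kerberos on the admin port that services use for validation. This is an added example, not configuration from the thread; it uses the WSGIScriptAlias layout from Mark's notes, and the realm EXAMPLE.COM and the keytab path are placeholders.

```apache
# Added example, not configuration from the thread. Assumes mod_auth_kerb
# and a keytab holding HTTP/havanatest@EXAMPLE.COM; the realm and the
# keytab path are placeholders. TLS directives as in Mark's vhosts go
# inside each VirtualHost and are left out here.
<VirtualHost _default_:5000>
    WSGIScriptAlias / /usr/lib/cgi-bin/keystone/main
    WSGIProcessGroup keystone
    # Keystone honours REMOTE_USER, so only the token-issuing path needs
    # the Apache auth plugin, not the whole tree.
    <Location /v2.0/tokens>
        AuthType Kerberos
        AuthName "Keystone"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/apache2/keystone.keytab
        # Negotiate only: the client presents a Kerberos service ticket.
        KrbMethodNegotiate On
        # Never fall back to a username/password prompt. The default is On,
        # which is why mod_auth_kerb was asking curl for credentials.
        KrbMethodK5Passwd Off
        # Strip @EXAMPLE.COM so REMOTE_USER matches the Keystone user name.
        KrbLocalUserMapping On
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost _default_:35357>
    WSGIScriptAlias / /usr/lib/cgi-bin/keystone/admin
    WSGIProcessGroup keystone
    # No Kerberos on the admin port: token validation from Nova and the
    # other services goes here and must not depend on a service ticket
    # that those services have no way to renew.
</VirtualHost>
```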
________________________________________
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) [mark.m.mil...@hp.com]
Sent: Wednesday, October 09, 2013 5:17 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
Hi Kevin,
It has been awhile, but here are some notes I took.
Regards,
Mark Miller
---------------------------------
Keystone Apache2 frontend Installation and Configuration
Instructions below are based off of documentation/examples from URL
https://keystone-voms.readthedocs.org/en/latest/requirements.html
Install Apache2 WSGI with mod_ssl enabled. To do so, install the packages, and
enable the relevant modules:
sudo apt-get install apache2 libapache2-mod-wsgi
sudo a2enmod ssl
sudo ufw disable #Note: not sure if need to disable firewall
Then configure your Apache server to use CA certificates. If you have some installed in
the default location, enable the default-ssl site (a2ensite default-ssl) and modify its
configuration file (normally in /etc/apache2/sites-enabled/default-ssl). If not, create
configuration file "/etc/apache2/sites-enabled/keystone" for your keystone
installation.
Note: I created file "/etc/apache2/sites-enabled/keystone" shown below.
Example:
WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10
Listen 5000
<VirtualHost _default_:5000>
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache.cert
SSLCertificateKeyFile /etc/ssl/private/apache.key
SSLCACertificatePath /etc/ssl/certs
SSLCARevocationPath /etc/ssl/certs
SSLVerifyClient optional
SSLVerifyDepth 10
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLOptions +StdEnvVars +ExportCertData
WSGIScriptAlias / /usr/lib/cgi-bin/keystone/main
WSGIProcessGroup keystone
</VirtualHost>
Listen 35357
<VirtualHost _default_:35357>
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache.cert
SSLCertificateKeyFile /etc/ssl/private/apache.key
SSLCACertificatePath /etc/ssl/certs
SSLCARevocationPath /etc/ssl/certs
SSLVerifyClient optional
SSLVerifyDepth 10
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLOptions +StdEnvVars +ExportCertData
WSGIScriptAlias / /usr/lib/cgi-bin/keystone/admin
WSGIProcessGroup keystone
</VirtualHost>
Note1: By changing settings in this file you can turn on and off the
Apache2-SSL frontend to Keystone (directive SSLEngine).
Note2: The "[ssl]" section of file "keystone.conf" needs to match this file in
that if SSL is turned on in one of them, then it needs to be turned on in the other.
To run keystone as a WSGI app, copy file "keystone.py" to the correct location
and create links to it.
sudo mkdir -p /usr/lib/cgi-bin/keystone
sudo cp /<path>/keystone-2013.2.b2/httpd/keystone.py /usr/lib/cgi-bin/keystone/keystone.py
sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/main
sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/admin
If the keystone service is running, shut it down. The Apache2 service will now start up
as many instances of keystone as are specified on the first line of file
"/etc/apache2/sites-enabled/keystone".
sudo service keystone stop
Adjust the "keystone.py" file to point to your keystone configuration file "if" it is not
in the default location (i.e. "/etc/keystone/keystone.conf").
Note: I did not make any changes to file keystone.py.
Add variable OPENSSL_ALLOW_PROXY_CERTS to your Apache2 environment file
"/etc/apache2/envvars" so that X.509 proxy certificates are accepted by
OpenSSL.
export OPENSSL_ALLOW_PROXY_CERTS=1
If you don't have server certificates for your Apache2 server, generate your
own self-signed certificates following instructions from URL:
https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache.key -out /etc/ssl/certs/apache.cert
When prompted, use the name of your server for the common name.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Corvallis
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hewlett-Packard
Organizational Unit Name (eg, section) []:CloudOS
Common Name (e.g. server FQDN or YOUR name) []:havanatest
Email Address []:mark.m.mil...@hp.com
Add the server name to your "/etc/hosts" file.
127.0.1.1 havanatest
Add the full IP address and server name to your REST client computer's
"/etc/hosts" file. The name in the REST client URL must match the name of the
server/common-name found in the certificate.
15.253.57.66 havanatest
I ran into a problem with the Apache2 server startup because it was not able to reliably
determine my test server's fully qualified domain name. Following instructions from the
following URL allowed me to bypass this issue by adding the server name to file
"/etc/apache2/httpd.conf".
http://aslamnajeebdeen.com/blog/how-to-fix-apache-could-not-reliably-determine-the-servers-fully-qualified-domain-name-using-127011-for-servername-error-on-ubuntu
Example:
servername havanatest
Finally, restart the Apache2 service and check to see that apache2 and keystone
are running.
sudo service apache2 restart
ps -ef | grep apache2
root 4463 1 1 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 4464 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
keystone 4468 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
keystone 4469 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
keystone 4470 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 4471 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 4472 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
root 4564 2483 0 10:41 pts/2 00:00:00 grep --color=auto apache2
ps -ef | grep keystone
keystone 4468 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
keystone 4469 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
keystone 4470 4463 0 10:41 ? 00:00:00 /usr/sbin/apache2 -k start
root 4566 2483 0 10:42 pts/2 00:00:00 grep --color=auto keystone
With the above configuration and assuming that the Keystone host is
"havanatest", the Keystone endpoint URLs will be as follows:
* https://havanatest:5000/v3
* https://havanatest:35357/v3
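The SSLProtocol and SSLCipherSuite lines in the vhosts above still allow SSLv3, RC4 and LOW-grade ciphers, and SSLVerifyClient optional against the whole system CA store accepts a client certificate from any of those CAs. Below is an added, tightened version of the TLS block for the same vhosts; it is not from Mark's notes, and it assumes mod_ssl on Apache 2.2 or later with the certificate paths from the notes.

```apache
# Added example, not from the notes: the TLS directives of the 5000/35357
# vhosts with the weak settings tightened. Paste into both VirtualHost blocks.
SSLEngine on
SSLCertificateFile    /etc/ssl/certs/apache.cert
SSLCertificateKeyFile /etc/ssl/private/apache.key

# As posted (weak):
#   SSLProtocol all -SSLv2
#   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Tightened: no SSLv2/SSLv3, no anonymous, NULL, export, RC4 or MD5 suites,
# and the server's preference order wins over the client's.
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
SSLHonorCipherOrder on

# Client certificates are only needed for the VOMS proxy-certificate case.
# "optional" still admits any certificate chaining to a CA in the path, so
# point SSLCACertificatePath at a directory holding only the CAs that should
# be able to issue Keystone client certificates, not the system store.
SSLVerifyClient optional
SSLVerifyDepth 10
SSLCACertificatePath /etc/ssl/keystone-client-cas   # placeholder directory
SSLCARevocationPath  /etc/ssl/keystone-client-cas   # placeholder directory
SSLOptions +StdEnvVars +ExportCertData
```

Leave SSLVerifyClient out entirely if no client presents certificates; that removes the client-CA trust decision altogether.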
-----Original Message-----
From: Fox, Kevin M [mailto:kevin....@pnnl.gov]
Sent: Wednesday, October 09, 2013 4:59 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
I've just started playing around with Keystone under Apache. I have
managed to get it embedded now and all services talking to it.
Now, I'm trying to get it to do apache authentication. The documentation
states that it should honor REMOTE_USER if it's present.
The default wsgi-keystone.conf has this in it:
<Location "/keystone">
NSSRequireSSL
Authtype none
</Location>
Which Locations do you put Apache auth plugins on? Putting it on all of
/keystone seems wrong. I tried putting it only on <Location "/keystone/main/v2.0/tokens">
and that didn't work either...
Looking at the token api, it doesn't look like it does basic auth at all,
expecting the username/password to be passed through a json document? So perhaps
what I am trying to do will never work? Do I have to set some flag to get
python-keystoneclient/Dashboard to pass the username/password as
basicauth instead of in a json form?
Thanks,
Kevin
________________________________________
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
[mark.m.mil...@hp.com]
Sent: Monday, August 12, 2013 4:17 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
Progress: Got Keystone working under Apache2 with HTTP based on the
following 2 URLs. HTTPS is next.
https://keystone-voms.readthedocs.org/en/latest/requirements.html
https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
Mark
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Monday, August 12, 2013 3:10 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
Looks like I may be ahead of the game. It doesn't look like this blueprint has
been started yet. Am I correct?
https://blueprints.launchpad.net/devstack/+spec/devstack-setup-apache-keystone
A very valuable feature of Keystone is to configure it to leverage apache as
its front end. As a means of demonstrating how this works, and to facilitate
automated testing of this configuration in the future, support to devstack will
be added to enable it to optionally install and configure keystone using
apache as its front end. The design approach used will be that described in the
keystone docs:
https://github.com/openstack/keystone/blob/master/doc/source/apache-httpd.rst
Thanks,
Mark
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Monday, August 12, 2013 1:45 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
The commands/libraries do not exist for Ubuntu, Keystone no longer starts
up, directories between the sets of documents do not match, ...
From: Dolph Mathews [mailto:dolph.math...@gmail.com]
Sent: Monday, August 12, 2013 1:41 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
What problem(s) are you running into when following the above
documentation / examples?
On Mon, Aug 12, 2013 at 3:32 PM, Miller, Mark M (EB SW Cloud - R&D -
Corvallis) <mark.m.mil...@hp.com> wrote:
Hello,
I am looking for documentation on how to install/configure Apache2 as the
Keystone front end for "Ubuntu 12.04". I have found various documentation
snippets for a variety of applications and operating systems, but nothing for
Ubuntu. Any pointers would greatly be appreciated. I have been trying to
piece the installation/configuration from the following URLs but have yet to
be successful.
http://docs.openstack.org/developer/keystone/apache-httpd.html#keystone-configuration
https://keystone-voms.readthedocs.org/en/latest/requirements.html
https://github.com/enovance/keystone-wsgi-apache/blob/master/provision.sh
http://adam.younglogic.com/2012/04/keystone-httpd/
Regards,
Mark
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
-Dolph