On 02/24/2015 01:53 PM, Sanket Lawangare wrote:
Hello Everyone,

My name is Sanket Lawangare. I am a graduate student studying at The University of Texas at San Antonio. For my Master's Thesis I am working on the Identity component of OpenStack. My research is to investigate external authentication with Identity (Keystone) using Kerberos.


Based on reading Jamie Lennox's blogs on the Kerberos implementation in OpenStack and my understanding of Kerberos, I have come up with a figure explaining the possible interaction of the KDC with the OpenStack client, Keystone and the OpenStack services (Nova, Cinder, Swift...).

These are the blogs:

http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/

http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/

I am trying to understand the working of Kerberos in OpenStack.


Please click this link to view the figure: https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing


P.S. - [The steps in this figure are self-explanatory; a basic understanding of Kerberos is expected]


Based on the figure I had a couple of questions:


1. Is Nova or other services registered with the KDC?

Not yet. Kerberos is only used for Keystone at the moment, with work underway to make Horizon work with Keystone. Since many of the services only run in Eventlet, not in HTTPD, Kerberos support is hard to support. Ideally, yes, we would do Kerberos direct to Nova, and either use the token binding mechanism, or better yet, not even provide a token...but that is more work.




2. What does Keystone do with the Kerberos ticket/credentials? Does Keystone authenticate the users and give them direct access to other services such as Nova, Swift etc.?


They are used for authentication, and then the Keystone server uses the principal to resolve the username and user id. The rest of the data comes out of LDAP.


3. After receiving the Ticket from the KDC, does Keystone embed some Kerberos credential information in the token?

No, it is mapped to the OpenStack user id and username.


4. What information does the service (e.g. Nova) see in the Ticket and the token (does the token have some Kerberos info or some customized info inside it?).


No Kerberos ticket goes to Nova.


If you could share your insights and guide me on this, I would really appreciate it. Thank you all for your time.



Let me know if you have more questions. Really let me know if you want to help coding.


Regards,

Sanket Lawangare
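The answers above describe the flow in three sentences: Apache authenticates the Kerberos ticket, Keystone only takes the principal that the web server hands it, maps it to an OpenStack username and user id (everything else comes from LDAP), and the resulting token carries no Kerberos material at all. The following Python is an added example written for this thread, not Keystone's own code and not from the blogs linked above. It models that mapping end to end with a constructed in-memory directory (`FAKE_LDAP`), a hypothetical realm-to-domain table (`REALM_TO_DOMAIN`) and invented user ids; the `AUTH_TYPE == "Negotiate"` check is an assumption about how a Kerberos-only auth method should behave, namely refusing a `REMOTE_USER` that some other Apache auth module may have set.

```python
"""Model of external Kerberos authentication in front of Keystone.

Added example, not Keystone's code. Names, ids and directory contents are
constructed for illustration.
"""
from typing import Dict, Tuple


class AuthError(Exception):
    """Raised when a request cannot be mapped to an OpenStack user."""


# Constructed stand-in for the LDAP directory Keystone would consult,
# keyed by Kerberos realm and then by the user part of the principal.
FAKE_LDAP: Dict[str, Dict[str, dict]] = {
    "EXAMPLE.COM": {
        "alice": {"id": "u-1001", "email": "alice@example.com"},
        "bob": {"id": "u-1002", "email": "bob@example.com"},
    },
}

# Hypothetical mapping from Kerberos realm to Keystone domain id. The blog
# setup referenced in the thread uses a single realm and the default domain.
REALM_TO_DOMAIN: Dict[str, str] = {"EXAMPLE.COM": "default"}


def parse_principal(remote_user: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, REALM), rejecting anything else.

    Host and service principals (those containing '/') are not end users
    and must not be mapped to an account.
    """
    if remote_user.count("@") != 1:
        raise AuthError("expected exactly one user@REALM principal")
    name, realm = remote_user.split("@")
    if not name or not realm or "/" in name:
        raise AuthError("malformed or non-user principal")
    return name, realm


def authenticate(environ: dict) -> dict:
    """Map the web server's authenticated principal to an OpenStack user.

    Keystone never sees the ticket itself; it trusts REMOTE_USER only when
    the server reports that it was produced by SPNEGO/Negotiate. Everything
    beyond username and id is looked up in the directory.
    """
    if environ.get("AUTH_TYPE") != "Negotiate":
        raise AuthError("REMOTE_USER was not set by Kerberos (Negotiate)")
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        raise AuthError("no REMOTE_USER in environment")
    name, realm = parse_principal(remote_user)
    domain_id = REALM_TO_DOMAIN.get(realm)
    if domain_id is None:
        raise AuthError("realm %s is not mapped to any domain" % realm)
    record = FAKE_LDAP.get(realm, {}).get(name)
    if record is None:
        raise AuthError("no directory entry for %s in %s" % (name, realm))
    return {
        "id": record["id"],
        "name": name,
        "domain_id": domain_id,
        "email": record["email"],
    }


def issue_token(user: dict) -> dict:
    """Build the identity part of a token: OpenStack user data only.

    No principal, realm or ticket is copied in, which is why a service
    such as Nova only ever sees the OpenStack user id and name.
    """
    return {
        "methods": ["kerberos"],
        "user": {
            "id": user["id"],
            "name": user["name"],
            "domain": {"id": user["domain_id"]},
        },
    }


if __name__ == "__main__":
    # Constructed WSGI environment as mod_auth_kerb would leave it.
    env = {"AUTH_TYPE": "Negotiate", "REMOTE_USER": "alice@EXAMPLE.COM"}
    print(issue_token(authenticate(env)))
```

Running it with the constructed environment prints a token whose only identity fields are the OpenStack user id, name and domain. Swapping `AUTH_TYPE` for anything other than `Negotiate`, or passing a `host/` principal, raises `AuthError` before any directory lookup happens.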



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
