On 02/24/2015 01:53 PM, Sanket Lawangare wrote:
Hello Everyone,
My name is Sanket Lawangare. I am a graduate student studying at The
University of Texas at San Antonio. For my Master's Thesis I am
working on the Identity component of OpenStack. My research is to
investigate external authentication with Identity (Keystone) using
Kerberos.
Based on reading Jamie Lennox's blogs on the Kerberos implementation in
OpenStack and my understanding of Kerberos, I have come up with a
figure explaining the possible interaction of the KDC with the OpenStack
client, Keystone and the OpenStack services (Nova, Cinder, Swift...).
These are the blogs:
http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/
I am trying to understand the working of Kerberos in OpenStack.
Please click this link to view the figure:
https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing
P.S. - [The steps in this figure are self-explanatory; a basic
understanding of Kerberos is expected.]
Based on the figure I had a couple of questions:
1. Are Nova or other services registered with the KDC?
Not yet. Kerberos is only used for Keystone at the moment, with work
underway to make Horizon work with Keystone. Since many of the services
only run in Eventlet, not in HTTPD, Kerberos support is hard to
support. Ideally, yes, we would do Kerberos direct to Nova, and either
use the token binding mechanism, or better yet, not even provide a
token...but that is more work.
2. What does Keystone do with the Kerberos ticket/credentials? Does
Keystone authenticate the users and give them direct access to
other services such as Nova, Swift, etc.?
They are used for authentication, and then the Keystone server uses the
principal to resolve the username and user id. The rest of the data
comes out of LDAP.
3. After receiving the ticket from the KDC, does Keystone embed some
Kerberos credential information in the token?
No, it is mapped to the OpenStack user id and username.
4. What information does the service (e.g. Nova) see in the ticket and
the token? (Does the token have some Kerberos info or some
customized info inside it?)
No Kerberos ticket goes to Nova.
If you could share your insights and guide me on this, I would
really appreciate it. Thank you all for your time.
Let me know if you have more questions. Really let me know if you want
to help coding.
Regards,
Sanket Lawangare
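The answers above describe a flow in which the Kerberos ticket is consumed at Keystone only, the principal is mapped to an OpenStack user id and username (with the remaining attributes coming from LDAP), the issued token carries no Kerberos material, and a service such as Nova sees only the token, optionally bound to the principal. The following Python model is an added illustration written for this thread; it is not Keystone's code or anything from the referenced blogs. The function names (`principal_to_user`, `issue_token`, `service_accepts`), the in-memory directory standing in for LDAP, and the four bind-enforcement levels are assumptions constructed for the example.

```python
"""Simplified model of external (Kerberos) authentication against Keystone.

Added illustration, not Keystone's own code. All names, the directory
contents and the policy level names are constructed for this example.
"""
import datetime
import secrets
from typing import Optional

# Constructed stand-in for the LDAP directory that supplies the rest of the
# user's attributes once the principal has been resolved.
DIRECTORY = {
    "sanket": {"id": "u-1001", "name": "sanket", "email": "sanket@example.com"},
    "alice": {"id": "u-1002", "name": "alice", "email": "alice@example.com"},
}

# The realm the deployment trusts; anything else is refused.
TRUSTED_REALM = "EXAMPLE.COM"


def principal_to_user(principal: str, directory=DIRECTORY) -> dict:
    """Map an already-authenticated principal (as the web server hands it to
    Keystone, e.g. via REMOTE_USER) to the OpenStack user record.

    The ticket itself never reaches this function; only the principal name
    is used, and nothing Kerberos-specific is carried forward.
    """
    if "@" not in principal:
        raise ValueError("principal must be name@REALM")
    name, realm = principal.rsplit("@", 1)
    if realm != TRUSTED_REALM:
        raise PermissionError(f"untrusted realm {realm}")
    try:
        return directory[name]
    except KeyError:
        raise PermissionError(f"no OpenStack user for {principal}") from None


def issue_token(principal: str, bind_to_principal: bool = False, now=None) -> dict:
    """Issue a simplified Keystone-style token for an authenticated principal.

    The token carries the OpenStack identity, never the Kerberos credential.
    With token binding enabled it also records the principal it is bound to,
    so a service can refuse it when presented by a different principal.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    user = principal_to_user(principal)
    token = {
        "id": secrets.token_hex(16),
        "user": {"id": user["id"], "name": user["name"]},
        "issued_at": now.isoformat(),
        "expires_at": (now + datetime.timedelta(hours=1)).isoformat(),
    }
    if bind_to_principal:
        token["bind"] = {"kerberos": principal}
    return token


def service_accepts(token: dict, enforce_bind: str,
                    remote_user: Optional[str] = None) -> bool:
    """Decide whether a service (e.g. Nova) accepts a presented token.

    enforce_bind takes one of the assumed policy levels "disabled",
    "permissive", "strict" or "required". Only the token and the principal
    the service itself authenticated (remote_user) are consulted; the
    service never sees a Kerberos ticket.
    """
    bind = token.get("bind")
    if enforce_bind == "disabled":
        return True
    if bind is None:
        # Unbound token: only "required" insists on a binding.
        return enforce_bind in ("permissive", "strict")
    if "kerberos" not in bind:
        # Unknown bind type: permissive ignores it, strict/required reject it.
        return enforce_bind == "permissive"
    # Bound token: the presenting principal must match the bound one.
    return remote_user == bind["kerberos"]


if __name__ == "__main__":
    tok = issue_token("sanket@EXAMPLE.COM", bind_to_principal=True)
    print("bound token:", tok)
    print("Nova accepts (same principal):",
          service_accepts(tok, "strict", remote_user="sanket@EXAMPLE.COM"))
    print("Nova accepts (other principal):",
          service_accepts(tok, "strict", remote_user="alice@EXAMPLE.COM"))
```

Note that `issue_token` is where the answer to question 3 is visible: the only Kerberos-derived field a bound token contains is the principal name under `bind`, and an unbound token contains nothing from Kerberos at all.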
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev