Posting response to the mailing list, as I suspect others have these questions.



I understand that in the current proposed implementation only keystone runs on apache-httpd.
*1. My question is that: is it possible to move the Nova server onto the apache-httpd server just like the way the keystone server is running? And if not, then what are the technical challenges of moving it?*

If these services had the mod_auth_kerb module they would be able to validate the token.

My Keystone work was based on a Web page where someone did exactly this. I don't know what it would take to make it happen today, but it should be possible.

Much of Nova is dealing with Eventlet and the monkeypatching. Ideally, this code would be implemented in one place and then a single boolean at startup could say "monkeypatch" or "no"; this is what Keystone does.

Nova has more of a dependency on Eventlet than Keystone does, as Nova has to deal with reading messages from the message queue. This is done using a dedicated greenthread, and I don't know how this would look in an HTTPD setup.


*2. Also, I was curious to know if you tried to add the keystone middleware to nova and the other services? In this way Keystone can itself act as KDC.*

Not sure what you mean here. Keystone already has middleware running in Nova. Keystone Data is more like a Kerberos PAC than a service ticket. Keystone tokens are not limited to endpoints, and even if they were, we need to pass a token from one endpoint to another for certain workflows.


Thanks,
Sanket
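
The two points above about running services under httpd so that mod_auth_kerb can do the validation, and the answer further down the thread that Keystone uses the Kerberos principal only to resolve the username and user id (with the rest of the data coming from LDAP), can be illustrated with a small WSGI layer. This is an added example and is not code from this thread, from Keystone or from Nova. It assumes a hypothetical trusted realm `EXAMPLE.COM`, a constructed in-memory user table standing in for LDAP, and a hypothetical application called `principal_app`; under Apache with mod_auth_kerb the server performs the Kerberos exchange and exposes the authenticated principal to the application as `REMOTE_USER`, so the application never handles a ticket at all.

```python
"""
Added example (not from the thread, Keystone or Nova): mapping the principal
that a web-server Kerberos module puts in REMOTE_USER to an internal user.

The ticket itself is validated by mod_auth_kerb before the application runs;
the application only has to turn "alice@EXAMPLE.COM" into a username and a
user id, with the rest of the user record coming from a directory backend.
"""
import re

# Constructed stand-in for the LDAP/identity backend: username -> record.
USER_DIRECTORY = {
    "alice": {"id": "u-0001"},
    "bob": {"id": "u-0002"},
}
TRUSTED_REALM = "EXAMPLE.COM"  # hypothetical realm for this example

# Principal names look like primary[/instance]@REALM. Only a simple primary
# component is accepted here, so service principals with an instance part
# (host/www.example.com@REALM) are rejected rather than treated as users.
_PRINCIPAL_RE = re.compile(r"^(?P<primary>[A-Za-z0-9._-]+)@(?P<realm>[A-Z0-9.-]+)$")


class AuthError(Exception):
    """Raised when REMOTE_USER cannot be mapped to a known user."""


def resolve_principal(remote_user):
    """Map an authenticated Kerberos principal to (username, user_id).

    Raises AuthError when the web server did not authenticate anyone, the
    principal is malformed, the realm is not the trusted one, or the user
    is unknown to the identity backend.
    """
    if not remote_user:
        raise AuthError("no authenticated principal in REMOTE_USER")
    match = _PRINCIPAL_RE.match(remote_user)
    if match is None:
        raise AuthError("malformed principal: %r" % remote_user)
    if match.group("realm") != TRUSTED_REALM:
        raise AuthError("untrusted realm %s" % match.group("realm"))
    username = match.group("primary")
    record = USER_DIRECTORY.get(username)
    if record is None:
        raise AuthError("principal %s has no user record" % remote_user)
    return username, record["id"]


def principal_app(environ, start_response):
    """WSGI app that trusts only the REMOTE_USER variable set by the server.

    Client-supplied headers reach WSGI as HTTP_* keys (a "Remote-User"
    request header becomes HTTP_REMOTE_USER), so a client cannot supply
    REMOTE_USER itself; only the server's authentication module sets it.
    """
    try:
        username, user_id = resolve_principal(environ.get("REMOTE_USER"))
    except AuthError as exc:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("user=%s id=%s\n" % (username, user_id)).encode()]


def call_app(environ):
    """Invoke the app with a constructed environ; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(principal_app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    print(call_app({"REMOTE_USER": "alice@EXAMPLE.COM"}))
    # A client header cannot stand in for the server-set variable.
    print(call_app({"HTTP_REMOTE_USER": "alice@EXAMPLE.COM"}))
    # A principal from another realm is refused even if the name is known.
    print(call_app({"REMOTE_USER": "alice@OTHER.ORG"}))
```

The check that matters for a deployment is the separation of duties the thread describes: the web server owns ticket validation, and the application only consumes the resulting principal and must refuse requests where it is absent or from a realm it does not trust.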

On Wed, Feb 25, 2015 at 12:39 PM, Sanket Lawangare <[email protected]> wrote:

    Thank you for replying back, Adam. Would let you know if I have any
    further doubts on it (I am pretty sure I will have many).

    Sanket

    On Tue, Feb 24, 2015 at 1:26 PM, Adam Young <[email protected]> wrote:

        On 02/24/2015 01:53 PM, Sanket Lawangare wrote:
        Hello Everyone,

        My name is Sanket Lawangare. I am a graduate student studying
        at The University of Texas at San Antonio. For my Master's
        Thesis I am working on the Identity component of OpenStack.
        My research is to investigate external authentication with
        Identity (keystone) using Kerberos.


        Based on reading Jamie Lennox's blogs on Kerberos
        implementation in OpenStack and my understanding of Kerberos,
        I have come up with a figure explaining possible interaction
        of KDC with the OpenStack client, keystone and the OpenStack
        services (Nova, Cinder, Swift...).

        These are the blogs:

        http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
        http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/

        I am trying to understand the working of Kerberos in OpenStack.


        Please click this link to view the figure:
        https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing


        P.S. - [The steps in this figure are self-explanatory; a
        basic understanding of Kerberos is expected.]


        Based on the figure I had a couple of questions:


        1. Is Nova or other services registered with the KDC?

        Not yet.  Kerberos is only used for Keystone at the moment,
        with work underway to make Horizon work with Keystone.  Since
        many of the services only run in Eventlet, not in HTTPD,
        Kerberos support is hard to support. Ideally, yes, we would do
        Kerberos direct to Nova, and either use the token binding
        mechanism, or better yet, not even provide a token...but that
        is more work.




        2. What does keystone do with Kerberos ticket/credentials?
           Does Keystone authenticate the users and give them
           direct access to other services such as Nova, Swift etc.?


        They are used for authentication, and then the Keystone server
        uses the principal to resolve the username and user id.  The
        rest of the data comes out of LDAP.


        3. After receiving the Ticket from the KDC does keystone
           embed some kerberos credential information in the token?

        No, it is mapped to the Openstack userid and username.


        4. What information does the service (e.g. Nova) see in the
           Ticket and the token (Does the token have some kerberos
           info or some customized info inside it?).


        No kerberos ticket goes to Nova.


        If you could share your insights and guide me on this, I
        would really appreciate it. Thank you all for your time.



        Let me know if you have more questions.  Really let me know if
        you want to help coding.


        Regards,

        Sanket Lawangare



        __________________________________________________________________________
        OpenStack Development Mailing List (not for usage questions)
        Unsubscribe: [email protected]?subject:unsubscribe
        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev





