On 08/19/2015 04:23 AM, Jesse Pretorius wrote:

On 12 August 2015 at 18:48, Adam Young <ayo...@redhat.com> wrote:


    The simplest one is Kerberos + SSSD;

    Kerberos provides Authentication.
    mod_lookup_identity uses SSSD to get Groups. It turns LDAP into
    another Federated identity, much simpler than the LDAP code in
    Keystone (I am responsible for that mess).

    We are working on automating this via Ansible on top of a
    RHEL/CentOS 7 install to demo in Tokyo.

    I am not certain if all the pieces are in place yet for a
    Debian-based install. Specifically, it needs an updated sssd-dbus package.

    We also have mod_mellon and Ipsilon working, as Jamie demo'ed at
    PyCon AU.


Sounds great!

Would you be prepared to put together some WIP reviews to add those to the Keystone role in openstack-ansible? Even if they're non-working sketches that we can work from and iterate on, that'd be great.

Our sample code is here:

https://github.com/jamielennox/rippowam



I wrote up a README for what we are doing:

https://github.com/admiyo/rippowam/blob/master/README.rst


The stuff you care about is here:

Setting up SSSD
https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/infopipe.yml

And https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/keystone-sssd.yml



Note that we're looking at implementing some changes to broaden the platform support too. We're moving some of the pieces into place for the Liberty [1] release and I'll be putting my thoughts down on multi-platform host enablement [2] soon. Also, considering that it'd be easier to comprehend, consume and iterate the Ansible roles if they were independent consumable units, I've also proposed [3][4] to break them out into their own repositories. It'd be great if you could provide your input.

[1] https://blueprints.launchpad.net/openstack-ansible/+spec/liberty
[2] https://blueprints.launchpad.net/openstack-ansible/+spec/multi-platform-host
[3] https://blueprints.launchpad.net/openstack-ansible/+spec/independent-role-repositories
[4] https://review.openstack.org/213779



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
