Re: [openstack-dev] Kerberos in OpenStack

2015-03-02 Thread Adam Young
Posting response to the mailing list, as I suspect others have these 
questions.

I understand that in the current proposed implementation only
keystone runs on apache-httpd.

1. My question is that- is it possible to move Nova server on the
apache-httpd server just like the way keystone server is running? And
if not then what are the technical challenges moving it?

If these services had the mod_auth_kerb module they would be able to
validate the token.


My Keystone work was based on a Web page where someone did exactly
this.  I don't know what it would take to make it happen today, but it
should be possible.


Much of Nova is dealing with Eventlet and the monkeypatching. Ideally,
this code would be implemented in one place and then a single boolean at
startup could say monkeypatch or no; this is what Keystone does.


Nova has more of a dependency on Eventlet than Keystone does, as Nova
has to deal with reading messages from the message queue.  This is done
using a dedicated greenthread, and I don't know how this would look in
an HTTPD setup.




2. Also, I was curious to know if you tried to add the keystone
middleware to nova and the other services? In this way Keystone can
itself act as KDC.


Not sure what you mean here.  Keystone already has middleware running in
Nova.  Keystone data is more like a Kerberos PAC than a service
ticket.  Keystone tokens are not limited to endpoints, and even if they
were, we need to pass a token from one endpoint to another for certain
workflows.




Thanks,
Sanket

On Wed, Feb 25, 2015 at 12:39 PM, Sanket Lawangare
sanket.lawang...@gmail.com wrote:


Thank you for replying back Adam. Would let you know if I have any
further doubts on it (I am pretty sure I will have many).

Sanket






[openstack-dev] Kerberos in OpenStack

2015-02-24 Thread Sanket Lawangare
Hello  Everyone,

My name is Sanket Lawangare. I am a graduate Student studying at The
University of Texas, at San Antonio. For my Master’s Thesis I am working on
the Identity component of OpenStack. My research is to investigate external
authentication with Identity (Keystone) using Kerberos.

Based on reading Jamie Lennox's Blogs on Kerberos implementation in
OpenStack and my understanding of Kerberos I have come up with a figure
explaining possible interaction of KDC with the OpenStack client, Keystone
and the OpenStack services (Nova, Cinder, Swift...).

These are the Blogs -

http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/

http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/

I am trying to understand the working of Kerberos in OpenStack.

Please click this link to view the figure:
https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing

P.S. - [The steps in this figure are self-explanatory; a basic
understanding of Kerberos is expected]

Based on the figure I had a couple of questions:


   1. Is Nova or other services registered with the KDC?

   2. What does keystone do with Kerberos ticket/credentials? Does Keystone
   authenticate the users and give them direct access to other services such
   as Nova, Swift etc..

   3. After receiving the Ticket from the KDC does keystone embed some
   kerberos credential information in the token?

   4. What information does the service (e.g. Nova) see in the Ticket and the
   token (Does the token have some kerberos info or some customized info
   inside it?).

If you could share your insights and guide me on this, I would really
appreciate it. Thank you all for your time.

Regards,

Sanket Lawangare
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] Kerberos in OpenStack

2015-02-24 Thread Tim Bell
You may also get some information from how we set up Kerberos at CERN at 
http://openstack-in-production.blogspot.fr/2014/10/kerberos-and-single-sign-on-with.html

From my understanding, the only connection is between Keystone and the KDC. There
is a standard Keystone token issued based off the Kerberos ticket and the rest
is the same as if a password had been supplied.

Tim



Re: [openstack-dev] Kerberos in OpenStack

2015-02-24 Thread Adam Young

On 02/24/2015 01:53 PM, Sanket Lawangare wrote:

1. Is Nova or other services registered with the KDC?

Not yet.  Kerberos is only used for Keystone at the moment, with work
underway to make Horizon work with Keystone.  Since many of the services
only run in Eventlet, not in HTTPD, Kerberos support is hard to
support.  Ideally, yes, we would do Kerberos direct to Nova, and either
use the token binding mechanism, or better yet, not even provide a
token...but that is more work.






2. What does keystone do with Kerberos ticket/credentials? Does
Keystone authenticate the users and give them direct access to
other services such as Nova, Swift etc..

They are used for authentication, and then the Keystone server uses the
principal to resolve the username and user id.  The rest of the data
comes out of LDAP.




3. After receiving the Ticket from the KDC does keystone embed some
kerberos credential information in the token?

No, it is mapped to the OpenStack userid and username.



4. What information does the service (e.g. Nova) see in the Ticket and
the token (Does the token have some kerberos info or some
customized info inside it?).

No kerberos ticket goes to Nova.



If you could share your insights and guide me on this, I would
really appreciate it. Thank you all for your time.





Let me know if you have more questions.  Really let me know if you want 
to help coding.




Regards,

Sanket Lawangare





Re: [openstack-dev] Kerberos in OpenStack

2015-02-24 Thread Sanket Lawangare
Thanks a lot for taking out time and replying back Tim. Will let you know
if I have any further questions.



Re: [openstack-dev] Kerberos in OpenStack

2015-02-24 Thread Jamie Lennox
I replied to almost exactly this email off-list and so thought I would copy my
reply to -dev.


- Original Message -
 From: Jamie Lennox jamielen...@redhat.com
 To: Sanket Lawangare sanket.lawang...@gmail.com
 Sent: Wednesday, February 25, 2015 6:39:14 AM
 Subject: Re: Kerberos in OpenStack
 
 
 
 - Original Message -
  From: Sanket Lawangare sanket.lawang...@gmail.com
  To: jamielen...@redhat.com
  Sent: Wednesday, February 25, 2015 5:43:38 AM
  Subject: Kerberos in OpenStack
  
  Hello Mr. Jamie Lennox,
  
  My name is Sanket Lawangare. I am a graduate Student studying at The
  University of Texas, at San Antonio. For my Master’s Thesis I am working on
  the Identity component of OpenStack. My research is to investigate external
  authentication with Identity (Keystone) using Kerberos. I am working with
  ICS - Institute for Cyber Security at UTSA under Mr. Farhan Patwa.
 
 Hi Sanket, we are working quite hard on kerberos at the moment so it's
 nice to have you on board.
 Make sure you hang around in #openstack-keystone on Freenode; if I'm not
 around (I'm based in Sydney so timezones clash) Adam Young (ayoung) is
 up to date on all this.
 
  Based on reading your Blogs and my understanding of Kerberos I have come up
  with a figure explaining possible interaction of KDC with the OpenStack
  client, Keystone and the OpenStack services (Nova, Cinder, Swift...). I am
  trying to understand the working of Kerberos in OpenStack.
  
  Please click this link for viewing the figure:
 
 https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing
  
  P.S. - [The steps in this figure are self-explanatory; a basic
  understanding of Kerberos is expected]
  
  Based on the figure I had a couple of questions:
  
  
  1. Is Nova or other services registered with the KDC?
 
 No, not at this time. OpenStack does all its AuthN/AuthZ for
 non-keystone services via a token. At this time we purely capture the
 POST /v3/auth/tokens route, which issues a token with kerberos and uses
 the REMOTE_USER as proof of AuthN rather than needing a user/pass. After
 this point OpenStack operates using a token as per normal.
 
  
  2. What does keystone do with Kerberos ticket/credentials? Does
  Keystone authenticate the users and give them direct access to other
  services such as Nova, Swift etc..
 
 Related to the first question, the OpenStack user information and their
 roles are encoded into the token data, which is then validated by
 auth_token middleware on each of the services. After the initial AuthN
 kerberos request we do not currently do any additional kerberos auth.
 
  
  3. After receiving the Ticket from the KDC does keystone embed some
  kerberos credential information in the token?
 
 Keystone will set 'method' in the token field to reflect the method that
 was used to authenticate the token - however I can't remember if it sets
 the method to 'kerberos' or 'external' for kerberos auth.
 
  
  4. What information does the service (e.g. Nova) see in the Ticket and
  the token (Does the token have some kerberos info or some customized
  info inside it?).
 
 No, this information is completely hidden from the other services.
  
  
  If you could share your insights and guide me on the interaction between
  these components, I would really appreciate it. Thank you for your time.
 
 So those answers are pretty short in that kerberos is really only used
 for that initial AuthN contact, after which keystone issues a token and
 everything else works without kerberos. There is an advantage to this in
 that you don't have to do the 401 Negotiate dance on every request, but
 it does lack the security of kerberos (tokens are bearer tokens and can
 be intercepted and used).
 
 I think what you are looking for is the 'token binding' feature. This is
 actually one of the first things I worked on in keystone, and we were
 simply not ready for it at the time.
 
 There is the functionality in the tokens that makes it so that a token
 can only be used in conjunction with another form of authentication, and
 the expectation we had was that kerberos would be the main candidate,
 followed by SSL client certs. It means that if you used a valid token
 without also presenting the appropriate kerberos ticket, authentication
 would fail.
 
 The reason that this never took off is due to the way service to service
 communication happens. When you ask nova to boot you a virtual machine
 it makes a number of calls to the other services, glance to get the
 image, cinder for a block store, neutron for a network connection etc.
 To do this it reuses the user token, so nova will forward the token you
 give it to each of those services - and so if you bind it to the
 kerberos ticket then the same feature that gives security essentially
 stops that sharing and OpenStack stops working.
 
 Now, there is an effort underway that when
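The token-binding behaviour Jamie describes, as an added, constructed Python model that is not Keystone or keystonemiddleware code: a Kerberized Keystone issues a bearer token, optionally recording the Kerberos principal it was issued to, and a service-side check compares that principal with the request's REMOTE_USER. The in-memory token store, the token layout and the principal names are assumptions, and the mode names follow keystonemiddleware's enforce_token_bind option in simplified form; boot_server_via_nova() models why forwarding a bound token from nova to glance fails.

```python
"""Toy model of Keystone token binding (constructed; not Keystone code)."""
import secrets

TOKENS = {}  # constructed in-memory token store: token id -> token data


class BindError(Exception):
    """Token rejected: unknown, or bound to a different identity."""


def issue_token(remote_user, bind_to_kerberos=False):
    """Model of POST /v3/auth/tokens behind mod_auth_kerb: the REMOTE_USER set
    by the web server is the proof of authentication; no password is checked."""
    data = {"user": remote_user.split("@", 1)[0], "methods": ["kerberos"]}
    if bind_to_kerberos:
        data["bind"] = {"kerberos": remote_user}  # principal the token is tied to
    token_id = secrets.token_hex(16)
    TOKENS[token_id] = data
    return token_id


def validate(token_id, remote_user=None, enforce="permissive"):
    """Model of a service-side auth_token check.  Mode names follow
    keystonemiddleware's enforce_token_bind (semantics simplified here)."""
    data = TOKENS.get(token_id)
    if data is None:
        raise BindError("unknown token")
    if enforce == "disabled":
        return data  # pure bearer token: whoever holds it is accepted
    bind = data.get("bind", {})
    if enforce == "required" and not bind:
        raise BindError("token must be bound but carries no bind block")
    if "kerberos" in bind:
        if remote_user is None:
            raise BindError("bound token presented without a Kerberos identity")
        if bind["kerberos"] != remote_user:
            raise BindError("bound to %s, presented by %s" % (bind["kerberos"], remote_user))
    elif bind and enforce in ("strict", "required"):
        raise BindError("unknown bind type(s): %s" % ", ".join(bind))
    return data


def accepted(token_id, remote_user=None, enforce="permissive"):
    """True if validate() accepts this presentation of the token."""
    try:
        validate(token_id, remote_user, enforce)
        return True
    except BindError:
        return False


def boot_server_via_nova(token_id, enforce="permissive"):
    """Model of the service-to-service flow in the thread: nova reuses the
    user's token when calling glance, which runs in Eventlet with no Kerberos
    identity (assumed principal; the forwarded hop has no REMOTE_USER)."""
    if not accepted(token_id, "alice@EXAMPLE.COM", enforce):
        return "nova rejected token"
    if not accepted(token_id, None, enforce):
        return "glance rejected forwarded token"
    return "booted"
```

With binding disabled the forwarded token boots the server, but anyone holding the token is accepted everywhere; with binding enforced the stolen-token case is rejected and so is the legitimate nova-to-glance hop, which is the trade-off the message describes.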