settingsLogin | Registersettings

Re: [openstack-dev] Kerberization (and PKI-rization) of Horizon

0 votes

On 04/19/2015 06:05 PM, Diogenes S. Jesus wrote:

Hi man.

I've seen your thread
http://lists.openstack.org/pipermail/openstack-dev/2014-June/036733.html
on OpenStack mailing list regarding using Kerberos on Horizon.

I've been pulling my hair around this topic, however I'm trying to
authenticate using X.509.

I've googled around and found only topics related to keystone external
auth - but that doesn't really solve the problem, because horizon is
the one handling the request.

If you've reached good level on this topic or can point out to some
third-party solution I would be glad.

Diogenes,

Thanks for asking this. It is a question that has come up a few times,
and should be addressed.

I think the right approach is to use Federation, in the same way that I
protoyped here:

http://adam.younglogic.com/2015/04/horizon-websso-sssd/

The short of it is that you would use the Mapped plugin for the 'X509'
protocol instead of Kerberos (maybe clientcert is a better name?) and
Have a section in your httpd section for Keystone that has (among other
settings)

||||
Require valid-user
SSLRequireSSL
|SSLVerifyClient require
|

You would then provide values in the mapping that use the SSL Variables,
such as SSLCLIENTSDN instead of REMOTEUSER

For the user database, we have support coming in Kilo for mapping to an
existing user, so you should be able to work with some version of the
LDAP backend for that, but I would suggest you look at the SSSD approach
for LDAP integration instead, as it will be usable both for Keystone and
for the VMs running managed by Nova (both Undercloud AND cloud
Authentication)

I haven't prototyped Client Cert authentication yet, unfortunately. I
would love to know if it does work, and would be willing to help work
through the gotcha's.

Thanks!

--


Diogenes S. de Jesus


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Apr 20, 2015 in openstack-dev by Adam_Young (19,940 points)   2 7 12
...