
[openstack-dev] [keystone][puppet] Federation using ipsilon

0 votes

I've done a first pass of setting up a puppet module to configure
Keystone to use ipsilon for federation, using
https://github.com/richm/puppet-apache-auth-mods, and a version of
ipsilon-client-install with patches
https://fedorahosted.org/ipsilon/ticket/141 and
https://fedorahosted.org/ipsilon/ticket/142, and a heavily modified
version of the ipa/rdo federation setup scripts -
https://github.com/richm/rdo-vm-factory.

I would like some feedback from the Keystone and puppet folks about this
approach.


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Jun 12, 2015 in openstack-dev by Rich_Megginson (3,020 points)   2 5

3 Responses

0 votes

On 06/12/2015 04:53 PM, Rich Megginson wrote:
> I've done a first pass of setting up a puppet module to configure
> Keystone to use ipsilon for federation, using
> https://github.com/richm/puppet-apache-auth-mods, and a version of
> ipsilon-client-install with patches
> https://fedorahosted.org/ipsilon/ticket/141 and
> https://fedorahosted.org/ipsilon/ticket/142, and a heavily modified
> version of the ipa/rdo federation setup scripts -
> https://github.com/richm/rdo-vm-factory.
>
> I would like some feedback from the Keystone and puppet folks about
> this approach.


I take it this is not WebSSO yet, but only Federation.

Around here...

https://github.com/richm/puppet-apache-auth-mods/blob/master/manifests/keystone_ipsilon.pp#L64

You would need to have the trusted dashboard, etc.

But I think that is what you intend. However, without an ECP setup, we
really have no way to test it.


responded Jun 13, 2015 by Adam_Young (19,940 points)   2 7 9
0 votes

On 06/12/2015 07:30 PM, Adam Young wrote:
> On 06/12/2015 04:53 PM, Rich Megginson wrote:
>
>> I've done a first pass of setting up a puppet module to configure
>> Keystone to use ipsilon for federation, using
>> https://github.com/richm/puppet-apache-auth-mods, and a version of
>> ipsilon-client-install with patches
>> https://fedorahosted.org/ipsilon/ticket/141 and
>> https://fedorahosted.org/ipsilon/ticket/142, and a heavily modified
>> version of the ipa/rdo federation setup scripts -
>> https://github.com/richm/rdo-vm-factory.
>>
>> I would like some feedback from the Keystone and puppet folks about
>> this approach.


> I take it this is not WebSSO yet, but only Federation.
>
> Around here...
>
> https://github.com/richm/puppet-apache-auth-mods/blob/master/manifests/keystone_ipsilon.pp#L64
>
> You would need to have the trusted dashboard, etc.

Right. In order to do websso, there is some additional setup that needs
to be done in the apache conf for the keystone wsgi virtual hosts (which
is in the rdo-federation-setup script). There is also some additional
configuration to do to Horizon to enable federated auth and/or websso.

> But I think that is what you intend.

Right. What I've done so far is only the first step.

> However, without an ECP setup, we really have no way to test it.


responded Jun 13, 2015 by Rich_Megginson (3,020 points)   2 5
0 votes

On 06/13/2015 01:37 PM, Rich Megginson wrote:
> On 06/12/2015 07:30 PM, Adam Young wrote:
>
>> On 06/12/2015 04:53 PM, Rich Megginson wrote:
>>
>>> I've done a first pass of setting up a puppet module to configure
>>> Keystone to use ipsilon for federation, using
>>> https://github.com/richm/puppet-apache-auth-mods, and a version of
>>> ipsilon-client-install with patches
>>> https://fedorahosted.org/ipsilon/ticket/141 and
>>> https://fedorahosted.org/ipsilon/ticket/142, and a heavily modified
>>> version of the ipa/rdo federation setup scripts -
>>> https://github.com/richm/rdo-vm-factory.
>>>
>>> I would like some feedback from the Keystone and puppet folks about
>>> this approach.


>> I take it this is not WebSSO yet, but only Federation.
>>
>> Around here...
>>
>> https://github.com/richm/puppet-apache-auth-mods/blob/master/manifests/keystone_ipsilon.pp#L64
>>
>> You would need to have the trusted dashboard, etc.

> Right. In order to do websso, there is some additional setup that
> needs to be done in the apache conf for the keystone wsgi virtual
> hosts (which is in the rdo-federation-setup script). There is also
> some additional configuration to do to Horizon to enable federated
> auth and/or websso.

>> But I think that is what you intend.

> Right. What I've done so far is only the first step.

It looks good at first blush. I'm trying to get to the point where I
can recreate RDO factory, but on a machine I launch in the Cloud Lab.
I've gotten it as far as allocating a floating IP address:

https://github.com/admiyo/ossipee/

Once I can get through the RDO Factory steps, I'll give it a live test.

>> However, without an ECP setup, we really have no way to test it.


responded Jun 15, 2015 by Adam_Young (19,940 points)   2 7 9
...