
[openstack-dev] [openstack-ansible][keystone] Federation beyond Shibboleth

0 votes

Hi everyone,

Yesterday we released an implementation of Keystone as a Federated Service
Provider as part of the openstack-ansible deployment tooling [1].

This is a starting implementation which was purposefully scoped to only use
Shibboleth and only support SAML2. The scope was limited due to the
complexity of getting it working in the first place, but also as this was
seen to be the use-case which would give the most value.

The implementation, however, was done in a manner which we believe is
reasonably extendable to accommodate other protocols including OpenID,
Kerberos, etc. It should also be reasonably easy to develop the Mellon SAML
implementation instead of the Shibboleth module, although I think that would
probably be slightly more complex. Our spec [2] has already covered these
extensions, so all we'd need to do is define blueprints to cover them and
target them at specific milestones.

We'd like to ask whether others would be interested in diving in to
implement the additional protocols, to implement the alternative
mod_auth_mellon and also to apply other improvements as we roll on towards
the target of releasing Liberty.

We're happy to work alongside anyone who's not familiar with
openstack-ansible, or even Ansible, to set up a test environment (this can
be done in about an hour) and to prepare a patch for review.

If you have any questions or comments, please feel free to contact me via
email or on IRC.

Best regards,

Jesse
IRC: odyssey4me

[1]
http://lists.openstack.org/pipermail/openstack-dev/2015-August/071748.html
[2]
https://github.com/stackforge/os-ansible-deployment-specs/blob/master/specs/kilo/keystone-federation.rst


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Aug 11, 2015 in openstack-dev by Jesse_Pretorius

3 Responses

0 votes

On 08/11/2015 06:21 AM, Jesse Pretorius wrote:
> Hi everyone,
>
> Yesterday we released an implementation of Keystone as a Federated Service
> Provider as part of the openstack-ansible deployment tooling [1].
>
> This is a starting implementation which was purposefully scoped to
> only use Shibboleth and only support SAML2. The scope was limited due
> to the complexity of getting it working in the first place, but also
> as this was seen to be the use-case which would give the most value.
>
> The implementation, however, was done in a manner which we believe is
> reasonably extendable to accommodate other protocols including OpenID,
> Kerberos, etc. It should also be reasonably easy to develop the Mellon
> SAML implementation instead of the Shibboleth module, although I think
> that would probably be slightly more complex. Our spec [2] has already
> covered these extensions, so all we'd need to do is define blueprints
> to cover them and target them at specific milestones.
>
> We'd like to ask whether others would be interested in diving in to
> implement the additional protocols, to implement the alternative
> mod_auth_mellon and also to apply other improvements as we roll on
> towards the target of releasing Liberty.
The simplest one is Kerberos + SSSD;

Kerberos provides Authentication.
mod_lookup_identity uses SSSD to get Groups. It turns LDAP into
another Federated identity, much simpler than the LDAP code in Keystone
(I am responsible for that mess).

We are working on automating this via Ansible on top of a RHEL/CentOS 7
install to demo in Tokyo.

I am not certain if all the pieces are in place yet for Debian based
install. Specifically, it needs an updated sssd-dbus package.

We also have mod_mellon and Ipsilon working, as Jamie demo'ed at Pycon AU.

responded Aug 12, 2015 by Adam_Young
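The Kerberos + SSSD path Adam describes hands Keystone nothing but Apache environment variables: the authenticated principal in REMOTE_USER, and the group list mod_lookup_identity fetched from SSSD in REMOTE_USER_GROUPS. What turns those into a Keystone identity is the federation mapping. The block below is an added example, not code from this thread, from openstack-ansible or from rippowam: a small Python model of that mapping step, written in the shape of Keystone's JSON mapping rules and run over a constructed set of variables. The variable names, the ':' separator, the realm EXAMPLE.COM, the group names and the "Default" domain are all assumptions for the sake of the example.

```python
"""Model of the Kerberos + SSSD federation flow described above.

Apache authenticates the Kerberos principal and exports it as REMOTE_USER;
mod_lookup_identity asks SSSD (over its D-Bus InfoPipe) for the user's
groups and exports them as REMOTE_USER_GROUPS.  Keystone then runs its
JSON mapping rules over those variables to decide which local user and
groups the federated caller becomes.  The evaluator below is an added,
simplified model of that last step, not Keystone's own code.
"""
import re

# Assumed separator for multi-valued variables such as REMOTE_USER_GROUPS;
# mod_lookup_identity lets you choose it, so match your Apache config.
GROUP_SEPARATOR = ":"

# Constructed sample of what Apache hands to Keystone in the WSGI environment.
SAMPLE_ENV = {
    "REMOTE_USER": "alice@EXAMPLE.COM",
    "REMOTE_USER_GROUPS": "cloud-admins:developers:wheel",
    "REMOTE_USER_EMAIL": "alice@example.com",
}

# Rules in the shape Keystone uses: {N} refers to the N-th direct-mapped
# remote entry (entries carrying any_one_of/not_any_of are conditions and
# do not count).  Realm, group names and domain are hypothetical.
SAMPLE_RULES = [
    {
        "local": [
            {"user": {"name": "{0}"}},
            {"groups": "{1}", "domain": {"name": "Default"}},
        ],
        "remote": [
            # Pin the accepted Kerberos realm: cross-realm principals the KDC
            # trusts must not silently become Keystone users.
            {"type": "REMOTE_USER", "regex": True,
             "any_one_of": [r"^[^@]+@EXAMPLE\.COM$"]},
            {"type": "REMOTE_USER"},
            # Only forward groups Keystone is meant to know about; anything
            # else SSSD reports (wheel, local POSIX groups) is dropped here.
            {"type": "REMOTE_USER_GROUPS",
             "whitelist": ["cloud-admins", "developers"]},
        ],
    }
]


def parse_env(env, separator=GROUP_SEPARATOR):
    """Turn the flat environment into attribute -> list of values."""
    return {k: [v for v in raw.split(separator) if v] for k, raw in env.items()}


def _matches(values, candidates, regex):
    if regex:
        return any(re.search(p, v) for p in candidates for v in values)
    return any(v in candidates for v in values)


def _evaluate_remote(remote, assertion):
    """Return direct-mapped value lists in order, or None if a condition fails."""
    direct_maps = []
    for req in remote:
        values = assertion.get(req["type"], [])
        regex = req.get("regex", False)
        if "any_one_of" in req:
            if not _matches(values, req["any_one_of"], regex):
                return None
            continue
        if "not_any_of" in req:
            if _matches(values, req["not_any_of"], regex):
                return None
            continue
        if "blacklist" in req:
            values = [v for v in values if v not in req["blacklist"]]
        elif "whitelist" in req:
            values = [v for v in values if v in req["whitelist"]]
        direct_maps.append(values)
    return direct_maps


def _expand(template, direct_maps):
    """Substitute {N}: a lone placeholder yields the raw value(s), else a string."""
    lone = re.fullmatch(r"\{(\d+)\}", template)
    if lone:
        idx = int(lone.group(1))
        values = direct_maps[idx] if idx < len(direct_maps) else []
        return list(values) if len(values) != 1 else values[0]
    return template.format(*[v[0] if v else "" for v in direct_maps])


def apply_mapping(rules, env, separator=GROUP_SEPARATOR):
    """Return {'user': name, 'groups': [...]} or None (no rule matched: deny)."""
    assertion = parse_env(env, separator)
    user, groups, matched = None, [], False
    for rule in rules:
        direct_maps = _evaluate_remote(rule["remote"], assertion)
        if direct_maps is None:
            continue
        matched = True
        for local in rule["local"]:
            if "user" in local:
                name = _expand(local["user"]["name"], direct_maps)
                user = name if isinstance(name, str) else None
            if "group" in local:
                groups.append(local["group"]["id"])
            if "groups" in local:
                expanded = _expand(local["groups"], direct_maps)
                groups.extend(expanded if isinstance(expanded, list) else [expanded])
    if not matched or not user:
        return None
    return {"user": user, "groups": groups}


if __name__ == "__main__":
    print(apply_mapping(SAMPLE_RULES, SAMPLE_ENV))
    print(apply_mapping(SAMPLE_RULES, dict(SAMPLE_ENV, REMOTE_USER="mallory@OTHER.REALM")))
```

The two checks worth carrying into a real mapping are the realm pin on REMOTE_USER and the whitelist on REMOTE_USER_GROUPS: without them, any principal the KDC trusts cross-realm, and any POSIX group SSSD happens to know about, flows straight into Keystone's authorization decisions. Treat the separator as deployment-specific and verify it against the Apache configuration, because a mismatch turns a three-group list into one unknown group name, which the whitelist then silently drops, leaving the user with no groups at all.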
0 votes

On 12 August 2015 at 18:48, Adam Young <ayoung@redhat.com> wrote:

> The simplest one is Kerberos + SSSD;
>
> Kerberos provides Authentication.
> mod_lookup_identity uses SSSD to get Groups. It turns LDAP into another
> Federated identity, much simpler than the LDAP code in Keystone (I am
> responsible for that mess).
>
> We are working on automating this via Ansible on top of a RHEL/CentOS 7
> install to demo in Tokyo.
>
> I am not certain if all the pieces are in place yet for Debian based
> install. Specifically, it needs an updated sssd-dbus package.
>
> We also have mod_mellon and Ipsilon working, as Jamie demo'ed at Pycon AU.

Sounds great!

Would you be prepared to put together some WIP reviews to add those to the
Keystone role in openstack-ansible? Even if they're non-working sketches
that we can work from and iterate on, that'd be great.

Note that we're looking at implementing some changes to broaden the
platform support too. We're moving some of the pieces into place for the
liberty [1] release and I'll be putting my thoughts down on multi-platform
host enablement [2] soon. Also, considering that it'd be easier to
comprehend, consume and iterate the Ansible roles if they were independent
consumable units, I've also proposed [3][4] to break them out into their own
repositories. It'd be great if you could provide your input.

[1] https://blueprints.launchpad.net/openstack-ansible/+spec/liberty
[2]
https://blueprints.launchpad.net/openstack-ansible/+spec/multi-platform-host
[3]
https://blueprints.launchpad.net/openstack-ansible/+spec/independent-role-repositories
[4] https://review.openstack.org/213779


responded Aug 19, 2015 by Jesse_Pretorius
0 votes

On 08/19/2015 04:23 AM, Jesse Pretorius wrote:

> On 12 August 2015 at 18:48, Adam Young <ayoung@redhat.com> wrote:
>
>> The simplest one is Kerberos + SSSD;
>>
>> Kerberos provides Authentication.
>> mod_lookup_identity uses SSSD to get Groups. It turns LDAP into
>> another Federated identity, much simpler than the LDAP code in
>> Keystone (I am responsible for that mess).
>>
>> We are working on automating this via Ansible on top of a
>> RHEL/CentOS 7 install to demo in Tokyo.
>>
>> I am not certain if all the pieces are in place yet for Debian
>> based install. Specifically, it needs an updated sssd-dbus package.
>>
>> We also have mod_mellon and Ipsilon working, as Jamie demo'ed at
>> Pycon AU.
>
> Sounds great!
>
> Would you be prepared to put together some WIP reviews to add those to
> the Keystone role in openstack-ansible? Even if they're non-working
> sketches that we can work from and iterate on, that'd be great.

Our sample code is here:

https://github.com/jamielennox/rippowam

I wrote up a README for what we are doing:

https://github.com/admiyo/rippowam/blob/master/README.rst

The stuff you care about is here:

Setting up SSSD
https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/infopipe.yml

And
https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/keystone-sssd.yml

responded Aug 19, 2015 by Adam_Young