*bump* Here's the tl;dr version:
- How have other folks handled integration of OpenStack with existing authN/authZ infrastructures? I'm particularly interested in the automatic mapping of existing LDAP groups to roles/tenants within openstack.
- Are there plans to add support for the auth plugins to the *client modules and CLI tools going forward? I'd be interested in contributing this if it's on the roadmap and hasn't been done yet.
- Are there plans to add support for auth plugins/external auth to Horizon? As above, I'm interested in implementing this if there's interest.
- I see vague references in the documentation/*client code to using certificates for authentication (without the need for httpd external authentication) which would also eliminate the credentials-in-environment-variables issue. Is using PKI for authentication going to be supported? If so what's the status?

Am I perhaps posting this to the wrong list? I didn't get any replies from my original post.

Thanks!

-Aaron

On Tue, May 7, 2013 at 1:52 PM, Aaron Knister <aaron.knis...@gmail.com> wrote:
> Hi Everyone,
>
> I'm looking for feedback and input about what other sites are doing for authentication and authorization with OpenStack.
>
> First, some background:
>
> I'm currently evaluating OpenStack (Grizzly), specifically working on integration with Active Directory. I'm unable to modify the schema to allow groupOfNames as a SUP of organizationalRole so I've implemented a workaround using openldap and several of its overlays backends to sit in front of AD. That all works just fine, however I really would like to be able to map AD groups to roles/tenants. I suspect I'll end up writing some code to do this-- shouldn't be too hard.
>
> Also on the subject of Active Directory, it's a show stopper for me to put un-encrypted AD credentials in environment variables to then pass to the various openstack CLI progs. My ideal workaround would be to use Kerberos authentication which I actually have working. I setup keystone to run under apache based on this documentation with some tweaks here and there:
>
> http://docs.openstack.org/developer/keystone/external-auth.html
>
> I created an openstack client auth plugin (based on the VOMS auth plugin) using requests_kerberos and this works well with the nova client, however none of the other client tools, including horizon, seem to support authentication plugins or the external authentication concept in general.
>
> So, here are my questions:
>
> - How have other folks handled integration of OpenStack with existing authN/authZ infrastructures? I'm particularly interested in the automatic mapping of existing LDAP groups to roles/tenants within openstack.
> - Are there plans to add support for the auth plugins to the *client modules and CLI tools going forward? I'd be interested in contributing this if it's on the roadmap and hasn't been done yet.
> - Are there plans to add support for auth plugins/external auth to Horizon? As above, I'm interested in implementing this if there's interest.
> - I see vague references in the documentation/*client code to using certificates for authentication (without the need for httpd external authentication) which would also eliminate the credentials-in-environment-variables issue. Is using PKI for authentication going to be supported? If so what's the status?
>
> Thanks in advance!
>
> -Aaron
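The AD-group-to-role/tenant mapping the post says it will probably script is the part worth getting right: it has to revoke assignments whose backing group membership has disappeared, compare DNs the way a directory does (case-insensitively, ignoring whitespace after separators), and leave hand-made assignments alone. The following is an added example, not code from the post or from OpenStack; the rules dictionary format, the group DNs and the `managed_roles` idea are constructed assumptions, and the actual Keystone grant/revoke calls are left to the caller.

```python
"""Compute the Keystone role changes implied by a user's AD/LDAP groups.

Constructed example. `rules` maps a directory group DN to the (tenant, role)
pairs it should grant. `plan_changes` returns what to grant and what to
revoke so the user's assignments match the directory, instead of only ever
adding roles (which is how stale admin rights accumulate).
"""
from typing import Dict, Iterable, Set, Tuple

Assignment = Tuple[str, str]  # (tenant, role)


def normalize_dn(dn: str) -> str:
    """Fold case and strip whitespace around RDNs so 'CN=X, OU=Y' == 'cn=x,ou=y'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def desired_assignments(member_of: Iterable[str],
                        rules: Dict[str, Set[Assignment]]) -> Set[Assignment]:
    """Union of everything the user's current groups entitle them to."""
    normalized_rules = {normalize_dn(g): grants for g, grants in rules.items()}
    wanted: Set[Assignment] = set()
    for group in member_of:
        wanted |= normalized_rules.get(normalize_dn(group), set())
    return wanted


def plan_changes(member_of: Iterable[str], rules: Dict[str, Set[Assignment]],
                 current: Set[Assignment], managed_roles: Set[str]):
    """Return (to_grant, to_revoke).

    Only roles listed in managed_roles are ever revoked, so assignments an
    operator made outside the mapping are not silently removed.
    """
    wanted = desired_assignments(member_of, rules)
    to_grant = wanted - current
    to_revoke = {a for a in current - wanted if a[1] in managed_roles}
    return to_grant, to_revoke


# Constructed sample data: mapping rules, a user's memberOf values as AD
# returns them (note the different casing/spacing), and what Keystone holds.
RULES = {
    "CN=cloud-admins,OU=Groups,DC=example,DC=com": {("admin", "admin")},
    "CN=project-a-devs,OU=Groups,DC=example,DC=com": {("project-a", "Member")},
    "CN=project-b-devs,OU=Groups,DC=example,DC=com": {("project-b", "Member")},
}
MANAGED_ROLES = {"admin", "Member"}
USER_GROUPS = ["cn=project-a-devs, ou=groups, dc=example, dc=com"]
CURRENT = {("project-a", "Member"), ("project-b", "Member"),
           ("project-a", "heat_stack_owner")}  # last one was set by hand

if __name__ == "__main__":
    print(plan_changes(USER_GROUPS, RULES, CURRENT, MANAGED_ROLES))
```

Run against the sample data it grants nothing, revokes the project-b membership the user no longer holds in AD, and keeps the unmanaged heat_stack_owner role.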
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp