Change-Id: I70fa2cc7e2fd35895cd11db57fef00199680ce2b
3.2 KiB
- title
-
Kerberos
Kerberos
Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is the basis for authentication to AFS.
At a Glance
- Hosts
-
- kdc*.openstack.org
- Puppet
-
- https://git.openstack.org/cgit/openstack-infra/puppet-kerberos/tree/
modules/openstack_project/manifests/kdc.pp
- Projects
- Bugs
- Resources
OpenStack Realm
OpenStack runs a Kerberos Realm
called
OPENSTACK.ORG
. The realm contains a
Key Distribution Center
or KDC which is spread across a
master and a slave, as well as an admin server which only runs on the
master. Most of the configuration is in puppet, but initial setup and
the management of user accounts, known as principals
, are
manual tasks.
Realm Creation
On the first KDC host, the admin needs to run krb5_newrealm by hand. Then admin principals and host principles need to be set up.
Set up host principals for slave propogation:
# execute kadmin.local then run these commands
addprinc -randkey host/kdc01.openstack.org
addprinc -randkey host/kdc02.openstack.org
ktadd host/kdc01.openstack.org
ktadd host/kdc02.openstack.org
Copy the file /etc/krb5.keytab to the second kdc host.
The puppet config sets up slave propagation scripts and cron jobs to run them.
Adding A User Principal
First, ensure the user has an entry in puppet so they have a unix shell account on our hosts. SSH access is not necessary, but keeping track of usernames and uids with account entries is necessary.
Then, add the user to Kerberos using kadmin (while authenticated as a kerberos admin) or kadmin.local on the kdc:
kadmin: addprinc $USERNAME@OPENSTACK.ORG
Where $USERNAME is the lower-case username of their unix account in puppet. OPENSTACK.ORG should be capitalized.
If you are adding an admin principal, use username/admin@OPENSTACK.ORG. Admins should additionally have regular user principals.
Adding A Service Principal
A service principal is one that corresponds to an application rather than a person. There is no difference in their implementation, only in conventions around how they are created and used. Service principals are created without passwords and keytab files are used instead for authentication. The program k5start can use keytab files to automatically obtain kerberos credentials (and AFS if needed).
Add the service principal to Kerberos using kadmin (while authenticated as a kerberos admin) or kadmin.local on the kdc:
kadmin: addprinc -randkey service/$NAME@OPENSTACK.ORG
Where $NAME is the lower-case name of the service. OPENSTACK.ORG should be capitalized.
Then save the principal's keytab:
kadmin: ktadd -k /path/to/$NAME.keytab service/$NAME@OPENSTACK.ORG