Juju Charm - Keystone Kerberos backend
Go to file
Alex Kavanagh 3b966c4924 Migrate charm to charmhub latest/edge track
Change-Id: Id4e104c371610c734529d4080ae4e62a38c23d6c
2022-01-27 20:31:55 +00:00
src Migrate charm to charmhub latest/edge track 2022-01-27 20:31:55 +00:00
unit_tests Initial commit of the keystone-kerberos charm 2020-03-18 16:22:10 -07:00
.gitignore Initial commit of the keystone-kerberos charm 2020-03-18 16:22:10 -07:00
.gitreview Add gitreview, zuul, groovy and victoria bits 2020-08-04 15:53:20 +02:00
.stestr.conf Initial commit of the keystone-kerberos charm 2020-03-18 16:22:10 -07:00
.travis.yml Initial commit of the keystone-kerberos charm 2020-03-18 16:22:10 -07:00
.zuul.yaml Add gitreview, zuul, groovy and victoria bits 2020-08-04 15:53:20 +02:00
charmcraft.yaml Migrate charm to charmhub latest/edge track 2022-01-27 20:31:55 +00:00
LICENSE Initial commit of the keystone-kerberos charm 2020-03-18 16:22:10 -07:00
metadata.yaml Migrate charm to charmhub latest/edge track 2022-01-27 20:31:55 +00:00
osci.yaml Migrate charm to charmhub latest/edge track 2022-01-27 20:31:55 +00:00
pip.sh Add xena bundles 2021-09-27 10:56:37 +01:00
README.md Trivial improvements 2020-08-11 09:45:46 +02:00
rebuild Add xena bundles 2021-09-27 10:56:37 +01:00
requirements.txt Add yoga bundles and release-tool syncs 2021-11-17 13:50:48 -05:00
test-requirements.txt Add yoga bundles and release-tool syncs 2021-11-17 13:50:48 -05:00
tox.ini Add yoga bundles and release-tool syncs 2021-11-17 13:50:48 -05:00

Overview

Keystone is the identity service used by OpenStack for authentication and high-level authorisation.

The keystone-kerberos subordinate charm allows for per-domain authentication via a Kerberos ticket, thereby providing an additional layer of security. It is used in conjunction with the keystone charm.

An external Kerberos server is a prerequisite.

Note

: The keystone-kerberos charm is supported starting with OpenStack Queens.

Warning

: This charm is in a preview state and should not be used in production. See the OpenStack Charm Guide for more information on preview charms.

Usage

Configuration

This section covers common and/or important configuration options. See file config.yaml for the full list of options, along with their descriptions and default values. See the Juju documentation for details on configuring applications.

kerberos-realm

The kerberos-realm option is used to supply the external Kerberos realm name.

kerberos-server

The kerberos-server option is used to supply the external Kerberos server hostname.

kerberos-domain

The kerberos-domain option is the OpenStack domain against which Kerberos authentication should be used.

Deployment

Let file kerberos.yaml contain the deployment configuration:

    keystone-kerberos:
        kerberos-realm: "PROJECT.SERVERSTACK"
        kerberos-server: "freeipa.project.serverstack"
        kerberos-domain: "k8s"

Deploy keystone-kerberos with other essential applications:

juju deploy keystone
juju deploy openstack-dashboard
juju deploy --config kerberos.yaml --resource=/home/ubuntu/keystone.keytab keystone-kerberos
juju add-relation keystone openstack-dashboard
juju add-relation keystone keystone-kerberos

See the next section for retrieving the keytab file. It can also be added to the application post-deploy:

juju attach-resource keystone-kerberos keystone_keytab=keystone.keytab

Kerberos pre-requisites - the Keystone service keytab

In an external Kerberos server, a service must be created for the Keystone Principal.

  1. First determine the FQDN of the Keystone server. For example:

    keystone-server.project.serverstack
    

    Ensure that the Keystone server can resolve the Kerberos server hostname. If it can't, consider adding an entry to /etc/hosts.

  2. In the Kerberos server, create the host and service. This example is based on a FreeIPA Kerberos server:

    ipa host-add keystone-server.project.serverstack --ip-adress=10.0.0.2
    ipa service-add HTTP/keystone-server.project.serverstack
    ipa service-add-host HTTP/keystone-server.project.serverstack --hosts=keystone-server.project.serverstack
    

    If you have multiple Keystone servers, you should add each host to the principal:

    ipa host-add-principal keystone-server HTTP/<keystone-other-hostname>@PROJECT.SERVERSTACK
    
  3. Retrieve the keytab associated with this service:

    ipa-getkeytab -p HTTP/keystone-server.project.serverstack -k keystone.keytab
    

Authenticate from a host

The below steps show how to authenticate from a host using the openstack CLI client.

  1. Ensure that the following software is installed on the host:

    sudo apt install krb5-user python3-openstackclient python3-requests-kerberos
    
  2. Retrieve a token for an existing user in the Kerberos/LDAP directory.

    kinit <username>
    
  3. Source the OpenStack rc file.

    source k8s-user.rc
    

    Where the contents of k8s-user.rc is:

    export OS_AUTH_URL=http://kerberos-server.project.serverstack:5000/krb/v3
    export OS_PROJECT_ID=<projectID>
    export OS_PROJECT_NAME=<kerberos_domain> # i.e k8s
    export OS_PROJECT_DOMAIN_ID=<domainID>
    export OS_REGION_NAME="RegionOne"
    export OS_INTERFACE=public
    export OS_IDENTITY_API_VERSION=3
    export OS_AUTH_TYPE=v3kerberos
    
  4. Test the client

    openstack token issue
    

Bugs

Please report bugs on Launchpad.

For general charm questions refer to the OpenStack Charm Guide.