[rhos-list] Openstack GSSAPI (Kerberos 5) and sasl for services question

Adam Young ayoung at redhat.com
Thu Oct 31 13:41:42 UTC 2013


On 10/30/2013 12:14 PM, Paul Robert Marino wrote:
> I've been looking over this doc because I would like to secure the
> backend component of OpenStack with Kerberos.
> http://openstack.redhat.com/Keystone_integration_with_IDM
>
> I don't want to do a full IPA server for this, just Kerberos, which for
> the most part is fairly simple.
> I already have a preexisting Heimdal Kerberos 5 server cluster from
> another project which I can utilize in the environment; it works fine
> with the MIT client libraries and does its own replication without
> using LDAP as a backend.
>
> So far most of it seems fairly straightforward, but I found one thing
> in the doc that's messy and was hoping the doc is out of date and
> maybe there was a cleaner solution. Here is what I have an issue with:
>
> "
>
> The problem with this is that the key we just obtained is only good
> for a specified period of time: 24 hours by default. Once 24 hours
> passes the Kerberos ticket will no longer be valid and nova and cinder
> will no longer be able to communicate with qpidd.
>
> The fix for now is to create a cron job which will renew these credentials.
>
>
> "
> I also assume the same would be true for all of the OpenStack services,
> not just nova and cinder.
> Has the ability to specify and utilize a keytab been added, or does
> anyone know if there are any plans to add the feature in the future? If
> not, who should I be nagging :-) .
> Really it needs to be added to all of the OpenStack services if it
> isn't there already.

It is a shortcoming addressed at the GSSAPI level, but that code is not 
in the RHEL 6 series yet.  In the future, you will be able to put a 
Keytab in the appropriate subdirectory under /var/run and the new TGT 
will be fetched upon demand.

Simo Sorce was involved with the project to do that and can provide 
more details.

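The interim cron-job workaround quoted above, written out as an added example (not from the linked doc or either poster): a script that re-obtains a service TGT from a keytab into a private credential cache before the 24-hour lifetime runs out. The principal, keytab path, cache path and the `run` argument are assumptions; the service must be started with `KRB5CCNAME` pointing at the same cache.

```shell
#!/bin/sh
# Cron-driven TGT renewal for an OpenStack service principal (the
# workaround the quoted doc describes). All names and paths are assumed.
set -eu

PRINC="${PRINC:-nova/compute1.example.com@EXAMPLE.COM}"   # assumed service principal
KEYTAB="${KEYTAB:-/etc/nova/nova.keytab}"                 # assumed keytab, readable by the service user only
CCACHE="${CCACHE:-/var/run/nova/krb5cc_nova}"             # cache the service reads via KRB5CCNAME
STAMP="${CCACHE}.kinit-stamp"                             # records when kinit last succeeded
LIFETIME="${LIFETIME:-86400}"   # default ticket life from the doc: 24 hours
MIN_LEFT="${MIN_LEFT:-3600}"    # re-obtain when less than one hour remains

# Decide whether a fresh TGT is needed.
# Args: last_kinit_epoch (empty if unknown) now_epoch lifetime_sec min_left_sec
# Prints "renew" or "ok"; always returns 0 so it is safe inside $(...) under set -e.
needs_renewal() {
  last="$1"; now="$2"; life="$3"; min_left="$4"
  if [ -z "$last" ]; then echo renew; return 0; fi
  left=$((last + life - now))
  if [ "$left" -lt "$min_left" ]; then echo renew; else echo ok; fi
  return 0
}

# Obtain a new TGT non-interactively from the keytab (kinit flags:
# -k use keytab, -t keytab file, -c target cache) and record the time.
renew_tgt() {
  kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINC"
  date +%s > "$STAMP"
}

main() {
  now=$(date +%s)
  last=""
  [ -r "$STAMP" ] && last=$(cat "$STAMP")
  # klist -s is silent and exits non-zero when the cache holds no valid
  # ticket, which also covers a cache that was deleted or corrupted.
  if ! klist -s -c "$CCACHE" || [ "$(needs_renewal "$last" "$now" "$LIFETIME" "$MIN_LEFT")" = renew ]; then
    renew_tgt
  fi
}

# Cron entry, e.g. every 30 minutes as the service user:
#   */30 * * * * /usr/local/sbin/renew_service_tgt.sh run
case "${1:-}" in run) main ;; esac
```

The stamp file only approximates the ticket's end time; the `klist -s` check is what catches a cache that was lost or invalidated early.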
