Ever get that feeling that an epiphany is right around the corner? I spent a good portion of the OpenStack summit with that feeling. I knew that it would not be earth shattering, or lead me to want to rewrite Keystone, but rather a clarification of how a bunch of things should fall together. The “click” happened on the second to last day, and it can be summarized in a few key points.
OpenStack Keystone tokens can become too big to fit in the headers between mod_wsgi and the WSGI applications. Compression mitigates the problem somewhat, but if token sizes continue to grow, eventually they outpace the benefits of compression. How can we keep them to a minimal size?
In my last post, I discussed how to extract the signing information out of a token. But just because the signature on a document is valid does not mean that the user who signed it was authorized to do so. How can we got from a signature to validating a token? Can we use that same mechanism to sign other OpenStack messages?
The specification For multiple signers requires a mechanism to determine who signed the token and then determine I’d the signer had the authority to issue a token for the scope of the token. These are the steps he he necessary to perform that validation.
Ansible provides management for a large array of servers using ssh as the access mechanism. This is a good match for FreeIPA. However, by default Ansible uses a flat file to store groups of hosts. How can we get that info from FreeIPA? Continue reading
I have a Devstack setup. I’ve hacked the Keystone repo to add some cool feature. I want to test it out with an RDO deployment. How do I make my own RPM for the RDO system?
This is not a how to. This is more like a police log.
You have a cloud, I have a cloud.
Neither of use are willing to surrender control of our OpenStack deployments, but we need to inter-operate.
We both have Keystone servers. Those servers are the system of record for user authorization through out our respective deployments. We each wish to maintain control of our assignments. How can we make a set of resources that can be shared? It can’t be done today. Here is why not, and how to make it possible.
Keystone supports multiple backend for Identity. While SQL is the default, LDAP is one of the most used. With Federation protocols, the user data won’t even be stored in the identity backend at all. All three of these approaches have different use cases, and all work together. The way that that I’ve come to think of them is as three types of Keystone users: employees, partners, and customers. Take the following as a metaphor, not literal truth.
Kerberos was slow when talking to my demo machine. As part of debugging it, I was making DNS changes, so I pointed my machine directly to the DNS server. It was at my hosting provider, and authoritative for my domain.
As I tend to do, I idly checked Facebook. Its a bad habit, like biting nails. Sometimes I’m not even aware that I am doing it. This time, however, a browser warning brought me up short:
“Security Error: Domain Name Mismatch”
The certificate reported that it was valid for a domain that ended in the same domain name as the nameserver I was pointing at.
Someone just like me had the ability to push up whatever they wanted to the DNS server. This is usually fine: only the Authoritative DNS server for a site is allowed to replicate changes. It did mean, however, that anyone that was looking at this particular DNS server would be directed to something they were hosting themselves. I’m guessing it was a Phishing attempt as I did not actually go to their site to check.
Most of us run laptops set up to DNS from the DHCP server we connect to. Which means that if we are at a Coffee Shop, the local library, or the Gym, we are running against an unknown DNS server. The less trusted the location, the less reason to trust the DHCP server.
This is a nasty problem to work around. There are things you can do to mitigate, such as whitelisting DNS servers. The onus, however, should not be up to the end users. DNSSec attempts to address the issues. Until we have that, however, use HTTPS where ever possible. And check the certificates.
Most people cannot write to the LDAP servers except to manage their own data. Thus, OpenStack requiring the Service users in LDAP is a burden that many IT organizations cannot assume. In Juno we have support for Multiple backends for domains.