Now that Folsom development has started in earnest, I figured I’d follow Russell’s example and write down a bit of my plan for work in the next couple of months.
To date, my involvement with Openstack has focused primarily on Keystone. Using that as a starting point, I want to continue in two directions: deeper work on the identity management side, and expanding HTTPD support beyond Keystone.
First is working on the Public Key Infrastructure (PKI) alternative to the Keystone Token architecture. In addition to implementing that blueprint, I have agreed to work with gyee and liemmn on making sure that the PKI work and the key-based authentication they are working on fit into an understandable narrative about the options available in Openstack.
Of course, my PKI work assumes web server support for PKI, which, shortest path, is using HTTPD. There is code from that example that I need to review and commit. In order for it to be usable, I need to set up and run a proof of concept system where Glance, Nova and Horizon all use Keystone from HTTPD.
Once I’ve made that work, I need to add support to devstack for it.
A follow-on set of tasks will involve HTTPD-ifying Nova and Glance. To prep the site for this work, we are trying to establish a URL naming scheme for Openstack.
While testing the EPEL packages of Openstack, I noticed that we lacked support for the VNC viewer noVNC. I am working with Anthony Young (no relation to me) to come up with a supportable packaging format that will be accepted by the Debian and Fedora packaging standards.
Longer term, I want to be able to serve the noVNC JavaScript from Apache HTTPD, and talk back to HTTPD as well. There are two alternatives here:
- Use an Apache Websockets module and do it all in native code.
- Add Websockets support to mod_wsgi.
The Google code approach uses mod_python. However, mod_python is not actively maintained, so I think this code is not going to work over the long haul. Making it work in mod_wsgi has hurdles to overcome. This leads me to favor the native approach as of now. I have the Apache websocket module built as an RPM, and will continue toward integrating the VNC proxy in C as an additional module.
Hi, I am a student working on a security extension on OpenStack. I have fully deployed OpenStack on an Ubuntu server, but I am still confused about how I can use PKI with Keystone. Is there any good documentation? Still in a premature phase, so can you please help me?
Sanjaya,
All my PKI work thus far is in the master branch on Keystone… there was one important fix that didn’t make it into Folsom 3. If you are running Devstack, you should have that code.
Here are my notes on how to test.
http://www.spinics.net/linux/fedora/fedora-cloud/msg01644.html
There is more work to be done after this. The biggest thing is external Auth… I need to work up a blueprint for that.