Keystone and Kerberos

“How can I integrate Kerberos into a Keystone server and still maintain the UserId-Password based login?”

This is a fairly simple task. It works because the AUTH_URL used to get a token does not need to match the identity URLs returned in the service catalog, so a Kerberos-protected alias can hand out tokens while the catalog keeps pointing at the password-based endpoint.

The Keystone server is a modified devstack deployment that uses the Keystone LDAP identity backend to talk to a FreeIPA server. I've added a second WSGIScriptAlias, dedicated to Kerberos authentication, that points at the same main WSGI script. In /etc/httpd/conf.d/wsgi-keystone.conf I have:

WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/krb   /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin

WSGIDaemonProcess keystone_admin user=fedora group=wheel maximum-requests=10000
WSGIDaemonProcess keystone_main user=fedora group=wheel maximum-requests=10000
WSGIDaemonProcess keystone_krb_wsgi user=fedora group=wheel maximum-requests=10000

<Location /keystone/admin>
  WSGIProcessGroup keystone_admin
  NSSRequireSSL
  Authtype none
</Location>

<Location /keystone/main>
  WSGIProcessGroup keystone_main
  NSSRequireSSL
  Authtype none
</Location>

<Location /keystone/krb>
  WSGIProcessGroup keystone_krb_wsgi
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms IPA.CLOUDLAB.FREEIPA.ORG
  Krb5KeyTab /etc/httpd/conf/openstack.keytab
  KrbSaveCredentials on
  KrbLocalUserMapping on
  Require valid-user
  NSSRequireSSL
</Location>

With this configuration I am able to fetch a token using a curl call. I need to have run kinit first, as the principal that maps to the Keystone user.

#!/usr/bin/bash
# -i prints the response headers: Keystone returns the token in the
# X-Subject-Token header, not in the JSON body. --negotiate with "-u :"
# makes curl use the Kerberos ticket from the kinit cache.
curl -i \
-H "Content-Type:application/json" \
--negotiate -u : \
--cacert ca.crt  \
-d  '{ "auth": { "identity": { "methods": []}, "scope": { "project": { "domain": { "name": "Default" }, "name": "demo" } } } }' \
-X POST https://ayoungdevstack20.cloudlab.freeipa.org/keystone/krb/v3/auth/tokens

# If you wish this script to return just the token, uncomment the next line and append it to the command above.
# HTTP header lines end in CRLF, so the CR is stripped before the header value is printed.
# | tr -d '\r' | awk '/X-Subject-Token/ {print $2}'

Note that my service catalog returns URLs that point to the non-kerberized Location blocks in my HTTPD config. For example:

$ keystone endpoint-get --service=identity
+--------------------+------------------------------------------------------------------+
|      Property      |                              Value                               |
+--------------------+------------------------------------------------------------------+
| identity.publicURL | https://ayoungdevstack20.cloudlab.freeipa.org/keystone/main/v2.0 |
+--------------------+------------------------------------------------------------------+
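As an added example (not code from the original post), the shell functions below build the v3 token request bodies for both login paths that coexist in this setup, the empty-methods body for the Kerberos alias and the password body for the plain alias the catalog advertises, and extract X-Subject-Token from a `curl -i` response. The hostname, project and domain names are the ones used in the post; the user name, the OS_PASSWORD variable and the sample HTTP response fed to the extractor are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds Keystone v3 token
# requests for the kerberized and the password-based aliases and pulls the
# token out of the response headers.

# Body for /keystone/krb. "methods" is empty because Apache (mod_auth_kerb)
# has already authenticated the caller and hands REMOTE_USER to Keystone,
# which maps it to the user id. Only the scope is supplied.
krb_auth_body() {
    local project domain
    project="$1"; domain="${2:-Default}"
    printf '{"auth": {"identity": {"methods": []}, "scope": {"project": {"domain": {"name": "%s"}, "name": "%s"}}}}' \
        "$domain" "$project"
}

# Body for /keystone/main (the URL the catalog returns). Same scope, but the
# identity block carries the password method. The password is read from the
# OS_PASSWORD environment variable (constructed name for this example) so it
# is never typed on a command line. printf does not JSON-escape, so a
# password containing '"' or '\' would need escaping before use here.
password_auth_body() {
    local user project domain
    user="$1"; project="$2"; domain="${3:-Default}"
    : "${OS_PASSWORD:?set OS_PASSWORD in the environment}"
    printf '{"auth": {"identity": {"methods": ["password"], "password": {"user": {"name": "%s", "domain": {"name": "%s"}, "password": "%s"}}}, "scope": {"project": {"domain": {"name": "%s"}, "name": "%s"}}}}' \
        "$user" "$domain" "$OS_PASSWORD" "$domain" "$project"
}

# Read a `curl -i` dump on stdin and print the X-Subject-Token value.
# Header lines end in CRLF, so the CR is dropped first; otherwise the token
# would carry a trailing \r and fail when reused in X-Auth-Token.
# Under --negotiate curl also shows the initial 401 challenge headers; that
# response has no X-Subject-Token, so matching on the header name is safe.
extract_subject_token() {
    tr -d '\r' | awk 'tolower($1) == "x-subject-token:" {print $2; exit}'
}

# Usage against the live server (needs a prior kinit as the mapped principal):
# curl -si -H "Content-Type: application/json" --negotiate -u : --cacert ca.crt \
#   -d "$(krb_auth_body demo)" \
#   https://ayoungdevstack20.cloudlab.freeipa.org/keystone/krb/v3/auth/tokens \
#   | extract_subject_token
```

The two bodies differ only in the identity block, which is the whole point of the split aliases: the scope, the project and the catalog that comes back are the same whichever alias issued the token.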
