Configuring Kerberos as the authentication mechanism for Keystone is not much different than Kerberizing any other Web application. The general steps are:
There is a killer feature in Java 8, and it is not Lambdas.
In a recent post, I described how I configured a web server to user mod_lookup_identity. Now, I use that configuration to provide a test for the recent Federation work in Keystone. This is a really rough proof of concept; do not expect to be able to use this in your production environments yet.
Continue reading
Keystone token signing suffers from Highlander Syndrome. When it comes to Token Signers:
“How can I integrate Kerberos in to a Keystone server and still maintain the UserId-Password based login.”
This is a fairly simple task, and works due to the fact that the AUTH_URL used to get a token does not need to match the other URLS returned by the service catalog for identity.
“Don’t repeat yourself.” This rule is such a core principal in programming it has been reduced to the acronym DRY. Yet, somehow, every web application framework out there ends up with a custom authorization framework; LDAP, SQL, and usually a Flat File authorization list.
Apache HTTPD can and should perform a cryptographic based authentication for your users. Even better, it should be able to return to you the user attributes necessary to perform accurate authorization. REMOTE_USER has been the standard ever since CGI first appeared for the web. Now we can extend that approach to a generic set of user attributes for authorization. mod_lookup_identity.
I’m starting on a proof-of-concept setup where, instead of using the LDAP backend for Keystone, I use mod_identity_lookup to fetch the data at the HTTPD layer. Here are the steps I went to configure the system.
Authentication is only the start of the Authorization process. A centralized user registry, enforced by strong cryptography must be enhanced by data local to the application in order to properly allow or deny access to specific operations on resources. Here is a real world example that should make things clearer: getting into a location in the USA that serves alcoholic beverages over the counter.
Line to get into the Club
While Packstack makes it easy to get OpenStack up and running, it does not (yet) support joining to an existing Directory (LDAP) server. I went through this recently and here are the steps I followed.
Continue reading
Once again, the moving efforts of OpenStack and Fedora have diverged enough that devstack did not run for me on Fedora 20. Now, while this is something to file a bug about, I like to understand the issue to have a fix in place before I report it. Here are my notes.
Continue reading
“The Long Gray Line” is a film about a man, fresh off the boat from Ireland in 1898, who becomes an long term fixture at West Point. I had heard of the movie for years, but never watched it before. My main impetus in watching it was to see what the Academy looked like before they built Eisenhower and MacArthur Barracks, Washington Hall, and the rest of the “new” buildings that made up so much of my experience there.
Funny how many scenes were shot with active Cadets playing extras. They didn’t even need period costumes, they just showed up in their issued uniforms. The officer and NCO uniforms changed visibly over the years, but not the Cadet uniforms.
When the Lusitania sunk, and the Trumpet sounded, the question was not “are we going to lose anyone” but “who are we going to lose.”
The train doesn’t stop at West Point anymore: there is an iron fence between the Train Station building (used for Social Events) and the still active tracks that periodically send trains to chase the climbing team from their perches near “Crew” wall. 20% Of the Corps of Cadets are women. Cadets have Majors, cars, and cell phones now. Much of the plain has be converted to Sprots fields. Graduation is held in Michie Statdium, not at Battle Monument. Central Divisions are gone, with the execption on the first division, kept as a Bank and Museum. Intercollegiate athletics have taken on a huge role, displacing military training as the primary form of physical exercise.
Cadets still take Boxing and Swimming. Cadets in trouble still walk their post in a military manner at the quicktime, 120 steps per minute, for several hours each weekend, until their hours are all worked off. Chapel, no longer mandatory, still fills a huge role in the lives of Cadets and Officers alike. West Point graduates still fill the upper officer ranks at disproportionate numbers to their commissioning ratio.
I mentally compared it to the movie, “The Butler.” Both told the story of an institution from the point of view of someone fairly far down the chain. Both are historical, and driven by real people and events. Both have their share of Schmaltz, of makeup and aging, of historical costumes often becoming the real star of a scene. Both deal with pieces of American Government. Most important, both show peepholes int exclusive institutions that are otherwise reserved for people who have committed themselves far beyond the average. Both have Eisenhower.
But where as “The Butler” shows the evolution of America, it is the static aspect of West Point that strikes home hardest. Even the New Buildings don’t radically alter the image of West Point, they just sharpen it. The waiters in the Mess Hall are still culled from the most recent of immigrants. The words to songs like “The Corps” and “The Alma Mater” may have been slightly adjusted to reflect the greater mixing of genders, the songs still instill the thrill from the presence of Ghostly Assemblage of The Long Gray Line.
There is always something a little silly in watching actors play roles when you know the real people involved. I was a Cadet, and watching a trained actor play one with all of the earnestness and fresh-faced appeal that is the hallmark of the 1950s feels almost like I am being aped. Of course, that must be true of any role copied from real events, and I take no real offence from it. It just further reinforces how strange West Point must seem to those whom have never attended it. How can your really understand that place until you have had a dream where you are in the wrong place, in the wrong uniform, desperately sprinting to get to formation? West Point may be America’s Camalot, but for me it truly is my Alma Mater.