Horizon is the Web Dashboard for OpenStack. Since it manages some very sensitive information, it should be accessed via SSL. I’ve written up in the past how to do this for a generic web server. Here is how to apply that approach to Horizon.
Continue reading
Horizon is The OpenStack Dashboard. It is a DJango (Python) Web app. During a default installation, Horizon has resources at one level under the main Hostname in the URL scheme. For example, authentication is under http://hostname/auth.
Devstack performs single system deployments. Packstack has an “all-in-one” option that does the same thing. If these deployment tools are going to deploy other services via HTTPD, Horizon needs to be taught how to share the URL space. Fortunately, this is not hard to do.
Continue reading
From a co-worker:
amend is new to me… will the updated patch be a full patch to the original source or a patch to the previous patch?
Here’s how I explain it.
Continue reading
The PKI version of the Keystone tokens use a standard format for cryptographic signing of documents. Crypto Message Syntax (CMS) is the mechanism behind S/MIME and is well supported by the major cryptographic libraries: OpenSSL and NSS both have well documented CMS support. Messaging in OpenStack requires guaranteed identification of the author.
There is more to the certmonger story. A lot more. After my last attempt I tried to use certmonger:
I was not 100% successful, but the attempt did have some positive results.
This was a response to a post of mine in 2010. The comment was unformatted in the response, and I wanted to get it readable. Its a great example of making a Kerberized web call.
Courtesy of Rich Megginson
Note: requires MIT kerberos 1.11 or later if you want to skip doing the kinit, and just let the script do the kinit implicitly with the keytab.
import kerberos import sys import os from requests.auth import AuthBase import requests import json class IPAAuth(AuthBase): def __init__(self, hostname, keytab): self.hostname = hostname self.keytab = keytab self.token = None self.refresh_auth() def __call__(self, request): if not self.token: self.refresh_auth() request.headers['Authorization'] = 'negotiate ' + self.token return request def refresh_auth(self): if self.keytab: os.environ['KRB5_CLIENT_KTNAME'] = self.keytab else: LOG.warn('No IPA client kerberos keytab file given') service = "HTTP@" + self.hostname flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG try: (_, vc) = kerberos.authGSSClientInit(service, flags) except kerberos.GSSError, e: LOG.error("caught kerberos exception %r" % e) raise e try: kerberos.authGSSClientStep(vc, "") except kerberos.GSSError, e: LOG.error("caught kerberos exception %r" % e) raise e self.token = kerberos.authGSSClientResponse(vc) hostname, url, keytab, cacert = sys.argv[1:] request = requests.Session() request.auth = IPAAuth(hostname, keytab) ipaurl = 'https://%s/ipa' % hostname jsonurl = url % {'hostname': hostname} request.headers.update({'Content-Type': 'application/json', 'Referer': ipaurl}) request.verify = cacert myargs = {'method': 'dnsrecord_add', 'params': [["testdomain.com", "test4.testdomain.com"], {'a_part_ip_address': '172.31.11.4'}], 'id': 0} resp = request.post(jsonurl, data=json.dumps(myargs)) print resp.json() myargs = {'method': 'dnsrecord_find', 'params': [["testdomain.com"], {}], 'id': 0} resp = request.post(jsonurl, data=json.dumps(myargs)) print resp.json() |
Run the script like this:
python script.py ipahost.domain.tld ‘https://%(hostname)s/ipa/json’ myuser.keytab /etc/ipa/ca.crt |
We want to replace the shell call to openssl for certificate generation in Keystone (and the rest of OpenStack) with calls to Certmonger. Certmonger supports both OpenSSL and NSS. Certmonger can support a selfsigned approach, as well as tie in to a real Certificate Authority. Here are the steps I took to test out selfsigning, as well as my notes for follow on work.
Continue reading
The maximum header size between a HTTPD and an WSGI process is fixed at 8 Kilobytes. With a sufficiently large catalog, the token in PKI format won’t fit. Compression seems like it would be such an easy solution. But the there is a Hobgoblin or two hiding in the shadows.
Continue reading
Akai recently released a USB version of their Electronic Wind Instrument (EWI) which I was able to purchase for under $200. I was fairly quickly able to get it running using QJackCtl and QSynth. But then I wanted to understand what was happening. That involved spelunking into the four subsystems that make up the title of this post.
Continue readingThe majority of web service calls in OpenStack require token validation. Checking a token ID against a list is a cheap hashtable lookup. Comparing a token to a set of events is more expensive. How can we keep costs down?
Continue reading