You were working in a git repo and you committed your change to master. Happens all the time. Panic not.
Kerberos for Horizon and Keystone
I have a Horizon instance Proof of Concept. It has a way to go before it can be used in production, but the mechanism works.
Audit Belongs with Policy
Policy in OpenStack is the mechanism by which Role-Based Access Control is implemented. Policy is distributed in rules files which are processed at the time of a user request. Audit has come to mean the automated emission and collection of events used for security review. The two processes are related and need a common set of mechanisms to build a secure and compliant system.
Why POpen for OpenSSL calls
Many people have questioned why I chose to use popen to call the OpenSSL binary from Keystone and the auth_token middleware. Here is my rationale:
Unattended Install of a FreeIPA Server
As a developer, I install and uninstall the application I’m working on all the time. Back when I was working on FreeIPA full time, I had a couple of functions that I used to do an unattended install with some simple defaults. I recently cleaned them up a little. Since a few people have asked me for them, I’m posting them here.
Kerberos and Firewalls
Most datacenters block non-standard ports at their firewalls. This includes ports for lesser-used protocols. The Kerberos Key Distribution Center (KDC) listens on port 88 (TCP and UDP), which means that, practically speaking, a machine cannot get a ticket over the public internet. Last summer, Robby Harwood interned here at Red Hat. Together, we put together a plan to address this.
Keystone tox cheat sheet
While I grumbled when run_tests.sh was deprecated with just a terse message to go read the docs about tox, I have since switched over. Here is my quick tox transition tutorial.
Kerberos, Federation, and Horizon
I’ve been looking into enabling Kerberos for Horizon. Since Horizon passes the user’s credentials on to Keystone to get a token, Kerberos requires an additional delegation mechanism. This leads to some questions about how to handle delegation in the case of Federated Identity.
Kerberos, Keystone Client, and S4U2Proxy
Since my eventual goal is to Kerberize Horizon, my next step after getting a CGI solution working was to make use of the Keystone client. Since the Kerberos auth plugin is still a work-in-progress, it required a little tweaking, but not all that much.