OpenStack Identity (keystone)

Add new v3 resource to provide for Kerberos authentication

Registered by Rob Crittenden on 2013-06-07

Kerberos is expensive to perform on every request. A special resource should be created so mod_auth_kerb can be configured to authenticate using Kerberos. Subsequent commands can use the existing authentication token (preferably stored in a python-keyring) until it expires. Keystone is already aware when it doesn't have a valid token and will automatically retrieve authentication via the /tokens resource. It is proposed that a /tokens/kerberos resource be created and mod_auth_kerb be configured to require Negotiate authentication on that. The response will be similar to that of a username/password authentication, either a 401 or an X-Auth-Token.

Read the full specification

Blueprint information

Status:: Complete

Approver:: None

Priority:: Undefined

Drafter:: Rob Crittenden

Direction:: Needs approval

Assignee:: Rob Crittenden

Definition:: New

Series goal:: None

Implementation:: Implemented

Milestone target:: None

Started by: Dolph Mathews on 2014-10-14

Completed by: Morgan Fainberg on 2014-10-20

Related branches

Related bugs

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/kerberos-authentication,n,z

Addressed by: https://review.openstack.org/74317 (abandoned)
Initial kerberos middleware implementation. This patch will allow to use kerberos credentials to retrieve a token during a post on /v3/tokens

Addressed by: https://review.openstack.org/95989 (merged)
Kerberos as method name

Addressed by: https://review.openstack.org/101302 (merged)
test REMOTE_USER does not authenticate if external (and all other methods) are missing this test ensures that the token would come through as unauthenticated

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

Jason Heiss