Bug 1126594

Summary: [Tracker] Deploy RHEL OSP with Kerberos authentication via IdM in RHEL
Product: Red Hat OpenStack Reporter: Nathan Kinder <nkinder>
Component: distributionAssignee: Nathan Kinder <nkinder>
Status: CLOSED NOTABUG QA Contact: Udi Kalifon <ukalifon>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.0 (RHEL 7)CC: augol, markmc, mburns, nkinder, srevivo
Target Milestone: ---Keywords: Tracking, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-15 21:43:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1122764, 1126865, 1126869, 1138424, 1170218, 1170223, 1170224, 1170225, 1180230    
Bug Blocks:    

Description Nathan Kinder 2014-08-04 20:54:05 UTC 
We should add the ability to deploy RHEL OSP with Kerberos authentication enabled for Keystone and Horizon by leveraging Identity Management (IPA) in RHEL.  This should be possible via all supported installation methods.  At a high-level, the configuration for this deployment will involve:

- Setting up Kerberos services in IdM for Keystone and Horizon and fetching keytabs.
- Configuring httpd with mod_auth_kerb to provide Kerberos authentication via REMOTE_USER for Keystone and Horizon.
- Configuring SSSD to map the LDAP appropriate attributes from IdM that are needed by Keystone.
- Configuring httpd with mod_lookup_identity to provide user/group information via environment variables for Keystone.
- Configuring Keystone mapping code to allow it to leverage the environment variables provided by mod_lookup_identity.
- Defining OpenStack service users in a separate Domain in Keystone's SQL identity backend.

This bug will serve as a tracker for the various sub-tasks that are needed to complete this work across components.
Comment 2 Amit Ugol 2018-05-21 08:20:06 UTC 
can we close it for old age?
Comment 3 Nathan Kinder 2018-10-15 21:43:05 UTC 
(In reply to Amit Ugol from comment #2)
> can we close it for old age?

Yes, we don't need a distribution bug for this.  We have had requests for this, but it is being tracked at the Keystone level.