We should add the ability to deploy RHEL OSP with Kerberos authentication enabled for Keystone and Horizon by leveraging Identity Management (IPA) in RHEL. This should be possible via all supported installation methods. At a high-level, the configuration for this deployment will involve:
- Setting up Kerberos services in IdM for Keystone and Horizon and fetching keytabs.
- Configuring httpd with mod_auth_kerb to provide Kerberos authentication via REMOTE_USER for Keystone and Horizon.
- Configuring SSSD to map the LDAP appropriate attributes from IdM that are needed by Keystone.
- Configuring httpd with mod_lookup_identity to provide user/group information via environment variables for Keystone.
- Configuring Keystone mapping code to allow it to leverage the environment variables provided by mod_lookup_identity.
- Defining OpenStack service users in a separate Domain in Keystone's SQL identity backend.
This bug will serve as a tracker for the various sub-tasks that are needed to complete this work across components.
can we close it for old age?
(In reply to Amit Ugol from comment #2)
> can we close it for old age?
Yes, we don't need a distribution bug for this. We have had requests for this, but it is being tracked at the Keystone level.