Bug 1126594 - [Tracker] Deploy RHEL OSP with Kerberos authentication via IdM in RHEL
Summary: [Tracker] Deploy RHEL OSP with Kerberos authentication via IdM in RHEL
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: distribution
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Nathan Kinder
QA Contact: Udi Kalifon
Depends On: 1122764 1126865 1126869 1138424 1170218 1170223 1170224 1170225 1180230
TreeView+ depends on / blocked
Reported: 2014-08-04 20:54 UTC by Nathan Kinder
Modified: 2018-10-15 21:43 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2018-10-15 21:43:05 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Nathan Kinder 2014-08-04 20:54:05 UTC
We should add the ability to deploy RHEL OSP with Kerberos authentication enabled for Keystone and Horizon by leveraging Identity Management (IPA) in RHEL.  This should be possible via all supported installation methods.  At a high-level, the configuration for this deployment will involve:

- Setting up Kerberos services in IdM for Keystone and Horizon and fetching keytabs.
- Configuring httpd with mod_auth_kerb to provide Kerberos authentication via REMOTE_USER for Keystone and Horizon.
- Configuring SSSD to map the LDAP appropriate attributes from IdM that are needed by Keystone.
- Configuring httpd with mod_lookup_identity to provide user/group information via environment variables for Keystone.
- Configuring Keystone mapping code to allow it to leverage the environment variables provided by mod_lookup_identity.
- Defining OpenStack service users in a separate Domain in Keystone's SQL identity backend.

This bug will serve as a tracker for the various sub-tasks that are needed to complete this work across components.

Comment 2 Amit Ugol 2018-05-21 08:20:06 UTC
can we close it for old age?

Comment 3 Nathan Kinder 2018-10-15 21:43:05 UTC
(In reply to Amit Ugol from comment #2)
> can we close it for old age?

Yes, we don't need a distribution bug for this.  We have had requests for this, but it is being tracked at the Keystone level.

Note You need to log in before you can comment on or make changes to this bug.