Kerberos authn AD authnauthz

Summary

Allow CLI users to authenticate via Kerberos. Allow CLI users to authenticate, and be authorized, via AD or LDAP.

Owners

  • Sage Weil (Red Hat)

Current Status

Internally, Ceph uses 'cephx' to authenticate users with a shared secret. The monitors keep a simple user database that maps each user onto its capabilities (and stores the user's secret). The client authenticates to the monitor, and the mon returns a signed ticket that the client presents to the other daemons (OSDs, MDSs) to authenticate itself and prove what it is authorized to do.

Detailed Description

The first step is to let the authentication step use Kerberos. Instead of storing a shared secret, the mon would store the Kerberos principal associated with each Ceph user. The client would obtain a service ticket for the mon from the KDC, pass it to the mon during the initial handshake, and the mon would validate it with the Kerberos libraries (against the keytab of its own service principal). If the ticket is authentic, everything else proceeds as before: the mon issues the user a cephx ticket for doing real work. Initially this requires that every user be defined in the Ceph user db with a mapping to a Kerberos principal, i.e. Kerberos is used only for authentication and the existing db still supplies the capabilities.
To use existing infrastructure for authorization as well (and avoid defining individual users in the Ceph user db), there are a few different paths:

  • Use LDAP from the mon to map an authenticated principal to its capabilities. This fits traditional Unix Kerberos environments, where group membership lives in LDAP.
  • Parse the AD authorization data carried in the Kerberos ticket (the PAC) to determine the user's group membership and derive authorization from it. There are implementation challenges here (which existing projects can we leverage to avoid reimplementing the PAC parsing) and configuration challenges (how do we interpret the AD credentials and map them onto Ceph roles and capabilities).
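The mon-side decision that both paths above lead to is the same: take the principal that Kerberos has just authenticated, enforce a realm policy, and either find the explicit user-db entry (Kerberos-for-authentication-only) or derive capabilities from directory group membership. The following Python is an added illustration of that decision, not Ceph code; the user db, directory contents, group-to-caps policy, principal names and the "client.<name>" entity convention are all constructed assumptions. Group identifiers are treated as opaque strings so the same policy serves LDAP DNs and PAC group SIDs, and a principal that authenticates but maps to nothing is denied rather than given default access.

```python
"""Mapping an authenticated Kerberos principal to Ceph capabilities on the mon.

Constructed example. USER_DB, DIRECTORY_GROUPS and GROUP_CAPS are hypothetical
sample data, not Ceph's real structures; Ceph's cap syntax is only used in its
simplest "allow ..." forms.
"""

# Realms the mon trusts. A principal from any other realm (for example one
# reached through a cross-realm trust nobody configured for Ceph) is rejected
# even if its ticket validated cryptographically. (Assumed policy.)
TRUSTED_REALMS = {"EXAMPLE.COM"}

# Path 1: the Ceph user db with an explicit Kerberos principal per entity.
# Kerberos supplies authentication only; caps still come from this db.
USER_DB = {
    "client.alice": {
        "krb_principal": "alice@EXAMPLE.COM",
        "caps": {"mon": "allow r", "osd": "allow rw pool=data"},
    },
    "client.backup": {
        "krb_principal": "backup/host1.example.com@EXAMPLE.COM",
        "caps": {"mon": "allow r", "osd": "allow r"},
    },
}

# Path 2: group membership from the directory (constructed). Keys are opaque
# group identifiers, so LDAP DNs and PAC group SIDs work the same way.
DIRECTORY_GROUPS = {
    "alice@EXAMPLE.COM": ["cn=ceph-admins,ou=groups,dc=example,dc=com"],
    "bob@EXAMPLE.COM": [
        "cn=ceph-readers,ou=groups,dc=example,dc=com",
        "cn=rbd-users,ou=groups,dc=example,dc=com",
    ],
    "carol@EXAMPLE.COM": ["S-1-5-21-1111111111-2222222222-3333333333-1105"],
    "dave@EXAMPLE.COM": ["cn=unrelated-team,ou=groups,dc=example,dc=com"],
}

# Operator-written policy: group identifier -> per-service Ceph caps (constructed).
GROUP_CAPS = {
    "cn=ceph-admins,ou=groups,dc=example,dc=com": {"mon": "allow *", "osd": "allow *", "mds": "allow *"},
    "cn=ceph-readers,ou=groups,dc=example,dc=com": {"mon": "allow r", "osd": "allow r"},
    "cn=rbd-users,ou=groups,dc=example,dc=com": {"osd": "allow rw pool=rbd"},
    "S-1-5-21-1111111111-2222222222-3333333333-1105": {"mon": "allow r", "osd": "allow rw pool=data"},
}


def normalize_principal(principal, trusted_realms=TRUSTED_REALMS):
    """Canonicalize 'name@REALM' and enforce the realm allow-list.

    The name component is case-sensitive in Kerberos, so only the realm is
    upper-cased. Returns None for malformed or untrusted principals.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        return None
    realm = realm.upper()
    if realm not in trusted_realms:
        return None
    return f"{name}@{realm}"


def entity_for_principal(principal, user_db=USER_DB):
    """Path 1: exact match of the authenticated principal against the user db."""
    for entity, rec in user_db.items():
        if rec["krb_principal"] == principal:
            return entity
    return None


def merge_caps(cap_sets):
    """Union per-service grants into one Ceph cap string per service.

    Ceph cap strings accept several comma-separated grants ("allow r, allow rw
    pool=rbd"), so merging is a de-duplicated join rather than a precedence rule.
    """
    merged = {}
    for caps in cap_sets:
        for service, grant in caps.items():
            grants = merged.setdefault(service, [])
            if grant not in grants:
                grants.append(grant)
    return {service: ", ".join(grants) for service, grants in merged.items()}


def authorize(raw_principal, user_db=USER_DB, groups=DIRECTORY_GROUPS, policy=GROUP_CAPS):
    """Decide what a Kerberos-authenticated client may do.

    Returns (entity, caps) or None. An explicit user-db entry wins; otherwise
    caps are derived from directory groups; a principal that maps to nothing is
    denied even though it authenticated successfully.
    """
    principal = normalize_principal(raw_principal)
    if principal is None:
        return None
    entity = entity_for_principal(principal, user_db)
    if entity is not None:
        return entity, dict(user_db[entity]["caps"])
    cap_sets = [policy[g] for g in groups.get(principal, []) if g in policy]
    if not cap_sets:
        return None
    # No db entry: derive the entity name from the principal's name part (assumed convention).
    return f"client.{principal.split('@')[0]}", merge_caps(cap_sets)


if __name__ == "__main__":
    for p in ["alice@example.com", "bob@EXAMPLE.COM", "carol@EXAMPLE.COM",
              "dave@EXAMPLE.COM", "eve@OTHER.ORG", "nobody"]:
        print(p, "->", authorize(p))
```

Running it shows alice resolved through the user db, bob and carol through LDAP-style and SID-style groups respectively, and dave, eve and the realm-less "nobody" all denied. Real deployments would replace the constructed dictionaries with the user db lookup, an LDAP memberOf query, or the group SIDs extracted from the PAC, but the ordering of checks (realm, explicit mapping, group policy, deny) is the part worth keeping.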

Work items

Coding tasks

Build / release tasks

Documentation tasks

Deprecation tasks