Kerberos authn AD authnauthz » History » Version 1

Jessica Mack, 07/03/2015 07:12 PM

h1. Kerberos authn AD authnauthz

h3. Summary

Allow CLI users to authenticate via kerberos. Allow CLI users to authenticate *and* authorize via AD or LDAP.

h3. Owners

* Sage Weil (Red Hat)
* Name (Affiliation)
* Name

h3. Interested Parties

* Name (Affiliation)
* Name (Affiliation)
* Name

h3. Current Status

Internally Ceph uses 'cephx' to authenticate users via a shared secret. The monitors have a simple user database that maps users onto capabilities (and stores their secrets). The client authenticates against the monitor, and the mon provides the client with a signed ticket that can be presented to other daemons (osds, mdss) to authenticate and prove authorization.

h3. Detailed Description

The first step is to allow the authentication step to use kerberos.  Instead of storing a secret, the mon would store a kerberos user associated with the ceph user.  The client would request the ticket from kerberos, pass it to the mon during the initial handshake, and the mon would use the kerberos libs to authenticate the ticket.  If authentic, everything else proceeds as before (it provides the user with a cephx ticket to do real work).  This will initially require that users be defined in the ceph user db that map to kerberos users (i.e., we'll use kerberos only for authentication).
In order to use existing infrastructure for authorization as well (and avoid having to define individual users in the ceph user db), there are a few different paths.
* We can use LDAP in the mon to map authenticated users to their credentials. This will work in more traditional Unix kerberos environments.
* We can parse the AD blob in the kerberos ticket to determine what authorization the user has. There are some implementation challenges here (what existing projects can we leverage to avoid reimplementing this) and some configuration challenges (how do we interpret the AD credentials and map that onto ceph roles).
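The two modes sketched above (kerberos for authentication only, with users still defined in the ceph user db; and authorization derived from LDAP/AD group membership) can be modelled as a small mon-side lookup. The following is an added illustration, not Ceph code and not part of this blueprint: the kerberos ticket verification itself (done by the kerberos libs in the real design) is left out, and everything starts from the principal name that such a verification would yield. The user db, realm list, group DNs, SID and role map are all constructed sample values. Two details worth noting in the design: the principal is matched on its full `name@REALM` form against a list of trusted realms, so an identically named user from another realm is not confused with a local one, and a principal whose groups map to nothing ends up with no caps rather than some default.

```python
"""Toy model of the mon-side authn/authz flow from the blueprint.
Constructed illustration; not Ceph code.  Kerberos ticket verification is
assumed to have already happened and produced `principal`."""

# --- Mode 1: kerberos for authentication only; caps still come from the
# ceph user db.  The stored principal replaces the stored cephx secret.
USER_DB = {  # constructed sample of the mon's user db
    "client.admin": {"principal": "alice@EXAMPLE.COM",
                     "caps": {"mon": "allow *", "osd": "allow *", "mds": "allow *"}},
    "client.backup": {"principal": "backup@EXAMPLE.COM",
                      "caps": {"mon": "allow r", "osd": "allow r"}},
}

TRUSTED_REALMS = {"EXAMPLE.COM"}  # constructed; realms the mon accepts


def split_principal(principal):
    """Split 'name@REALM'; reject anything without both halves."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name, realm


def lookup_entity(principal, user_db=USER_DB):
    """Map an authenticated principal to a ceph entity, or None.
    Matching is on the full principal, so 'alice@OTHER.COM' does not
    resolve to the entity defined for 'alice@EXAMPLE.COM'."""
    _, realm = split_principal(principal)
    if realm not in TRUSTED_REALMS:
        return None
    for entity, rec in user_db.items():
        if rec["principal"] == principal:
            return entity
    return None


def authenticate_only(principal):
    """Mode 1 result: (entity, caps) from the ceph user db, or None."""
    entity = lookup_entity(principal)
    if entity is None:
        return None
    return entity, dict(USER_DB[entity]["caps"])


# --- Mode 2: authorization from directory groups (LDAP group DNs or AD
# group SIDs parsed from the ticket), no per-user entry in the ceph user db.
ROLE_MAP = {  # constructed role map: group -> caps per daemon type
    "cn=ceph-admins,ou=groups,dc=example,dc=com":
        {"mon": "allow *", "osd": "allow *", "mds": "allow *"},
    "cn=ceph-readers,ou=groups,dc=example,dc=com":
        {"mon": "allow r", "osd": "allow r"},
    "S-1-5-21-1111-2222-3333-1105":  # sample AD group SID (constructed)
        {"osd": "allow rw pool=backup"},
}


def merge_caps(cap_sets):
    """Union caps per daemon: 'allow *' dominates, otherwise distinct
    grant clauses are joined with ', ' as in cephx cap strings."""
    merged = {}
    for caps in cap_sets:
        for daemon, cap in caps.items():
            cur = merged.get(daemon)
            if cur == "allow *" or cap == "allow *":
                merged[daemon] = "allow *"
            elif cur is None:
                merged[daemon] = cap
            elif cap not in cur.split(", "):
                merged[daemon] = cur + ", " + cap
    return merged


def authorize_from_groups(principal, groups, role_map=ROLE_MAP):
    """Mode 2 result: ('client.<name>', caps) derived from group membership.
    Groups absent from the role map contribute nothing (deny by default);
    a principal with no mapped group is rejected rather than given defaults."""
    name, realm = split_principal(principal)
    if realm not in TRUSTED_REALMS:
        return None
    caps = merge_caps(role_map[g] for g in groups if g in role_map)
    if not caps:
        return None
    return f"client.{name}", caps


if __name__ == "__main__":
    print(authenticate_only("alice@EXAMPLE.COM"))
    print(authorize_from_groups("carol@EXAMPLE.COM", [
        "cn=ceph-readers,ou=groups,dc=example,dc=com",
        "S-1-5-21-1111-2222-3333-1105",
        "cn=unrelated,ou=groups,dc=example,dc=com",
    ]))
```

The role map is where the "how do we map AD credentials onto ceph roles" question lands: keeping it an explicit, reviewable table in mon configuration, with unknown groups ignored, is the simplest answer and is what the example assumes.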

h3. Work items

h4. Coding tasks

# Task 1
# Task 2
# Task 3

h4. Build / release tasks

# Task 1
# Task 2
# Task 3

h4. Documentation tasks

# Task 1
# Task 2
# Task 3

h4. Deprecation tasks

# Task 1
# Task 2
# Task 3