Kerberos authn AD authnauthz » History » Version 1
Jessica Mack, 07/03/2015 07:12 PM
h1. Kerberos authn AD authnauthz

h3. Summary

Allow CLI users to authenticate via Kerberos. Allow CLI users to authenticate *and* authorize via AD or LDAP.

h3. Owners

* Sage Weil (Red Hat)
* Name (Affiliation)
* Name

h3. Interested Parties

* Name (Affiliation)
* Name (Affiliation)
* Name

h3. Current Status

Internally Ceph uses 'cephx' to authenticate users via a shared secret. The monitors have a simple user database that maps users onto capabilities (and stores their secrets). The client authenticates against the monitor, and the mon provides the client with a signed ticket that can be presented to other daemons (osds, mdss) to authenticate and prove authorization.

h3. Detailed Description

The first step is to allow the authentication step to use Kerberos. Instead of storing a secret, the mon would store a Kerberos user associated with the ceph user. The client would request the ticket from Kerberos, pass it to the mon during the initial handshake, and the mon would use the Kerberos libs to authenticate the ticket. If authentic, everything else proceeds as before (it provides the user with a cephx ticket to do real work). This will initially require that users be defined in the ceph user db that map to Kerberos users (i.e., we'll use Kerberos only for authentication).

In order to use existing infrastructure for authorization as well (and avoid having to define individual users in the ceph user db), there are a few different paths:

* We can use LDAP in the mon to map authenticated users to their credentials. This will work in more traditional Unix Kerberos environments.
* We can parse the AD blob in the Kerberos ticket to determine what authorization the user has. There are some implementation challenges here (what existing projects can we leverage to avoid reimplementing this) and some configuration challenges (how do we interpret the AD credentials and map that onto ceph roles).
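As an added illustration of the two phases described above (this is not Ceph code and not part of the blueprint), the following Python sketches the mapping the mon would apply after the Kerberos libs have verified the ticket: the user-db binding of a principal to a ceph entity, and the directory-group-to-caps mapping that would replace per-user entries. The trusted realm list, the principal-to-entity table and the group names are constructed assumptions.

```python
import re
# Constructed configuration for this illustration, not Ceph settings.
TRUSTED_REALMS = {"EXAMPLE.COM"}            # realms the mon will accept
PRINCIPAL_TO_ENTITY = {                      # phase 1: mon user db binds a ceph
    "alice@EXAMPLE.COM": "client.alice",     # user to a Kerberos principal
}                                            # instead of storing a secret
GROUP_CAPS = {                               # phase 2: directory group -> caps
    "ceph-admins": {"mon": ["allow *"], "osd": ["allow *"], "mds": ["allow *"]},
    "ceph-rbd-users": {"mon": ["allow r"], "osd": ["allow rwx pool=rbd"]},
    "ceph-backup": {"mon": ["allow r"], "osd": ["allow r pool=rbd"]},
}
PRINCIPAL_RE = re.compile(r"^([a-z0-9._-]+)(/[^@]+)?@([A-Z0-9.-]+)$")

class AuthzError(ValueError):
    pass

def validate_principal(principal: str) -> str:
    """Accept only plain user principals from a trusted realm: 'alice/admin@REALM'
    is rejected instead of collapsed onto 'alice' (the classic auth_to_local
    mistake), and a foreign realm cannot mint an 'alice@OTHER.REALM' lookalike."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise AuthzError(f"malformed principal {principal!r}")
    _user, instance, realm = m.groups()
    if instance or realm not in TRUSTED_REALMS:
        raise AuthzError(f"principal not eligible for mapping: {principal!r}")
    return principal

def entity_for(principal: str) -> str:
    """Phase 1: look the verified principal up in the mon's user db."""
    entity = PRINCIPAL_TO_ENTITY.get(validate_principal(principal))
    if entity is None:
        raise AuthzError(f"no ceph user bound to {principal!r}")
    return entity

def caps_for(groups: list[str]) -> dict[str, str]:
    """Phase 2: union the caps of every known group into per-service strings.
    Unknown groups grant nothing; grants within one service are joined with
    ', ' (cephx accepts comma-separated grants) and 'allow *' subsumes them."""
    merged: dict[str, set[str]] = {}
    for g in groups:
        for svc, grants in GROUP_CAPS.get(g, {}).items():
            merged.setdefault(svc, set()).update(grants)
    if not merged:
        raise AuthzError("no group grants ceph access")
    return {svc: "allow *" if "allow *" in gr else ", ".join(sorted(gr))
            for svc, gr in sorted(merged.items())}

def authorize(principal: str, groups: list[str]) -> tuple[str, dict[str, str]]:
    return entity_for(principal), caps_for(groups)  # what the cephx ticket carries
```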

h3. Work items

h4. Coding tasks

# Task 1
# Task 2
# Task 3

h4. Build / release tasks

# Task 1
# Task 2
# Task 3

h4. Documentation tasks

# Task 1
# Task 2
# Task 3

h4. Deprecation tasks

# Task 1
# Task 2
# Task 3