Why?
I recently had cause to try to get federated logins working on Openstack, using Kerberos as an identity provider. I couldn’t find anything on the Internet that described this in a simple way that is understandable by a relative newbie to Openstack, so this post is attempting to do that, because it has taken me a long time to find and digest all the info scattered around. Unfortunately the actual Openstack docs are a little incoherent at the moment.
Assumptions
- I’ve tried to get this working on older versions of Openstack but the reality is that unless you’re using Kilo or above it is going to be an uphill task, as the various parts (changes in Keystone and Horizon) don’t really come together until that release.
- I’m only covering the case of getting this working in devstack.
- I’m assuming you know a little about Kerberos, but not too much 🙂
- I’m assuming you already have a fairly vanilla installation of Kilo devstack in a separate VM or container.
- I use Ubuntu server. Some things will almost certainly need tweaking for other OSes.
Overview
The federated logins in Openstack work by using Apache modules to provide a remote user ID, rather than credentials in Keystone. This allows for a lot of flexibility but also provides a lot of pain points as there is a huge amount of configuration. The changes described below show how to configure Apache, Horizon and Keystone to do all of this.
Important!Ă‚Â Follow these instructions very carefully. Kerberos is extremely fussy, and the configuration in Openstack is rather convoluted.
Pre-requisites
If you don’t already have a Kerberos server, you can install one by followingĂ‚Â https://help.ubuntu.com/community/Kerberos
The Kerberos server needs a service principal for Apache so that Apache can connect. You need to generate a keytab for Apache, and to do that you need to know the hostname for the container/VM where you are running devstack and Apache. Assuming it’s simply called ‘devstackhost’:
$ kadmin -p <your admin principal> kadmin: addprinc -randkey HTTP/devstackhost kadmin: ktadd -k keytab.devstackhost HTTP/devstackhost
This will write a file called keytab.devstackhost, you need to copy it to your devstack host under /etc/apache2/auth/
You can test that this works with:
$ kinit -k -t /etc/apache2/auth/keytab.devstackhost HTTP/devstackhost
You may need to install the krb5-user package to get kinit. If there is no problem then the command prompt just reappears with no error. If it fails then check that you got the keytab filename right and that the principal name is correct. You can also try using kinit with a known user to see if the underlying Kerberos install is right (the realm and the key server must have been configured correctly, installing any kerberos package usually prompts to set these up).
Finally, the keytab file must be owned by www-data and read/write only by that user:
$ sudo chown www-data /etc/apache2/auth/keytab.devstackhost $ sudo chmod 0600 /etc/apache2/auth/keytab.devstackhost
Apache Configuration
Install the Apache Kerberos module:
$ sudo apt-get install libapache2-mod-auth-kerb
Edit the /etc/apache2/sites-enabled/keystone.conf file. You need to make sure the mod_auth_kerb module is installed, and add extra Kerberos config.
LoadModule auth_kerb_module modules/mod_auth_kerb.so <VirtualHost *:5000> ... # KERB_ID must match the IdP set in Openstack. SetEnv KERB_ID KERB_ID <Location ~ "kerberos" > AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate on KrbServiceName HTTP KrbSaveCredentials on KrbLocalUserMapping on KrbAuthRealms MY-REALM.COM Krb5Keytab /etc/apache2/auth/keytab.devstackhost KrbMethodK5Passwd on #optional-- if 'off' makes GSSAPI SPNEGO a requirement Require valid-user </Location>
Note:
- Don’t forget to edit theĂ‚Â KrbAuthRealms setting to your own realm.
- Don’t forget to editĂ‚Â Krb5Keytab to match your keytab filename
- Pretty much all browsers don’t support SPNEGO out of the box, soĂ‚Â KrbMethodK5Passwd is enabled here which will make the browser pop up one of its own dialogs prompting for credentials (more on that later). If this is off, the browser must support SPNEGO which will fetch the Kerberos credentials from your user environment, assuming the user is already authenticated.
- If you are using Apache 2.2 (used on Ubuntu 12.04) then KrbServiceName must be configured as HTTP/devstackhost (change devstackhost to match your own host name). This config is so that Apache uses the service principal name that we set up in the Kerberos server above.
Keystone configuration
Federation must be explicitly enabled in the keystone config.
http://docs.openstack.org/developer/keystone/extensions/federation.html explains this, but to summarise:
Edit /etc/keystone/keystone.conf and add the driver:
[federation] driver = keystone.contrib.federation.backends.sql.Federation trusted_dashboard = http://devstackhost/auth/websso sso_callback_template = /etc/keystone/sso_callback_template.html
(Change “devstackhost” again)
Copy the callback template to the right place:
$ cp /opt/stack/keystone/etc/sso_callback_template.html /etc/keystone/
Enable kerberos in the auth section of /etc/keystone/keystone.conf :
[auth] methods = external,password,token,saml2,kerberos kerberos = keystone.auth.plugins.mapped.Mapped
Set the remote_id_attribute, which tells Openstack which IdP was used:
[kerberos] remote_id_attribute = KERB_ID
Add the middleware to keystone-paste.conf. ‘federation_extension’ should be the second last entry in the pipeline:api_v3 entry:
[pipeline:api_v3] pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension service_v3
Now we have to create the database tables for federation:
$ keystone-manage db_sync --extension federation
Openstack Configuration
Federation must use the v3 API in Keystone. Get the Openstack RC file from the API access tab of Access & Security and then source it to get the shell API credentials set up. Then:
$ export OS_AUTH_URL=http://$HOSTNAME:5000/v3 $ export OS_IDENTITY_API_VERSION=3 $ export OS_USERNAME=admin
Test this by trying something like:
$ openstack project list
Now we have to set up the mapping between remote and local users. I’m going to add a new local group and map all remote users to that group. The mapping is defined with a blob of json and it’s currently very badly documented (although if you delve into the keystone unit tests you’ll see a bunch of examples). Start by making a file called add-mapping.json:
[
{
"local": [
{
"user": {
"name": "{0}",
"domain": {"name": "Default"}
}
},
{
"group": {
"id": "GROUP_ID"
}
}
],
"remote": [
{
"type": "REMOTE_USER"
}
]
}
]
Now we need to add this mapping using the openstack shell.
openstack group create krbusers
openstack role add --project demo --group krbusers member
openstack identity provider create kerb group_id=`openstack group list|grep krbusers|awk '{print $2}'`
cat add-mapping.json|sed s^GROUP_ID^$group_id^ > /tmp/mapping.json
openstack mapping create --rules /tmp/mapping.json kerberos_mapping
openstack federation protocol create --identity-provider kerb --mapping kerberos_mapping kerberos
openstack identity provider set --remote-id KERB_ID kerb
(I’ve left out the command prompt so you can copy and paste this directly)
What did we just do there?
In my investigations, the part above took me the longest to figure out due to the current poor state of the docs. But basically:
- Create a group krbusers to which all federated users will map
- Make sure the group is in the demo project
- Create a new identity provider which is linked to the group we just created (the API frustratingly needs the ID, not the name, hence the shell machinations)
- Create the new mapping, then link it to a new “protocol” called kerberos which connects the mapping to the identity provider.
- Finally, make sure the remote ID coming from Apache is linked to the identity provider. This makes sure that any requests from Apache are routed to the correct mapping. (Remember above in the Apache configuration that we set KERB_ID in the request environment? This is an arbitrary label but they need to match.)
After all this, we have a new group in Keystone called krbusers that will contain any user provided by Kerberos.
Ok, we’re nearly there! Onwards to …
Horizon Configuration
Web SSO must be enabled in Horizon. Edit the config at /opt/stack/horizon/openstack_dashboard/local/local_settings.py and make sure the following settings are set at the bottom:
WEBSSO_ENABLED = True
WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
("kerberos", _("Kerberos")),
)
WEBSSO_INITIAL_CHOICE="kerberos"
COMPRESS_OFFLINE=True
OPENSTACK_KEYSTONE_DEFAULT_ROLE="Member"
OPENSTACK_HOST="$HOSTNAME"
OPENSTACK_API_VERSIONS = {
"identity": 3
}
OPENSTACK_KEYSTONE_URL="http://$HOSTNAME:5000/v3"
Make sure $HOSTNAME is actually the host name for your devstack instance.
Now, restart apache
$ sudo service apache2 restart
and you should be able to test that the federation part of Keystone is working by visiting this URL
http://$HOSTNAME:5000/v3/OS-FEDERATION/identity_providers/kerb/protocols/kerberos/auth
You’ll get a load of json back if it worked OK.
You can now test the websso part of Horizon by going here:
http://$HOSTNAME:5000/v3/auth/OS-FEDERATION/websso/kerberos?origin=http://$HOSTNAME/auth/websso/
You should get a browser dialog which asks for Kerberos credentials, and if you get through this OK you’ll see the sso_callback_template returned to the browser.
Trying it out!
If you don’t have any users in your Kerberos realm, it’s easy to add one:
$ ktadmin ktadmin: addprinc -randkey <NEW USER NAME> ktadmin: cpw -pw <NEW PASSWORD> <NEW USER NAME>
Now visit your Openstack dashboard and you should see something like this:
Click “Connect” and log in and you should be all set.