[rhos-list] Openstack GSSAIP (Kerberos 5) and sasl for services question

Paul Robert Marino prmarino1 at gmail.com
Wed Oct 30 16:14:53 UTC 2013


I've been looking over this doc because I would like to secure the
backend component of OpenStack with Kerberos.
http://openstack.redhat.com/Keystone_integration_with_IDM

I don't want to do a full IPA server for this, just Kerberos, which for
the most part is fairly simple.
I already have a preexisting Heimdal Kerberos 5 server cluster from
another project which I can utilize in the environment; it works fine
with the MIT client libraries and does its own replication without
using LDAP as a backend.

So far most of it seems fairly straightforward, but I found one thing
in the doc that's messy, and I was hoping the doc is out of date and
maybe there is a cleaner solution. Here is what I have an issue with:

"
The problem with this is that the key we just obtained is only good
for a specified period of time: 24 hours by default. Once 24 hours
passes the Kerberos ticket will no longer be valid and nova and cinder
will no longer be able to communicate with qpidd.

The fix for now is to create a cron job which will renew these credentials.
"
I also assume the same would be true for all of the OpenStack services,
not just nova and cinder.
Has the ability to specify and utilize a keytab been added, or does
anyone know if there are any plans to add the feature in the future? If
not, who should I be nagging :-) .
Really it needs to be added to all of the OpenStack services if it
isn't there already.
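The cron-job workaround quoted above, as an added example that is not part of the original post, the linked RDO document, or any OpenStack project code: it parses the default MIT `klist` output for the service's credential cache, checks how long the TGT has left, and re-runs `kinit -k -t` from a keytab (no password on disk, no interactive prompt) when the margin is too small. The keytab path, principal, cache location and the `klist` output below are constructed placeholders, not values from the page.

```python
"""Keytab-based refresh of a service's Kerberos credential cache.

Added example; not from the rhos-list post or the RDO doc it quotes.
Assumes MIT klist's default row layout ("MM/DD/YY HH:MM:SS") and the
hypothetical keytab/principal/cache values below.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Hypothetical deployment values (assumptions, adjust for your hosts).
KEYTAB = "/etc/nova/nova.keytab"
PRINCIPAL = "nova/compute01.example.com@EXAMPLE.COM"
CCACHE = "/var/run/nova/krb5cc"
REALM = "EXAMPLE.COM"

# Constructed `klist -c /var/run/nova/krb5cc` output for a TGT that was
# obtained with the default 24h lifetime.
SAMPLE_KLIST = """\
Ticket cache: FILE:/var/run/nova/krb5cc
Default principal: nova/compute01.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
10/30/13 16:14:53  10/31/13 16:14:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# One ticket row: valid-from, expires, service principal.
_ROW = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


def tgt_expiry(klist_output, realm):
    """Expiry of the krbtgt/REALM@REALM entry, or None if no TGT is cached."""
    wanted = "krbtgt/%s@%s" % (realm, realm)
    for line in klist_output.splitlines():
        m = _ROW.match(line.strip())
        if m and m.group(3) == wanted:
            return datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S")
    return None


def seconds_left(klist_output, realm, now):
    """Seconds until the cached TGT expires (0 if missing or already expired)."""
    exp = tgt_expiry(klist_output, realm)
    if exp is None:
        return 0
    return max(0, int((exp - now).total_seconds()))


def needs_renewal(klist_output, realm, now, margin=timedelta(hours=1)):
    """True when the TGT has less than `margin` left, so the cron run should kinit."""
    return seconds_left(klist_output, realm, now) < margin.total_seconds()


def kinit_command(keytab=KEYTAB, principal=PRINCIPAL, ccache=CCACHE):
    """kinit invocation that authenticates from a keytab into a fixed cache.

    -k: use a keytab instead of a password; -t: which keytab; -c: which cache.
    """
    return ["kinit", "-k", "-t", keytab, "-c", ccache, principal]


def renew_if_needed(klist_output, realm, now, run=subprocess.run):
    """Run kinit from the keytab if the TGT is about to expire.

    Returns the command that was run, or None when nothing needed doing.
    `run` is injectable so the decision logic can be exercised without
    a KDC on the box.
    """
    if not needs_renewal(klist_output, realm, now):
        return None
    cmd = kinit_command()
    run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; a real cron job would
    # feed it `subprocess.run(["klist", "-c", CCACHE], capture_output=True,
    # text=True).stdout` and pass datetime.now() as `now`.
    ran = []
    when = datetime(2013, 10, 31, 15, 30, 0)  # 44m53s before expiry
    print("seconds left:", seconds_left(SAMPLE_KLIST, REALM, when))
    print("ran:", renew_if_needed(SAMPLE_KLIST, REALM, when,
                                  run=lambda cmd, **kw: ran.append(cmd)))
```

Whether a cron job or the service itself does the refresh, the point of `kinit -k -t` is that the credential comes from the keytab rather than a stored password, and the margin keeps the service from ever hitting the window after expiry described in the doc.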
