This charm supports the use of Kerberos as a security mechanism for authentication through keystone.
Keystone is the identity service used by OpenStack for authentication and high-level authorisation.
The keystone-kerberos subordinate charm allows for per-domain authentication via a Kerberos ticket, thereby providing an additional layer of security. It is used in conjunction with the keystone charm.
An external Kerberos server is a prerequisite.
Note: The keystone-kerberos charm is supported starting with OpenStack Queens.
Warning: This charm is in a preview state and should not be used in production. See the OpenStack Charm Guide for more information on preview charms.
This section covers common and/or important configuration options. See file config.yaml for the full list of options, along with their descriptions and default values. See the Juju documentation for details on configuring applications.
- kerberos-realm: supplies the external Kerberos realm name (upper case).
- kerberos-server: supplies the external Kerberos server hostname.
- kerberos-domain: the OpenStack domain against which Kerberos authentication should be used.

kerberos.yaml contains the deployment configuration:

```yaml
keystone-kerberos:
  kerberos-realm: "PROJECT.SERVERSTACK"
  kerberos-server: "freeipa.project.serverstack"
  kerberos-domain: "k8s"
```
Deploy keystone-kerberos with other essential applications:
```shell
juju deploy keystone
juju deploy openstack-dashboard
juju deploy --config kerberos.yaml --resource keystone_keytab=/home/ubuntu/keystone.keytab keystone-kerberos
juju add-relation keystone openstack-dashboard
juju add-relation keystone keystone-kerberos
```
See the next section for retrieving the keytab file. It can also be added to the application post-deploy:
```shell
juju attach-resource keystone-kerberos keystone_keytab=keystone.keytab
```
Kerberos pre-requisites - the Keystone service keytab
In an external Kerberos server, a service must be created for the Keystone Principal.
First determine the FQDN of the Keystone server. For example:
Ensure that the Keystone server can resolve the Kerberos server hostname. If it can't, consider adding an entry to
In the Kerberos server, create the host and service. This example is based on a FreeIPA Kerberos server:
```shell
ipa host-add keystone-server.project.serverstack --ip-address=10.0.0.2
ipa service-add HTTP/keystone-server.project.serverstack
ipa service-add-host HTTP/keystone-server.project.serverstack --hosts=keystone-server.project.serverstack
```
If you have multiple Keystone servers, you should add each host to the principal:
```shell
ipa host-add-principal keystone-server HTTP/<keystone-other-hostname>@PROJECT.SERVERSTACK
```
Retrieve the keytab associated with this service:
```shell
ipa-getkeytab -p HTTP/keystone-server.project.serverstack -k keystone.keytab
```
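Before attaching the keytab, it is worth confirming that it matches the charm configuration above: the realm must be upper case and the keytab must hold an HTTP/&lt;keystone-fqdn&gt;@REALM key for every Keystone host. The following pre-flight check is an added example, not part of the charm; it assumes the `klist -kt` output format of MIT Kerberos and uses a constructed sample of that output.

```python
import re
from typing import Dict, List

# Deployment config, as given in kerberos.yaml on this page
CONFIG: Dict[str, str] = {
    "kerberos-realm": "PROJECT.SERVERSTACK",
    "kerberos-server": "freeipa.project.serverstack",
    "kerberos-domain": "k8s",
}

# Constructed sample of `klist -kt keystone.keytab` output (not captured from a real host)
KLIST_OUTPUT = """Keytab name: FILE:keystone.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/02/2024 10:15:00 HTTP/keystone-server.project.serverstack@PROJECT.SERVERSTACK
"""

# KVNO, date, time, principal; header and separator lines do not match
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(?P<princ>\S+)$")


def keytab_principals(klist_text: str) -> List[str]:
    """Principals listed in `klist -kt` output, in order, without duplicates."""
    found: List[str] = []
    for line in klist_text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m and m.group("princ") not in found:
            found.append(m.group("princ"))
    return found


def check_config(cfg: Dict[str, str]) -> List[str]:
    """Problems with the charm options; the realm must be present and in caps."""
    problems = [f"{k} is not set" for k in ("kerberos-realm", "kerberos-server", "kerberos-domain") if not cfg.get(k)]
    realm = cfg.get("kerberos-realm", "")
    if realm and realm != realm.upper():
        problems.append(f"kerberos-realm {realm!r} must be upper case")
    return problems


def check_keytab(cfg: Dict[str, str], principals: List[str], keystone_fqdns: List[str]) -> List[str]:
    """Each Keystone host needs HTTP/<fqdn>@<realm> in the keytab, and no foreign-realm keys."""
    realm = cfg.get("kerberos-realm", "")
    problems = [f"keytab has no entry for HTTP/{f}@{realm}" for f in keystone_fqdns
                if f"HTTP/{f}@{realm}" not in principals]
    problems += [f"keytab principal {p} is not in realm {realm}" for p in principals if not p.endswith("@" + realm)]
    return problems


def preflight(cfg: Dict[str, str], klist_text: str, keystone_fqdns: List[str]) -> List[str]:
    """Empty list means the config and keytab are consistent and safe to attach."""
    return check_config(cfg) + check_keytab(cfg, keytab_principals(klist_text), keystone_fqdns)
```

Run `preflight(CONFIG, klist_output, [fqdn, ...])` with the real `klist -kt keystone.keytab` output and the FQDN of every Keystone unit; any returned message points at a host whose principal was not added to the service.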
Authenticate from a host
The below steps show how to authenticate from a host using the
Ensure that the following software is installed on the host:
```shell
sudo apt install krb5-user python3-openstackclient python3-requests-kerberos
```
Retrieve a token for an existing user in the Kerberos/LDAP directory.
Source the OpenStack rc file.
Where the contents of
```shell
export OS_AUTH_URL=http://kerberos-server.project.serverstack:5000/krb/v3
export OS_PROJECT_ID=<projectID>
export OS_PROJECT_NAME=<kerberos_domain>   # e.g. k8s
export OS_PROJECT_DOMAIN_ID=<domainID>
export OS_REGION_NAME="RegionOne"
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_TYPE=v3kerberos
```
Test the client:

```shell
openstack token issue
```
Please report bugs on Launchpad.
For general charm questions refer to the OpenStack Charm Guide.
- (boolean) Enable debug logging
- (string) Custom name for UI
- (string) The OpenStack domain against which Kerberos authentication should be used.
- (string) The domain over which a Kerberos authentication server has the authority to authenticate a user, host or service. It is often the upper case version of the name of the DNS domain over which it presides, e.g. REALM.COM. Must be in caps.
- (string) Kerberos server name. Typically, the server name is composed of a name followed by the realm name, e.g. krb5.realm.com
- (string) TLS CA to use to communicate with other components in a deployment. __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
- (string) TLS certificate to install and use for any listening services. __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
- (string) TLS key to use with certificate specified as ``ssl_cert``. __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
- (boolean) OpenStack mostly defaults to using public endpoints for internal communication between services. If set to True, this option will configure services to use internal endpoints where possible.
- (boolean) Setting this to True will allow supporting services to log to syslog.
- (boolean) Enable verbose logging