opennebulaconf 2016 - sunstone integration with freeipa using single sign by alvaro simon, ugent
TRANSCRIPT
Sunstone integration with FreeIPA – Using Single Sign On
ÁLVARO SIMÓN GARCÍA - HPC UGENT
OpenNebula Conference – October 26th 2016 Barcelona
CONTENTS
– Who are we?
– Single Sign On requirements
– About FreeIPA
– Howto Kerberise Sunstone
– Links
WHO ARE WE?
HPC-UGent
– Team within ICT Department of Ghent University.
– HPC-UGent provides centralised scientific services, training and support
for researchers from Ghent university, industry and other knowledge
institutes.
– Partner of Flemish Supercomputer Center (Vlaams Supercomputer
Centrum - VSC)
SSO REQUIREMENTS
SSO requirements
– It should provide access for the VSC users to the HPC UGent cloud infrastructure.
– Must be secure. User connections must be encrypted by host certificates.
– Disable username/password logins.
– Easy to use.
ABOUT FREEIPA
FreeIPA
– An integrated security information management solution based on GNU/Linux, 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag technologies.
– Consists of a web interface and command-line administration tools.
– Provides centralized authentication, authorization and account information.
– Provides redundancy and scalability.
– Single Sign On authentication is provided via the MIT Kerberos KDC.
KERBERISE SUNSTONE
Requirements
– A working Kerberos KDC service.
– Sunstone service executed by Passenger in Apache.
– A cron script/daemon (or IPA ldap) to synchronize the internal OpenNebula users with the FreeIPA database.
  ● Used to enable/disable known users in OpenNebula db.
Apache configuration example

# mod_auth_gssapi performs the Kerberos (SPNEGO) negotiation and sets REMOTE_USER
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so

<VirtualHost *:443>
    ServerName myhost.example.com
    PassengerUser oneadmin
    DocumentRoot /usr/lib/one/sunstone/public
    <Directory /usr/lib/one/sunstone/public>
        AuthType GSSAPI
        AuthName "Kerberos login"
        # HTTP/myhost.example.com service principal keytab, readable by Apache only
        GssapiCredStore keytab:/etc/http.keytab
        # refuse to authenticate over plain HTTP; tickets only travel over TLS
        GssapiSSLonly On
        Require valid-user
        AllowOverride all
        Options -MultiViews
    </Directory>
</VirtualHost>
The magic of REMOTE_USER
– Since OpenNebula 4.14 a new Sunstone authentication mechanism is included: remote.
– No more usernames/passwords: it allows a 3rd party to handle authentication (similar to X509 auth).
– OpenNebula will try to find a match between our REMOTE_USER and “new_user@REALM” to map our account.
$ oneuser create new_user "new_user@REALM" --driver public
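The user sync job from the requirements slide and the REMOTE_USER mapping above, as an added example that is not from the talk: it takes the set of FreeIPA users and the current OpenNebula users and produces the oneuser commands a cron run would execute, plus the lookup Sunstone's remote driver has to make. The realm, the user names and the helper names are assumptions; inputs are constructed, a real job would read `ipa user-find` and `oneuser list` output.

```python
"""FreeIPA -> OpenNebula user sync planner (added example, assumed names)."""
from dataclasses import dataclass
from typing import Optional

REALM = "EXAMPLE.COM"  # assumption: realm served by the FreeIPA KDC
BUILTIN = {"oneadmin", "serveradmin"}  # OpenNebula's own accounts, never synced


@dataclass(frozen=True)
class OneUser:
    name: str
    password: str  # with --driver public this field holds "user@REALM"
    enabled: bool


def expected_principal(username: str) -> str:
    """What mod_auth_gssapi puts in REMOTE_USER for this FreeIPA user."""
    return f"{username}@{REALM}"


def match_remote_user(remote_user: str, one_users: list[OneUser]) -> Optional[str]:
    """Sunstone 'remote' mapping: REMOTE_USER must equal an enabled user's
    stored principal; disabled or unknown principals get no account."""
    for u in one_users:
        if u.enabled and u.password == remote_user:
            return u.name
    return None


def plan_sync(ipa_users: set[str], one_users: list[OneUser]) -> list[str]:
    """Return the oneuser commands that bring OpenNebula in line with FreeIPA."""
    cmds: list[str] = []
    known = {u.name for u in one_users}
    # New FreeIPA users get a public-driver account keyed by their principal.
    for name in sorted(ipa_users - known):
        cmds.append(f'oneuser create {name} "{expected_principal(name)}" --driver public')
    for u in one_users:
        if u.name in BUILTIN:
            continue
        if u.name in ipa_users:
            if not u.enabled:  # user is back in FreeIPA: re-enable
                cmds.append(f"oneuser enable {u.name}")
            if u.password != expected_principal(u.name):  # stale mapping: login would fail
                cmds.append(f'oneuser passwd {u.name} "{expected_principal(u.name)}"')
        elif u.enabled:  # gone from FreeIPA: keep the account and its VMs, block logins
            cmds.append(f"oneuser disable {u.name}")
    return cmds
```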
Sunstone – Kerberos authentication
[Diagram: Kerberos KDC; HPC UGent Accounting; ONE connector; Users sync script; REMOTE_USER; kinit username; Kerberised libvirt service]
LINKS
Links
– OpenNebula remote user documentation:
  ● http://docs.opennebula.org/5.2/deployment/sunstone_setup/suns_auth.html
– FreeIPA:
  ● https://www.freeipa.org/page/Main_Page
– Enterprise desktop with FreeIPA and GNOME (FOSDEM):
  ● https://archive.fosdem.org/2016/schedule/event/freeipa_gnome/
Álvaro Simón García
HPC and Cloud systems administrator
HPC UGent DICT
www.ugent.be/hpc/en
Ghent University
@HPCUGent