
OpenNebulaConf 2016 - Sunstone integration with FreeIPA using Single Sign by Alvaro Simon, UGent


FreeIPA is an integrated identity and authentication solution for Linux and Unix environments. It provides centralized authentication and authorization information and also stores identity data such as user names, groups, hosts and many other objects used to manage the security of a network of computers. FreeIPA combines several technologies, but the core of its authentication system is MIT Kerberos. Authentication is ticket based: users or nodes communicating over a non-secure network prove their identity with a ticket in order to access different services. In this talk we show how Sunstone authentication can be integrated with FreeIPA single sign-on thanks to the new Sunstone remote authentication plugin provided by OpenNebula. We describe how to set up Sunstone to use Kerberos authentication with Apache and the Phusion Passenger module. This configuration approach also changes the security mechanism libvirt uses for the connections between hypervisors: we explain how the host keytabs generated by FreeIPA can be used to secure the traffic between hypervisors when virtual machines have to be migrated across an insecure network.

Published in: Technology


  1. Sunstone integration with FreeIPA – Using Single Sign On. Álvaro Simón García, HPC UGent. OpenNebula Conference – October 26th 2016, Barcelona
  2. CONTENTS
     – Who are we?
     – Single Sign On requirements
     – About FreeIPA
     – How to Kerberise Sunstone
     – Links
  3. WHO ARE WE?
  4. HPC-UGent
     – Team within the ICT Department of Ghent University.
     – HPC-UGent provides centralised scientific computing services, training and support for researchers from Ghent University, industry and other knowledge institutes.
     – Partner of the Flemish Supercomputer Center (Vlaams Supercomputer Centrum, VSC).
  5. SSO REQUIREMENTS
  6. SSO requirements
     – It must give VSC users access to the HPC-UGent cloud infrastructure.
     – It must be secure: user connections must be encrypted, with the service authenticated by host certificates (TLS).
     – Username/password logins must be disabled.
     – It must be easy to use.
  7. ABOUT FREEIPA
  8. FreeIPA
     – An integrated security information management solution built on GNU/Linux, 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag.
     – Consists of a web interface and command-line administration tools.
     – Provides centralized authentication, authorization and account information.
     – Provides redundancy and scalability.
     – Single Sign On authentication is provided by the MIT Kerberos KDC.
  11. KERBERISE SUNSTONE
  12. Requirements
     – A working Kerberos KDC service.
     – The Sunstone service run by Passenger inside Apache.
     – A cron script/daemon (or an IPA LDAP lookup) to synchronize the internal OpenNebula users with the FreeIPA database. It is used to enable/disable known users in the OpenNebula database.
  13. Apache configuration example

        LoadModule auth_gssapi_module modules/mod_auth_gssapi.so

        <VirtualHost *:443>
            ServerName myhost.example.com
            PassengerUser oneadmin
            DocumentRoot /usr/lib/one/sunstone/public
            <Directory /usr/lib/one/sunstone/public>
                AuthType GSSAPI
                AuthName "Kerberos login"
                # keytab holding the HTTP/myhost.example.com service key; keep it
                # readable by the Apache worker user only
                GssapiCredStore keytab:/etc/http.keytab
                # never negotiate Kerberos over plain HTTP
                GssapiSSLonly On
                Require valid-user
                AllowOverride all
                Options -MultiViews
            </Directory>
        </VirtualHost>
  14. The magic of REMOTE_USER
     – Since OpenNebula 4.14 Sunstone includes a new authentication mechanism: remote.
     – No more usernames/passwords: authentication is delegated to a 3rd party (similar to x509 auth).
     – OpenNebula tries to match the REMOTE_USER set by Apache against the "new_user@REALM" value stored for the account in order to map the login to that account. The account is created with:

        $ oneuser create new_user "new_user@REALM" --driver public
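The sync script required on slide 12 and the REMOTE_USER mapping on slide 14 fit together in one tool, shown here as an added example that is not the talk's own script. It assumes, beyond what the slides state, that FreeIPA users are fetched with `ipa user-find --all --raw` (or an LDAP search returning nsaccountlock and memberOf), that OpenNebula users come from `oneuser list --xml`, that only members of a FreeIPA group named `cloud-users` are entitled to a Sunstone account, and a realm of EXAMPLE.COM; both inputs are constructed samples embedded in the block. It stores the full Kerberos principal as the account credential because mod_auth_gssapi sets REMOTE_USER to `user@REALM` unless `GssapiLocalName On` strips the realm, and it only ever disables public-driver accounts, so VMs and images keep a valid owner.

```python
"""Plan the FreeIPA -> OpenNebula user synchronisation (added example).

Assumed inputs: `ipa user-find --all --raw` (or LDAP) for FreeIPA and
`oneuser list --xml` for OpenNebula. Only the assumed group `cloud-users`
entitles a user to a Sunstone account.
"""
import shlex
import subprocess
import xml.etree.ElementTree as ET

REALM = "EXAMPLE.COM"                    # assumed Kerberos realm
IPA_GROUP = "cloud-users"                # assumed entitlement group
PROTECTED = {"oneadmin", "serveradmin"}  # local accounts the sync never touches

# Constructed sample of what the IPA lookup returns.
IPA_USERS = [
    {"uid": "alice", "nsaccountlock": False, "memberof": ["cloud-users", "hpc"]},
    {"uid": "bob",   "nsaccountlock": True,  "memberof": ["cloud-users"]},
    {"uid": "carol", "nsaccountlock": False, "memberof": ["hpc"]},
    {"uid": "dave",  "nsaccountlock": False, "memberof": ["cloud-users"]},
]

# Constructed sample of `oneuser list --xml`, trimmed to the relevant elements.
ONE_USER_POOL = """<USER_POOL>
  <USER><ID>0</ID><NAME>oneadmin</NAME><PASSWORD>5baa61e4</PASSWORD>
        <AUTH_DRIVER>core</AUTH_DRIVER><ENABLED>1</ENABLED></USER>
  <USER><ID>2</ID><NAME>alice</NAME><PASSWORD>alice@EXAMPLE.ORG</PASSWORD>
        <AUTH_DRIVER>public</AUTH_DRIVER><ENABLED>0</ENABLED></USER>
  <USER><ID>3</ID><NAME>bob</NAME><PASSWORD>bob@EXAMPLE.COM</PASSWORD>
        <AUTH_DRIVER>public</AUTH_DRIVER><ENABLED>1</ENABLED></USER>
  <USER><ID>4</ID><NAME>carol</NAME><PASSWORD>carol@EXAMPLE.COM</PASSWORD>
        <AUTH_DRIVER>public</AUTH_DRIVER><ENABLED>1</ENABLED></USER>
  <USER><ID>5</ID><NAME>erin</NAME><PASSWORD>erin@EXAMPLE.COM</PASSWORD>
        <AUTH_DRIVER>public</AUTH_DRIVER><ENABLED>1</ENABLED></USER>
</USER_POOL>"""


def parse_one_users(pool_xml):
    """NAME -> {password, driver, enabled} from a USER_POOL document."""
    users = {}
    for u in ET.fromstring(pool_xml).findall("USER"):
        users[u.findtext("NAME")] = {
            "password": u.findtext("PASSWORD"),
            "driver": u.findtext("AUTH_DRIVER"),
            "enabled": u.findtext("ENABLED") == "1",
        }
    return users


def entitled_ipa_users(ipa_users):
    """uid -> active? for the IPA users that belong to the entitlement group."""
    return {u["uid"]: not u["nsaccountlock"]
            for u in ipa_users if IPA_GROUP in u["memberof"]}


def plan_sync(ipa_users, one_users):
    """Return (commands, warnings); commands are argv lists for oneuser.

    New accounts get the Kerberos principal as credential and the public
    driver so Sunstone's remote auth can match REMOTE_USER against it.
    """
    wanted = entitled_ipa_users(ipa_users)
    cmds, warnings = [], []
    for name, active in sorted(wanted.items()):
        principal = f"{name}@{REALM}"
        one = one_users.get(name)
        if one is None:
            if active:
                cmds.append(["oneuser", "create", name, principal, "--driver", "public"])
            continue
        if one["driver"] != "public":
            warnings.append(f"{name}: exists with driver {one['driver']}, left alone")
            continue
        if one["password"] != principal:  # REMOTE_USER would never match this account
            warnings.append(f"{name}: stored {one['password']!r} != {principal!r}")
        if active and not one["enabled"]:
            cmds.append(["oneuser", "enable", name])
        elif not active and one["enabled"]:
            cmds.append(["oneuser", "disable", name])
    for name, one in sorted(one_users.items()):
        if name in wanted or name in PROTECTED or one["driver"] != "public":
            continue
        if one["enabled"]:  # public-driver account with no IPA entitlement any more
            cmds.append(["oneuser", "disable", name])
    return cmds, warnings


def apply_plan(cmds, dry_run=True):
    """Print the commands (dry run) or execute them, e.g. from oneadmin's cron."""
    for argv in cmds:
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    commands, notes = plan_sync(IPA_USERS, parse_one_users(ONE_USER_POOL))
    apply_plan(commands)  # dry run over the constructed sample
    for note in notes:
        print("WARNING:", note)
```

Run as oneadmin with `dry_run=False` once the printed plan looks right. Deleting accounts is deliberately not in the plan: a departed user's VMs and images would lose their owner, and disabling is enough to stop the REMOTE_USER match from logging them in.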
  15. Sunstone – Kerberos authentication (architecture diagram). Components shown: Kerberos KDC, HPC UGent Accounting, ONEconnector, users sync script, REMOTE_USER, kinit username, Kerberised libvirt service.
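The "Kerberised libvirt service" in the diagram is the hypervisor side the abstract mentions (host keytabs from FreeIPA securing migrations over an insecure network). The slides give no configuration for it, so the fragments below are an added example, not the talk's own files; the hostnames, the realm, the keytab path and the oneadmin principal are assumptions. With SASL/GSSAPI the Kerberos session key wraps the libvirt channel, which is what protects a live migration on an untrusted network, and the allowed-username list restricts who may open that channel at all.

```ini
# /etc/libvirt/libvirtd.conf on every hypervisor (assumed host hv1.example.com)
listen_tls = 0
listen_tcp = 1
auth_tcp = "sasl"
# only the OpenNebula service identity may open the TCP (migration) channel
sasl_allowed_username_list = ["oneadmin@EXAMPLE.COM"]

# /etc/sasl2/libvirt.conf: GSSAPI only, keyed by a libvirt/<host> principal
# obtained from FreeIPA with (assumed IPA server ipa.example.com):
#   ipa service-add libvirt/hv1.example.com
#   ipa-getkeytab -s ipa.example.com -p libvirt/hv1.example.com@EXAMPLE.COM -k /etc/libvirt/krb5.tab
mech_list: gssapi
keytab: /etc/libvirt/krb5.tab

# /var/lib/one/remotes/vmm/kvm/kvmrc on the front-end (OpenNebula 5.2 path):
# migrate over the Kerberised TCP transport instead of the default qemu+ssh
export QEMU_PROTOCOL=qemu+tcp
```

Two checks before relying on this: libvirtd of that era only honours listen_tcp when started with `--listen` (LIBVIRTD_ARGS in /etc/sysconfig/libvirtd), and the oneadmin account on the source hypervisor must hold a valid ticket when `virsh migrate` runs, so it needs a keytab-based `kinit` kept fresh by cron or a similar helper; `virsh -c qemu+tcp://hv2.example.com/system list` from hv1 as oneadmin is the quickest way to confirm both.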
  16. LINKS
  17. Links
     – OpenNebula remote user documentation: http://docs.opennebula.org/5.2/deployment/sunstone_setup/suns_auth.html
     – FreeIPA: https://www.freeipa.org/page/Main_Page
     – Enterprise desktop with FreeIPA and GNOME (FOSDEM): https://archive.fosdem.org/2016/schedule/event/freeipa_gnome/
  18. Álvaro Simón García, HPC and Cloud systems administrator, HPC UGent, DICT, Ghent University. E: hpc@ugent.be – www.ugent.be/hpc/en – @HPCUGent
