OpenNebulaConf 2016 - Sunstone integration with FreeIPA using Single Sign by Alvaro Simon, UGent
TRANSCRIPT
Sunstone integration with FreeIPA
Using Single Sign On
ÁLVARO SIMÓN GARCÍA - HPC UGENT
OpenNebula Conference – October 26th 2016 Barcelona
CONTENTS
– Who are we?
– Single Sign On requirements
– About FreeIPA
– How to Kerberise Sunstone
– Links
WHO ARE WE?
HPC-UGent
– Team within the ICT Department of Ghent University.
– HPC-UGent provides centralised scientific services, training and support for researchers from Ghent University, industry and other knowledge institutes.
– Partner of the Flemish Supercomputer Center (Vlaams Supercomputer Centrum - VSC).
SSO REQUIREMENTS
SSO requirements
– It should give VSC users access to the HPC-UGent cloud infrastructure.
– Must be secure: user connections must be encrypted, with the service authenticated by host certificates.
– Disable username/password logins.
– Easy to use.
ABOUT FREEIPA
FreeIPA
– An integrated security information management solution based on GNU/Linux, 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag technologies.
– Consists of a web interface and command-line administration tools.
– Provides centralized authentication, authorization and account information.
– Provides redundancy and scalability.
– Single Sign On authentication is provided via the MIT Kerberos KDC.
KERBERISE SUNSTONE
Requirements
– A working Kerberos KDC service.
– Sunstone service executed by Passenger in Apache.
– A cron script/daemon (or the IPA LDAP) to synchronize the internal OpenNebula users with the FreeIPA database.
  ● Used to enable/disable known users in the OpenNebula DB.
Apache configuration example

```apache
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so

<VirtualHost *:443>
    ServerName myhost.example.com
    # TLS directives (SSLEngine on, certificate and key files) are not shown on the slide
    # Sunstone runs in-process under Passenger as the oneadmin user (mod_passenger must be loaded)
    PassengerUser oneadmin
    DocumentRoot /usr/lib/one/sunstone/public
    <Directory /usr/lib/one/sunstone/public>
        # SPNEGO/Kerberos login using the HTTP/myhost.example.com key stored in the keytab
        AuthType GSSAPI
        AuthName "Kerberos login"
        GssapiCredStore keytab:/etc/http.keytab
        # Refuse to negotiate over plain HTTP, so the service ticket only travels inside TLS
        GssapiSSLonly On
        # Any principal with a valid ticket is accepted; narrow it with "Require user ..." if needed.
        # With GssapiLocalName at its default (Off), REMOTE_USER is the full principal, e.g. user@REALM
        Require valid-user
        AllowOverride all
        Options -MultiViews
    </Directory>
</VirtualHost>
```

Check: an unauthenticated request to https://myhost.example.com/ must be answered with 401 and a "WWW-Authenticate: Negotiate" header; after kinit, `curl --negotiate -u : https://myhost.example.com/` should reach Sunstone.
The magic of REMOTE_USER
– Since OpenNebula 4.14 Sunstone includes a new authentication mechanism: remote.
– No more usernames/passwords: authentication is delegated to a third party in front of Sunstone (similar to X509 auth).
– OpenNebula maps the session by matching the REMOTE_USER value set by Apache against the "new_user@REALM" identifier stored with the account (the password field of a user created with the public driver).

$ oneuser create new_user "new_user@REALM" --driver public
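The user sync script from the requirements slide and the REMOTE_USER mapping above, as an added example (not the HPC-UGent script from the talk): it plans the `oneuser` commands that bring OpenNebula's user table in line with FreeIPA, creating missing accounts with the public driver and the `uid@REALM` identifier that mod_auth_gssapi puts in REMOTE_USER, disabling locked or vanished accounts rather than deleting them (they may own VMs and images), and warning about records whose identifier can never match. Because the remote driver trusts whatever identity the web server hands it, the script also refuses to act on an empty FreeIPA listing, which would otherwise disable every account. The realm EXAMPLE.COM, the protected account names, the `ipa user-find --all --raw` line format and both sample listings are assumptions constructed for the example.

```python
# Added example (not the HPC-UGent sync script shown in the talk).
# Plans the oneuser commands that bring OpenNebula's user table in line with FreeIPA.
import subprocess
import xml.etree.ElementTree as ET

REALM = "EXAMPLE.COM"                    # assumption: Kerberos realm of the FreeIPA domain
PROTECTED = {"oneadmin", "serveradmin"}  # assumption: built-in ONE accounts the sync never touches

# Constructed sample of `ipa user-find --all --raw --sizelimit=0` output (format assumed).
IPA_SAMPLE = """\
--------------
4 users matched
--------------
  uid: alice
  nsaccountlock: FALSE

  uid: bob
  nsaccountlock: TRUE

  uid: carol
  nsaccountlock: FALSE

  uid: erin
  nsaccountlock: FALSE
----------------------------
Number of entries returned 4
----------------------------
"""

# Constructed sample of `oneuser list --xml` output (only the elements used here).
ONE_SAMPLE = """\
<USER_POOL>
  <USER><ID>0</ID><NAME>oneadmin</NAME><PASSWORD>sha256hash</PASSWORD><AUTH_DRIVER>core</AUTH_DRIVER><ENABLED>1</ENABLED></USER>
  <USER><ID>3</ID><NAME>alice</NAME><PASSWORD>alice@EXAMPLE.COM</PASSWORD><AUTH_DRIVER>public</AUTH_DRIVER><ENABLED>1</ENABLED></USER>
  <USER><ID>4</ID><NAME>bob</NAME><PASSWORD>bob@EXAMPLE.COM</PASSWORD><AUTH_DRIVER>public</AUTH_DRIVER><ENABLED>1</ENABLED></USER>
  <USER><ID>5</ID><NAME>dave</NAME><PASSWORD>dave@EXAMPLE.COM</PASSWORD><AUTH_DRIVER>public</AUTH_DRIVER><ENABLED>1</ENABLED></USER>
  <USER><ID>6</ID><NAME>erin</NAME><PASSWORD>erin</PASSWORD><AUTH_DRIVER>public</AUTH_DRIVER><ENABLED>1</ENABLED></USER>
</USER_POOL>
"""


def parse_ipa_users(text):
    """Return {uid: locked} from `ipa user-find --all --raw` output (entries separated by blank lines)."""
    users, uid, locked = {}, None, False
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = line.strip()
        if not line:
            if uid:
                users[uid] = locked
            uid, locked = None, False
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "uid":
            uid = value
        elif key == "nsaccountlock":
            locked = value.lower() == "true"
    return users


def parse_one_users(xml_text):
    """Return {name: (auth_driver, password_field, enabled)} from `oneuser list --xml`."""
    users = {}
    for u in ET.fromstring(xml_text).findall("USER"):
        users[u.findtext("NAME")] = (u.findtext("AUTH_DRIVER"), u.findtext("PASSWORD"),
                                     u.findtext("ENABLED") == "1")
    return users


def plan_sync(ipa_users, one_users, realm=REALM):
    """Return (commands, warnings); commands are argv lists for oneuser, in execution order."""
    if not ipa_users:
        raise RuntimeError("empty FreeIPA listing, refusing to disable every account")
    cmds, warns = [], []
    for uid, locked in sorted(ipa_users.items()):
        principal = f"{uid}@{realm}"  # what mod_auth_gssapi places in REMOTE_USER
        if uid in PROTECTED:
            continue
        if uid not in one_users:
            if not locked:
                cmds.append(["oneuser", "create", uid, principal, "--driver", "public"])
            continue
        driver, ident, enabled = one_users[uid]
        if driver != "public" or ident != principal:
            warns.append(f"{uid}: ONE record is {driver}/{ident!r}, expected public/{principal!r}; "
                         "REMOTE_USER will not match this account")
        if locked and enabled:
            cmds.append(["oneuser", "disable", uid])
        elif not locked and not enabled:
            cmds.append(["oneuser", "enable", uid])
    # Accounts gone from FreeIPA are disabled, never deleted: they may still own VMs or images.
    for name, (driver, _, enabled) in sorted(one_users.items()):
        if name not in PROTECTED and name not in ipa_users and driver == "public" and enabled:
            cmds.append(["oneuser", "disable", name])
    return cmds, warns


def apply_plan(cmds, dry_run=True):
    """Print each command; execute it (as oneadmin, with ONE_AUTH set) only when dry_run is False."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    plan, warnings = plan_sync(parse_ipa_users(IPA_SAMPLE), parse_one_users(ONE_SAMPLE))
    for w in warnings:
        print("WARNING:", w)
    apply_plan(plan, dry_run=True)
```

In production the two samples are replaced by the real command output (restricted to the VSC users, for instance with `ipa user-find --in-groups=...`), and the script runs from cron as oneadmin with `dry_run=False`.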
Sunstone – Kerberos authentication
Diagram (labels only, the figure is not in the transcript): Kerberos KDC; HPC UGent Accounting; ONE connector; Users sync script; REMOTE_USER; kinit username; Kerberised libvirt service.
LINKS
Links
– OpenNebula remote user documentation:
  ● http://docs.opennebula.org/5.2/deployment/sunstone_setup/suns_auth.html
– FreeIPA:
  ● https://www.freeipa.org/page/Main_Page
– Enterprise desktop with FreeIPA and GNOME (FOSDEM):
  ● https://archive.fosdem.org/2016/schedule/event/freeipa_gnome/
Álvaro Simón García
HPC and Cloud systems administrator
HPC UGent DICT
www.ugent.be/hpc/en
@HPCUGent
Ghent University