On 12/20/2010 07:56 AM, Hugh Brock wrote:
> On Fri, Dec 17, 2010 at 08:24:57PM -0500, Mohammed Morsi wrote:
>> <snip>
> This looks great Mo. I have one question: Have you looked at all at
> IPA certificate manager/PKI management capability? I would have
> thought there was a way to automate the distribution of ssl certs much
> like the automated distribution of kerb keytabs.

Yes, FreeIPA supports this capability:
http://freeipa.org/page/Certificate_Management

We would still need to set up Kerberos keytabs (through FreeIPA) to authenticate the clients requesting the certificates, but that should be straightforward to do in the recipe.

> Also, did you look specifically at dealing with qmf and kerberos?

QMF supports Kerberos, but at the QPID broker level. AFAIK there is currently no way to use Kerberos to manage which objects and methods on those objects are available to which users, but for now this probably is unneeded and what is supported is good enough:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/1.3/html/Messaging_User_Guide/chap-Messaging_User_Guide-Security.html

> Finally, we're going to need understanding of and documentation of how
> we would integrate with an org's existing Kerberos infrastructure
> (linux/unix only of course, Active Directory can be later).

AFAIK this shouldn't be an issue; if a Kerberos instance is already in place, all we need to do is add principals for the various deltacloud services and clients, and Kerberos should handle the rest. We could provide a script as part of the recipe to configure an existing Kerberos instance.

> If you would, please look at the above issues and send out a revision
> of this as soon as you can.

From your feedback, I think three additional tasks are needed:

- instead of setting up and assigning the SSL certificates manually, we need to set up FreeIPA and Kerberos to authenticate the endpoints requesting them and automatically hand them out
- we need to configure the qpid broker and client to make use of Kerberos policies when determining what has access to those services
- we need to provide a means to set up additional Kerberos policies as part of the recipe, not touching existing ones, should Kerberos already be set up.

If Kerberos is installed but not FreeIPA, we need to only install the additional FreeIPA components and/or provide a means to migrate from the existing Kerberos setup to the new one.

I believe this covers it. If anything else looks off shout out, else I'll start implementing this in conjunction w/ Mike's recipe feedback.

-Mo

_______________________________________________
deltacloud-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/deltacloud-devel
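As an added illustration of the third task above (adding principals and keytabs for the deltacloud services on a KDC that may already be in use, without touching what is already there), the following POSIX shell sketch is not Mo's code or part of the deltacloud recipe. It assumes an MIT-style `kadmin.local` on the KDC host, hypothetical service names (`deltacloud-core`, `condor`, `qpidd`), a placeholder realm `EXAMPLE.COM` and a keytab directory under `/etc/deltacloud`; on a FreeIPA server the same steps would normally go through `ipa service-add` and `ipa-getcert` instead. Every mutating command is guarded by an existence check, so re-running the recipe on a provisioned host is a no-op rather than a key rotation.

```shell
#!/bin/sh
# Added example: idempotent provisioning of Kerberos service principals and
# keytabs for deltacloud components on an existing KDC. Not the project's
# own recipe code. KADMIN, REALM and KEYTAB_DIR are assumptions that can be
# overridden from the environment (useful for dry runs with a wrapper).

KADMIN="${KADMIN:-kadmin.local}"                    # MIT Kerberos admin CLI
REALM="${REALM:-EXAMPLE.COM}"                       # placeholder realm
KEYTAB_DIR="${KEYTAB_DIR:-/etc/deltacloud/keytabs}" # hypothetical location

# principal_exists NAME -> success if NAME@REALM is already in the KDC database.
# getprinc prints "Principal: NAME@REALM" on success; we grep for that rather
# than relying on kadmin's exit status, which older releases did not set.
principal_exists() {
    $KADMIN -q "getprinc $1@$REALM" 2>/dev/null | grep -q "^Principal: "
}

# ensure_principal NAME -> create NAME@REALM with a random key only if it is
# missing. Prints "exists" or "created" so callers can log what happened.
ensure_principal() {
    if principal_exists "$1"; then
        echo "exists"
    else
        $KADMIN -q "addprinc -randkey $1@$REALM" >/dev/null || return 1
        echo "created"
    fi
}

# ensure_keytab NAME FILE -> export NAME's key into FILE (ktadd) unless FILE
# already exists. ktadd rotates the key, so skipping on re-run keeps already
# provisioned hosts working. Prints "kept" or "written".
ensure_keytab() {
    if [ -f "$2" ]; then
        echo "kept"
    else
        $KADMIN -q "ktadd -k $2 $1@$REALM" >/dev/null || return 1
        chmod 600 "$2"   # keytab is a long-term secret; owner-only access
        echo "written"
    fi
}

# provision_all HOST -> one service principal and keytab per deltacloud
# component on HOST. Prints "ok" when every step succeeded.
provision_all() {
    host="$1"
    for svc in deltacloud-core condor qpidd; do   # hypothetical service names
        ensure_principal "$svc/$host" >/dev/null || return 1
        ensure_keytab "$svc/$host" "$KEYTAB_DIR/$svc.keytab" >/dev/null || return 1
    done
    echo "ok"
}
```

To dry-run the recipe against a fake KDC, point `KADMIN` at a wrapper function or script that answers `getprinc` queries from a list and records `addprinc`/`ktadd` calls; the existence checks are what keep an already configured realm untouched.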
