Mirantis OpenStack

  • Download

    Mirantis OpenStack is the zero lock-in distro that makes deploying your cloud easier, and more flexible, and more reliable.

  • On-Demand

    Mirantis OpenStack Express is on demand Private-Cloud-as-a-Service. Fire up your own cloud and deploy your workloads immediately.

Solutions Engineering

Services offerings for all phases of the OpenStack lifecycle, from green-field to migration to scale-out optimization, including Migration, Self-service IT as a Service (ITaaS), CI/CD. Learn More

Deployment and Operations

The deep bench of OpenStack infrrastructure experts has the proven experience across scores of deployments and uses cases, to ensure you get OpenStack running fast and delivering continuous ROI.

Driver Testing and Certification

Mirantis provides coding, testing and maintenance for OpenStack drivers to help infrastructure companies integrate with OpenStack and deliver innovation to cloud customers and operators. Learn More

Certification Exam

Know OpenStack? Prove it. An IT professional who has earned the Mirantis® Certificate of Expertise in OpenStack has demonstrated the skills, knowledge, and abilities needed to create, configure, and manage OpenStack environments.

OpenStack Bootcamp

New to OpenStack and need the skills to run an OpenStack cluster yourself? Our bestselling 3 day course gives you the hands-on knowledge you need.

OpenStack: Now

Your one stop for the latest news and technical updates from across OpenStack ecosystem and marketplace, for all the information you need stay on top of rapid the pace innovation.

Read the Latest

The #1 Pure Play OpenStack Company

Some vendors choose to “improve” OpenStack by salting it with their own exclusive technology. At Mirantis, we’re totally committed to keeping production open source clouds free of proprietary hooks or opaque packaging. When you choose to work with us, you stay in full control of your infrastructure roadmap.

Learn about Our Philosophy

OpenStack Nova and Dashboard authorization using existing LDAP

on May 27, 2011

Our current integration task involves using goSA as the central management utility. goSA internally uses the LDAP repository for all of its data. So we had to find a solution to make both OpenStack Nova and Dashboard authenticate and authorize users using goSA’s LDAP structures.

LDAP in Nova
Nova stores its users, projects and roles (global and per-project) in LDAP. Necessary schema files are in /nova/auth dir in the Nova source distribution. The following describes how Nova stores each of these object types.

Users are stored as objects with a novaUser class. They have mandatory accessKey,secretKey and isNovaAdmin (self-explanatory) attributes along with customizable attributes set by flags ldap_user_id_attribute (uid by default) andldap_user_name_attribute (cn). To use the latter ones, it assigns person,organizationalPerson and inetOrgPerson to all newly created users. All users are stored and searched for in the LDAP subtree defined by ldap_user_subtree andldap_user_unit.

If you want to manage user creation and deletion from some other place (such as goSA in our case), you can set the ldap_user_modify_only flag to True.

Projects are objects with the widely used groupOfNames class in the subtree defined by the ldap_project_subtree flag. Nova uses the cn attribute for the project name,description for description, member for the list of members’ DNs, owner for the project manager’s DN. All of these attributes are common for user (and any object) groups management, so it’s easy to integrate Nova projects with an existing user groups management system (e.g. goSA).

Roles are also stored as groupOfNames, with similar cn, description and memberattributes. Nova has hard-coded roles: cloudadmin, itsec, sysadmin, netadmin,developer. Global roles are stored in a subtree defined by role_project_subtree, cn’s are defined by the ldap_cloudadmin, ldap_itsec, ldap_sysadmin, ldap_netadmin andldap_developer flags respectively. Per-project roles are stored right under the project’s DN with cn set to the role’s name.

LDAP in Dashboard
To make Dashboard authorize users in LDAP, I use the django-ldap-auth module.
First, you need to install it using your preferred package manager (easy_install django-auth-ldap is sufficient). Second, you need to add it to Dashboard’slocal_settings.py in AUTHENTICATION_BACKENDS and set upAUTH_LDAP_SERVER_URI to your LDAP URI and AUTH_LDAP_USER_DN_TEMPLATE to Python’s template of users’ DN; in our case, it should be”ldap_user_id_attribute=%(user)s,ldap_user_subtree“.

Note that in local_settings.py you override default settings, so if you want to just add a backend to AUTHENTICATION_BACKENDS, you should use +=. Also if you want to totally disable ModelBackend like we did, you can use = as well.

Also note that to make Dashboard work, you’ll have to create an account in Nova with admin privileges and a project with the same name as the account. You can either set all parameters in LDAP by hand or add it using nova-manage user admin using one of usernames from LDAP.

Configuration examples
Let’s say goSA is managing the organization exampleorg in the domain example.comon LDAP at ldap://ldap.example.com. To make use of its users and groups for Nova’s user, projects and roles, we wrote configs like this:

--auth_driver=nova.auth.ldapdriver.LdapDriver
--ldap_url=ldap://ldap.example.com
--ldap_user_dn=<<ldap_user>>
--ldap_password=<<pass>>
--ldap_user_unit=people
--ldap_user_subtree=ou=people,o=exampleorg,dc=example,dc=com
--ldap_user_modify_only=True
--ldap_project_subtree=ou=groups,o=exampleorg,dc=example,dc=com
--role_project_subtree=ou=groups,o=exampleorg,dc=example,dc=com
AUTH_LDAP_SERVER_URI = "ldap://ldap.example.com"
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=people,o=exampleorg,dc=example,dc=com"
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
)

By the way, to make goSA the central user management utility, we created a special plugin that manages Nova users. The plugin can be found here. It looks like this:

gosa-nova

1 comment

One Response

  1. Bas Tichelaar

    Nice blogpost, thanks! Question, are you also managing the projects with GOsa? As I know GOsa works with gosaGroupOfNames and has currently no way of specifying a group owner…

    October 5, 2011 13:37

Some HTML is OK


or, reply to this post via trackback.