On 12/20/2010 07:56 AM, Hugh Brock wrote:
> On Fri, Dec 17, 2010 at 08:24:57PM -0500, Mohammed Morsi wrote:
> > <snip>
> This looks great Mo. I have one question: Have you looked at all at
> IPA certificate manager/PKI management capability? I would have
> thought there was a way to automate the distribution of ssl certs much
> like the automated distribution of kerb keytabs.
Yes, FreeIPA supports this capability:
http://freeipa.org/page/Certificate_Management
We would still need to set up Kerberos keytabs (through FreeIPA) to
authenticate the clients requesting the certificates, but that should be
straightforward to do in the recipe.
> Also, did you look specifically at dealing with qmf and kerberos?
QMF supports Kerberos, but at the QPID broker level. AFAIK there is
currently no way to use Kerberos to manage which objects and methods on
those objects are available to which users, but for now this probably is
unneeded and what is supported is good enough:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/1.3/html/Messagi...
> Finally, we're going to need understanding of and documentation of how
> we would integrate with an org's existing Kerberos infrastructure
> (linux/unix only of course, Active Directory can be later).
AFAIK this shouldn't be an issue; if a Kerberos instance is already in
place, all we need to do is add principals for the various deltacloud
services and clients, and Kerberos should handle the rest. We could
provide a script as part of the recipe to configure an existing Kerberos
instance.
> If you would, please look at the above issues and send out a revision
> of this as soon as you can.
From your feedback, I think three additional tasks are needed:
- instead of setting up and assigning the ssl certificates manually,
we need to set up FreeIPA and Kerberos to authenticate the end points
requesting them and automatically hand them out
- we need to configure the qpid broker and client to make use of
Kerberos policies when determining what has access to those services
- we need to provide a means to set up additional Kerberos policies
as part of the recipe, not touching existing ones, should Kerberos
already be set up. If Kerberos is installed but not FreeIPA, we need to
only install the additional FreeIPA components and/or provide a means to
migrate from the existing Kerberos setup to the new one.
I believe this covers it. If anything else looks off, shout out; else
I'll start implementing this in conjunction w/ Mike's recipe feedback.
-Mo
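As an added example (not from this thread or the deltacloud project), a sketch of the enrollment script Mo mentions: it uses the FreeIPA CLI to add a service principal for each deltacloud endpoint, pull its keytab, and have certmonger request and renew the SSL cert, so the keytab rather than a hand-placed cert authenticates the request. The realm, host names and service names are placeholder assumptions; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: enroll deltacloud service endpoints in an
# existing FreeIPA realm so they get Kerberos keytabs and SSL certs automatically.
# Assumptions (placeholders): realm EXAMPLE.COM, IPA server ipa.example.com,
# services "deltacloud" and "qpidd" on hosts under example.com.
# DRY_RUN=0 runs the commands for real; that needs an IPA-enrolled host,
# a kinit'd admin ticket and certmonger installed.

REALM="${REALM:-EXAMPLE.COM}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Kerberos service principal name: service/fqdn@REALM
principal() {
  printf '%s/%s@%s' "$1" "$2" "$REALM"
}

# Register one endpoint: create its principal, fetch the keytab into a
# root-only file (ipa-getkeytab re-keys the principal, so run it once per host),
# then ask certmonger to request a cert bound to that principal and keep it renewed.
enroll_service() {
  svc="$1"; host="$2"
  p="$(principal "$svc" "$host")"
  keytab="/etc/$svc.keytab"
  run ipa service-add "$p"
  run ipa-getkeytab -s "$IPA_SERVER" -p "$p" -k "$keytab"
  run chmod 600 "$keytab"
  run ipa-getcert request -K "$p" -N "CN=$host" -D "$host" \
      -k "/etc/pki/tls/private/$svc.key" -f "/etc/pki/tls/certs/$svc.crt"
}

# Enroll the recipe's endpoints; principals already in the realm are left untouched.
enroll_all() {
  enroll_service deltacloud api.example.com
  enroll_service qpidd broker.example.com
}

if [ "${1:-}" = "--enroll" ]; then enroll_all; fi
```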