Kerberos is a computer network authentication protocol which works on the basis of ‘tickets’ to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is the basis for authentication to AFS.
At a Glance¶
OpenStack runs a Kerberos
realm contains a
Key Distribution Center or KDC which is spread
across a primary and a replica, as well as an admin server which only
runs on the primary.
Most of the configuration is in Ansible, but management of user
accounts, known as
principals, is a manual task for
Realm creation is exercised by the Ansible roles during testing, but is not expected to be used in production (because we have an active realm/database).
The general process is:
create the new Kerberos database on the primary
distribute the database
stashfile from the primary to replicas, to allow them to unencrypt the database propogated to them. This is created from a master key kept as a secret.
create an admin user (password saved in file on primary server)
add host principals for the primary and replica servers
create keytabs on primary and replica servers (via the admin user), which allows them to authenticate to each other.
setup database propogation from primary to replicas with
kprop(primary-side push) and
In a disaster recovery situation, we can provision a fresh realm and recover principals from backup dumps.
Adding A User Principal¶
First, ensure the user has an entry in Ansible so they have a Unix shell account on our hosts. SSH access is not necessary, but keeping track of usernames and uids with account entries is necessary.
If you are already an admin, you should authenicate with
<username>/admin. Otherwise you can use the
kadmin) on the primary server, which by-passes
authenication and writes to the database directly.
kadmin to add the principal like so:
kadmin: addprinc $USERNAME@OPENSTACK.ORG
Where $USERNAME is the lower-case username of their unix account in Ansible. OPENSTACK.ORG should be capitalized.
If you are adding an admin principal, use username/admin@OPENSTACK.ORG. Admins should additionally have regular user principals.
Adding A Service Principal¶
A service principal is one that corresponds to an application rather than a person. There is no difference in their implementation, only in conventions around how they are created and used. Service principals are created without passwords and keytab files are used instead for authentication. The program k5start can use keytab files to automatically obtain Kerberos credentials (and AFS if needed).
Add the service principal to Kerberos using kadmin (while authenticated as a Kerberos admin) or kadmin.local on the kdc:
kadmin: addprinc -randkey service/$NAME@OPENSTACK.ORG
Where $NAME is the lower-case name of the service. OPENSTACK.ORG should be capitalized.
Then save the principal’s keytab:
kadmin: ktadd -k /path/to/$NAME.keytab service/$NAME@OPENSTACK.ORG
ktadd is run, the key is rotated and
previous keytabs are invalidated.
These keytabs are then usually converted to base-64 and stored as
secret variables, and deployed to hosts via Ansible.
mirror-update is probably a good example.
Resetting A User Principal’s Password¶
If you’ve forgotten your user password (it happens!) then from a
shell on one of the KDCs, execute
sudo kadmin.local and use the
cpw $USERNAME@OPENSTACK.ORG command and enter your new password
twice as prompted. If you need to reset your admin principal, use
cpw $USERNAME/admin@OPENSTACK.ORG instead.
No Service Outage Server Maintenance¶
Should you need perform maintenance on the Kerberos server that requires taking Kerberos processes offline you can do this by performing your updates on a single server at a time.
kdc03.openstack.org is our primary server and kdc04.openstack.org is the replica. Perform your maintenance on kdc04.openstack.org first. Then once that is done we can prepare for taking down the primary. On kdc03.openstack.org run:
You should see:
Database propagation to kdc04.openstack.org: SUCCEEDED
Once this is done the replica is ready and we can take kdc03 offline. When kdc03 is back online rerun run-kprop.sh to ensure everything is working again.
Kerberos uses the following DNS entries:
_kpasswd._udp.openstack.org. 300 IN SRV 0 0 464 kdc03.openstack.org. _kerberos-adm._tcp.openstack.org. 300 IN SRV 0 0 749 kdc03.openstack.org. _kerberos-master._udp.openstack.org. 300 IN SRV 0 0 88 kdc03.openstack.org. _kerberos._udp.openstack.org. 300 IN SRV 0 0 88 kdc03.openstack.org. _kerberos._udp.openstack.org. 300 IN SRV 0 0 88 kdc04.openstack.org. _kerberos.openstack.org. 300 IN TXT "OPENSTACK.ORG"
Be sure to update them if kdc servers change. We also maintain a CNAME for convenience which points to the master kdc:
kdc.openstack.org. 300 IN CNAME kdc03.openstack.org.