LDAP/KRB5 authentication mode.

LDAP/KRB5 authentication mode.

[Daniel Oliveira]

Hi, 

I've talking to Kefu/Badone about the work in question and would like to help with that. 

Please, who should I talk to in order to understand where we are at and then start working on it? 

Thanks,
-Daniel 

Re: LDAP/KRB5 authentication mode

[Daniel Oliveira]

Hi Team, 

I haven't heard anything back on this, so just wondering if we know who
is working on this part of the project so we could help out?!

Thanks,
-Daniel 


On Thu, 2016-07-14 at 14:51 -0600, Daniel Oliveira wrote:
> Hi, 
> 
> I've talking to Kefu/Badone about the work in question and would like
> to help with that. 
> 
> Please, who should I talk to in order to understand where we are at
> and then start working on it? 
> 
> Thanks,
> -Daniel 
> 

Re: LDAP/KRB5 authentication mode

[Matt Benjamin]

Hi Daniel,

Sorry you haven't gotten a response.  There is work ongoing in the RGW standup related to using LDAP and krb5 (via STS) authentication systems in -RGW-.  Please consider coming to an RGW standup to sync up and discuss (though some details like design writeups of course come to this list).

If your interest is in general ceph and ceph messaging, I defer to others and other discussion--e.g., Msgr2.

Regards,

Matt

----- Original Message -----
> From: "Daniel Oliveira" <doliveira@suse.com>
> To: ceph-devel@vger.kernel.org
> Cc: sweil@redhat.com
> Sent: Tuesday, July 19, 2016 1:38:31 PM
> Subject: Re: LDAP/KRB5 authentication mode
> 
> Hi Team,
> 
> I haven't heard anything back on this, so just wondering if we know who
> is working on this part of the project so we could help out?!
> 
> Thanks,
> -Daniel
> 
> 
> On Thu, 2016-07-14 at 14:51 -0600, Daniel Oliveira wrote:
> > Hi,
> > 
> > I've talking to Kefu/Badone about the work in question and would like
> > to help with that.
> > 
> > Please, who should I talk to in order to understand where we are at
> > and then start working on it?
> > 
> > Thanks,
> > -Daniel
> > 
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-- 
Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103

http://www.redhat.com/en/technologies/storage

tel.  734-707-0660
fax.  734-769-8938
cel.  734-216-5309

Re: LDAP/KRB5 authentication mode

[Gregory Farnum]

On Tue, Jul 19, 2016 at 12:47 PM, Matt Benjamin <mbenjamin@redhat.com> wrote:
> Hi Daniel,
>
> Sorry you haven't gotten a response.  There is work ongoing in the RGW standup related to using LDAP and krb5 (via STS) authentication systems in -RGW-.  Please consider coming to an RGW standup to sync up and discuss (though some details like design writeups of course come to this list).
>
> If your interest is in general ceph and ceph messaging, I defer to others and other discussion--e.g., Msgr2.

Yeah, I don't think any work has been done on integrating Kerberos
into the monitor for log-in and getting ceph tickets etc yet. :(
-Greg

>
> Regards,
>
> Matt
>
> ----- Original Message -----
>> From: "Daniel Oliveira" <doliveira@suse.com>
>> To: ceph-devel@vger.kernel.org
>> Cc: sweil@redhat.com
>> Sent: Tuesday, July 19, 2016 1:38:31 PM
>> Subject: Re: LDAP/KRB5 authentication mode
>>
>> Hi Team,
>>
>> I haven't heard anything back on this, so just wondering if we know who
>> is working on this part of the project so we could help out?!
>>
>> Thanks,
>> -Daniel
>>
>>
>> On Thu, 2016-07-14 at 14:51 -0600, Daniel Oliveira wrote:
>> > Hi,
>> >
>> > I've talking to Kefu/Badone about the work in question and would like
>> > to help with that.
>> >
>> > Please, who should I talk to in order to understand where we are at
>> > and then start working on it?
>> >
>> > Thanks,
>> > -Daniel
>> >
>> --
>> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
> --
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
>
> http://www.redhat.com/en/technologies/storage
>
> tel.  734-707-0660
> fax.  734-769-8938
> cel.  734-216-5309
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: LDAP/KRB5 authentication mode

[Brad Hubbard]

On Wed, Jul 20, 2016 at 6:34 AM, Gregory Farnum <gfarnum@redhat.com> wrote:
> On Tue, Jul 19, 2016 at 12:47 PM, Matt Benjamin <mbenjamin@redhat.com> wrote:
>> Hi Daniel,
>>
>> Sorry you haven't gotten a response.  There is work ongoing in the RGW standup related to using LDAP and krb5 (via STS) authentication systems in -RGW-.  Please consider coming to an RGW standup to sync up and discuss (though some details like design writeups of course come to this list).
>>
>> If your interest is in general ceph and ceph messaging, I defer to others and other discussion--e.g., Msgr2.
>
> Yeah, I don't think any work has been done on integrating Kerberos
> into the monitor for log-in and getting ceph tickets etc yet. :(
> -Greg

I believe Daniel is referring to Msgr2 here.

Who's the best contact for auth integration work in regards to Msgr2?

>
>>
>> Regards,
>>
>> Matt
>>
>> ----- Original Message -----
>>> From: "Daniel Oliveira" <doliveira@suse.com>
>>> To: ceph-devel@vger.kernel.org
>>> Cc: sweil@redhat.com
>>> Sent: Tuesday, July 19, 2016 1:38:31 PM
>>> Subject: Re: LDAP/KRB5 authentication mode
>>>
>>> Hi Team,
>>>
>>> I haven't heard anything back on this, so just wondering if we know who
>>> is working on this part of the project so we could help out?!
>>>
>>> Thanks,
>>> -Daniel
>>>
>>>
>>> On Thu, 2016-07-14 at 14:51 -0600, Daniel Oliveira wrote:
>>> > Hi,
>>> >
>>> > I've talking to Kefu/Badone about the work in question and would like
>>> > to help with that.
>>> >
>>> > Please, who should I talk to in order to understand where we are at
>>> > and then start working on it?
>>> >
>>> > Thanks,
>>> > -Daniel
>>> >
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>
>> --
>> Matt Benjamin
>> Red Hat, Inc.
>> 315 West Huron Street, Suite 140A
>> Ann Arbor, Michigan 48103
>>
>> http://www.redhat.com/en/technologies/storage
>>
>> tel.  734-707-0660
>> fax.  734-769-8938
>> cel.  734-216-5309
>> --
>> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Cheers,
Brad

Re: LDAP/KRB5 authentication mode

[Gregory Farnum]

On Tue, Jul 19, 2016 at 5:28 PM, Brad Hubbard <bhubbard@redhat.com> wrote:
> On Wed, Jul 20, 2016 at 6:34 AM, Gregory Farnum <gfarnum@redhat.com> wrote:
>> On Tue, Jul 19, 2016 at 12:47 PM, Matt Benjamin <mbenjamin@redhat.com> wrote:
>>> Hi Daniel,
>>>
>>> Sorry you haven't gotten a response.  There is work ongoing in the RGW standup related to using LDAP and krb5 (via STS) authentication systems in -RGW-.  Please consider coming to an RGW standup to sync up and discuss (though some details like design writeups of course come to this list).
>>>
>>> If your interest is in general ceph and ceph messaging, I defer to others and other discussion--e.g., Msgr2.
>>
>> Yeah, I don't think any work has been done on integrating Kerberos
>> into the monitor for log-in and getting ceph tickets etc yet. :(
>> -Greg
>
> I believe Daniel is referring to Msgr2 here.
>
> Who's the best contact for auth integration work in regards to Msgr2?

There are msgr2 features designed to support this, but it's mostly the
same thing. Or at least, you certainly aren't going to be checking
external-server kerberos tickets every time a client connects to an
OSD — if you're running a kerberos server, that client will
authenticate on the monitor via kerberos, and then the monitor will
give it a ceph-specific thing for connecting to other servers. :)

Anyway, even if they weren't, I don't think any real work's been done
beyond speccing out the protocol.
-Greg
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: LDAP/KRB5 authentication mode

[Brad Hubbard]

On Tue, Jul 19, 2016 at 05:41:20PM -0700, Gregory Farnum wrote:
> On Tue, Jul 19, 2016 at 5:28 PM, Brad Hubbard <bhubbard@redhat.com> wrote:
> > On Wed, Jul 20, 2016 at 6:34 AM, Gregory Farnum <gfarnum@redhat.com> wrote:
> >> On Tue, Jul 19, 2016 at 12:47 PM, Matt Benjamin <mbenjamin@redhat.com> wrote:
> >>> Hi Daniel,
> >>>
> >>> Sorry you haven't gotten a response.  There is work ongoing in the RGW standup related to using LDAP and krb5 (via STS) authentication systems in -RGW-.  Please consider coming to an RGW standup to sync up and discuss (though some details like design writeups of course come to this list).
> >>>
> >>> If your interest is in general ceph and ceph messaging, I defer to others and other discussion--e.g., Msgr2.
> >>
> >> Yeah, I don't think any work has been done on integrating Kerberos
> >> into the monitor for log-in and getting ceph tickets etc yet. :(
> >> -Greg
> >
> > I believe Daniel is referring to Msgr2 here.
> >
> > Who's the best contact for auth integration work in regards to Msgr2?
> 
> There are msgr2 features designed to support this, but it's mostly the
> same thing. Or at least, you certainly aren't going to be checking
> external-server kerberos tickets every time a client connects to an
> OSD — if you're running a kerberos server, that client will
> authenticate on the monitor via kerberos, and then the monitor will
> give it a ceph-specific thing for connecting to other servers. :)
> 
> Anyway, even if they weren't, I don't think any real work's been done
> beyond speccing out the protocol.

Perhaps a little background is in order heere.

Recently Daniel approached Kefu and myself on IRC having just completed a
project and looking for his next task. Since he had history working in the
Identity Management space we suggested that leveraging his existing talents in
that area may be a good idea and suggested he send an email to the list
sounding out the best people to talk to in regard to that area.

If we have no projects currently that relate to IDM with work under way then I
guess Daniel will need to look in another area?


> -Greg

-- 
Cheers,
Brad
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: LDAP/KRB5 authentication mode

[Gregory Farnum]

On Tue, Jul 19, 2016 at 5:51 PM, Brad Hubbard <bhubbard@redhat.com> wrote:
> On Tue, Jul 19, 2016 at 05:41:20PM -0700, Gregory Farnum wrote:
>> On Tue, Jul 19, 2016 at 5:28 PM, Brad Hubbard <bhubbard@redhat.com> wrote:
>> > On Wed, Jul 20, 2016 at 6:34 AM, Gregory Farnum <gfarnum@redhat.com> wrote:
>> >> On Tue, Jul 19, 2016 at 12:47 PM, Matt Benjamin <mbenjamin@redhat.com> wrote:
>> >>> Hi Daniel,
>> >>>
>> >>> Sorry you haven't gotten a response.  There is work ongoing in the RGW standup related to using LDAP and krb5 (via STS) authentication systems in -RGW-.  Please consider coming to an RGW standup to sync up and discuss (though some details like design writeups of course come to this list).
>> >>>
>> >>> If your interest is in general ceph and ceph messaging, I defer to others and other discussion--e.g., Msgr2.
>> >>
>> >> Yeah, I don't think any work has been done on integrating Kerberos
>> >> into the monitor for log-in and getting ceph tickets etc yet. :(
>> >> -Greg
>> >
>> > I believe Daniel is referring to Msgr2 here.
>> >
>> > Who's the best contact for auth integration work in regards to Msgr2?
>>
>> There are msgr2 features designed to support this, but it's mostly the
>> same thing. Or at least, you certainly aren't going to be checking
>> external-server kerberos tickets every time a client connects to an
>> OSD — if you're running a kerberos server, that client will
>> authenticate on the monitor via kerberos, and then the monitor will
>> give it a ceph-specific thing for connecting to other servers. :)
>>
>> Anyway, even if they weren't, I don't think any real work's been done
>> beyond speccing out the protocol.
>
> Perhaps a little background is in order heere.
>
> Recently Daniel approached Kefu and myself on IRC having just completed a
> project and looking for his next task. Since he had history working in the
> Identity Management space we suggested that leveraging his existing talents in
> that area may be a good idea and suggested he send an email to the list
> sounding out the best people to talk to in regard to that area.
>
> If we have no projects currently that relate to IDM with work under way then I
> guess Daniel will need to look in another area?

Unless he wants to drive the monitor integration? It's not really my
charge, but obviously we have discussed it several times so there's
some guidance available. (Sage and Matt, probably.)

Otherwise, yeah, better find a project that has actual development and
not just design work going on so far. :)
-Greg
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: LDAP/KRB5 authentication mode

[Brad Hubbard]

On Wed, Jul 20, 2016 at 10:54 AM, Gregory Farnum <gfarnum@redhat.com> wrote:
> On Tue, Jul 19, 2016 at 5:51 PM, Brad Hubbard <bhubbard@redhat.com> wrote:
>> On Tue, Jul 19, 2016 at 05:41:20PM -0700, Gregory Farnum wrote:
>>> On Tue, Jul 19, 2016 at 5:28 PM, Brad Hubbard <bhubbard@redhat.com> wrote:
>>> > On Wed, Jul 20, 2016 at 6:34 AM, Gregory Farnum <gfarnum@redhat.com> wrote:
>>> >> On Tue, Jul 19, 2016 at 12:47 PM, Matt Benjamin <mbenjamin@redhat.com> wrote:
>>> >>> Hi Daniel,
>>> >>>
>>> >>> Sorry you haven't gotten a response.  There is work ongoing in the RGW standup related to using LDAP and krb5 (via STS) authentication systems in -RGW-.  Please consider coming to an RGW standup to sync up and discuss (though some details like design writeups of course come to this list).
>>> >>>
>>> >>> If your interest is in general ceph and ceph messaging, I defer to others and other discussion--e.g., Msgr2.
>>> >>
>>> >> Yeah, I don't think any work has been done on integrating Kerberos
>>> >> into the monitor for log-in and getting ceph tickets etc yet. :(
>>> >> -Greg
>>> >
>>> > I believe Daniel is referring to Msgr2 here.
>>> >
>>> > Who's the best contact for auth integration work in regards to Msgr2?
>>>
>>> There are msgr2 features designed to support this, but it's mostly the
>>> same thing. Or at least, you certainly aren't going to be checking
>>> external-server kerberos tickets every time a client connects to an
>>> OSD — if you're running a kerberos server, that client will
>>> authenticate on the monitor via kerberos, and then the monitor will
>>> give it a ceph-specific thing for connecting to other servers. :)
>>>
>>> Anyway, even if they weren't, I don't think any real work's been done
>>> beyond speccing out the protocol.
>>
>> Perhaps a little background is in order heere.
>>
>> Recently Daniel approached Kefu and myself on IRC having just completed a
>> project and looking for his next task. Since he had history working in the
>> Identity Management space we suggested that leveraging his existing talents in
>> that area may be a good idea and suggested he send an email to the list
>> sounding out the best people to talk to in regard to that area.
>>
>> If we have no projects currently that relate to IDM with work under way then I
>> guess Daniel will need to look in another area?
>
> Unless he wants to drive the monitor integration? It's not really my
> charge, but obviously we have discussed it several times so there's
> some guidance available. (Sage and Matt, probably.)
>
> Otherwise, yeah, better find a project that has actual development and
> not just design work going on so far. :)

Thanks for the insight Greg.

> -Greg



-- 
Cheers,
Brad
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html