git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Application Credentials with federated users


Hi Alex,

In my experience it worked fine, with a major limitation about groups.

This, merged in ussri, should have fixed the group issues:
https://bugs.launchpad.net/keystone/+bug/1809116
I had planned on testing that by now, but that work hasn't been
started/agreed yet.

My current workaround for not having groups is for the federation
mapping to add users directly into projects:
https://github.com/RSE-Cambridge/cumulus-config

I planned to map from an OIDC group attribute into a specific concrete
project, but the above puts everyone in a holding project and does
static role assignments, due to issues with group management in the
OIDC provider.

As an aside, this the way were were configuring keystone, incase that
is important to making things work:
https://github.com/RSE-Cambridge/cumulus-kayobe-config/tree/train-preprod/etc/kayobe/kolla/config/keystone
https://github.com/RSE-Cambridge/cumulus-kayobe-config/blob/0dc43a0f5c7b76f6913dea0fdda2b1674511c3f4/etc/kayobe/kolla.yml#L122

Horizon and the CLI tools in train didn't really agree, I think the
auth url is now missing "/v3", but I believe that is fixed in latest
keystoneauth client:
https://bugs.launchpad.net/keystoneauth/+bug/1876317

Hopefully that helps?

Thanks,
John

On Tue, 8 Sep 2020 at 16:33, Alexander Dibbo - UKRI STFC
<alexander.dibbo at stfc.ac.uk> wrote:
>
> Hi All,
>
>
>
> Is it possible for a user logging in via an oidc provider to generate application credentials?
>
>
>
> When I try it I get an error about there being no role for the user in the project.
>
>
>
> We map the users to groups based on assertions in their tokens.
>
>
>
> It looks like it would work if we mapped users individually to local users in keystone and then gave those roles. I would prefer to avoid using per user mappings for this if possible as it would be a lot of extra work for my team.
>
>
>
> Regards
>
>
>
> Alexander Dibbo â?? Cloud Architect / Cloud Operations Group Leader
>
> For STFC Cloud Documentation visit https://stfc-cloud-docs.readthedocs.io
>
> To raise a support ticket with the cloud team please email cloud-support at gridpp.rl.ac.uk
>
> To receive notifications about the service please subscribe to our mailing list at: https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=STFC-CLOUD
>
> To receive fast notifications or to discuss usage of the cloud please join our Slack: https://stfc-cloud.slack.com/
>
>
>
> This email and any attachments are intended solely for the use of the named recipients. If you are not the intended recipient you must not use, disclose, copy or distribute this email or any of its attachments and should notify the sender immediately and delete this email from your system. UK Research and Innovation (UKRI) has taken every reasonable precaution to minimise risk of this email or any attachments containing viruses or malware but the recipient should carry out its own virus and malware checks before opening the attachments. UKRI does not accept any liability for any losses or damages which the recipient may sustain due to presence of any viruses. Opinions, conclusions or other information in this message and attachments that are not related directly to UKRI business are solely those of the author and do not represent the views of UKRI.