2023-07-05 19:30:09 |
Corey Bryant |
bug |
|
|
added bug |
2023-07-05 19:33:56 |
Corey Bryant |
description |
While testing the service token support I noticed that the following command was returning a different uuid than the one configured in the various services' [service_user] config section:
openstack user show --domain service_domain -f value -c id nova
The reason is that charm-keystone creates two services projects, one for the service_domain and the other for the Default domain. [1] This is expected, as can be seen from the commit that introduced them [2]. That commit introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.
What we have now:
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = default
user_domain_id = default
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT
What we should have:
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = <uuid of service_domain>
user_domain_id = <uuid of service_domain>
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT
[1] charm-keystone creates two services projects, one for the service_domain, and the other for the Default domain
root@f1:~# openstack project list
+----------------------------------+--------------------------------------------------+
| ID | Name |
+----------------------------------+--------------------------------------------------+
| 2e2dfd384b3c475db46829300cbbbf96 | admin |
| 605138c74dca4d56a6dec2c6d897b5aa | services |
| 9f2c31fb6eda4272acd552d73fe0c703 | tempest-TrafficOperationsScenarioTest-1073829527 |
| b51818605b4d4ef78f44f53c43830e0c | services |
| c8126e3e9461487abe790371304d304b | demoProject |
| fdb19396eb664734bb2804f2d4df12ed | admin |
+----------------------------------+--------------------------------------------------+
root@f1:~# openstack project show 605138c74dca4d56a6dec2c6d897b5aa
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Created by Juju |
| domain_id | 5729b883ec844bc78c7c050fd4e0826e |
| enabled | True |
| id | 605138c74dca4d56a6dec2c6d897b5aa |
| is_domain | False |
| name | services |
| options | {} |
| parent_id | 5729b883ec844bc78c7c050fd4e0826e |
| tags | [] |
+-------------+----------------------------------+
root@f1:~# openstack domain list
+----------------------------------+----------------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------------+---------+--------------------+
| 5009f8b773f74d608ecf029e1a070186 | admin_domain | True | Created by Juju |
| 5729b883ec844bc78c7c050fd4e0826e | service_domain | True | Created by Juju |
| 7c8dbe4036d5479b9ca82328008e147e | demoDomain | True | Demo Domain |
| default | Default | True | The default domain |
+----------------------------------+----------------+---------+--------------------+
root@f1:~# openstack project show b51818605b4d4ef78f44f53c43830e0c
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Created by Juju |
| domain_id | default |
| enabled | True |
| id | b51818605b4d4ef78f44f53c43830e0c |
| is_domain | False |
| name | services |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
These are created in charm-keystone/hooks/keystone_utils.py at:
1641 def _ensure_initial_admin(config):
1642 ...
1653 if get_api_version() > 2:
1654 ...
1661 create_tenant(config("service-tenant"), SERVICE_DOMAIN)
1662 ...
1666 ...
1667 create_tenant(config("service-tenant"), DEFAULT_DOMAIN)
[2] Commit that introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.
commit 5de1770931e886732870da1909f08279a0b804b4
Author: Frode Nordahl <frode.nordahl@canonical.com>
Date: Wed Nov 2 13:21:07 2016 +0100
Create service credentials in SERVICE_DOMAIN
Cleanup code that references users, projects or domains without
necessary scoping or filtering throughout the charm. Add logging
of domain name in contexts where this is relevant.
Tighten rule:service_role to require role:service and token scoped
to project config('service-tenant') created in SERVICE_DOMAIN. This
ensures that if you have a deployment with end-user access to assign
roles within their own domains they will not gain privileged access
simply by assigning the service role to one of their own users.
Allow users authorized by rule:service_role to perform
identity:list_projects. This is required to allow Ceilometer
to operate without Admin privileges.
Services are given a user in project config('service-tenant') in
SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka
Keystone v3 policy the 'service' role is sufficient for services to
validate tokens.
Services are also given a user in project config('service-tenant') in
DEFAULT_DOMAIN to support services still configured with v2.0
authentication / authorization.
This will allow us to transition from v2.0 based authentication /
authorization and existing services and charms will continue to
operate as before. This will also allow the end-user to roll their
deployment up to api_version 3 and back to api_version 2 as needed.
Services and charms that have made the transition to fully use the
v3 API for authentication and authorization will gain full access to
domains and projects across the deployment. The first charm to make
use of this is charm-ceilometer.
Closes-Bug: 1636098
Change-Id: If1518029c43476a5e14bf94596197eabe663499c |
While testing the service token support I noticed that the following command was returning a different uuid than the one configured in the various services' [service_user] config section:
openstack user show --domain service_domain -f value -c id nova
The reason is that charm-keystone creates two service users, one for the service_domain and the other for the Default domain. [1] This is expected, as can be seen from the commit that introduced them [2]. That commit introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.
What we have now:
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = default
user_domain_id = default
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT
What we should have:
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = <uuid of service_domain>
user_domain_id = <uuid of service_domain>
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT
[1] charm-keystone creates two services projects, one for the service_domain, and the other for the Default domain
root@f1:~# openstack user list --domain service_domain
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| b14d94f1594743198d1c7c3be722a1c4 | nova |
| 5ce32364e6a043ad9642f747a2e380de | glance |
| 0ae3b2494e7d4918956ef44852a8a604 | cinderv3 |
| ed3ba0b081e641d0906d517ca99c37ff | placement |
| ad43075877b0422999f7971f2ca772b1 | neutron |
+----------------------------------+-----------+
root@f1:~# openstack user list --domain Default
+----------------------------------+-----------------------+
| ID | Name |
+----------------------------------+-----------------------+
| 2a93390dae55464cbec6e6e0e7a98734 | _charm-keystone-admin |
| 1eabe59fe8f54e24a503213de7c06ec2 | nova |
| 6fd21eba472b4451a261625aefd79cbc | glance |
| b72ef27dd14d409ba8341b565ea718fb | cinderv3 |
| 9298849a6c694e079111a3ccab8e9c25 | placement |
| 5d4e45bdfa8a4a738689ab6cb0576f33 | neutron |
+----------------------------------+-----------------------+
root@f1:~# openstack project list
+----------------------------------+--------------------------------------------------+
| ID | Name |
+----------------------------------+--------------------------------------------------+
| 2e2dfd384b3c475db46829300cbbbf96 | admin |
| 605138c74dca4d56a6dec2c6d897b5aa | services |
| 9f2c31fb6eda4272acd552d73fe0c703 | tempest-TrafficOperationsScenarioTest-1073829527 |
| b51818605b4d4ef78f44f53c43830e0c | services |
| c8126e3e9461487abe790371304d304b | demoProject |
| fdb19396eb664734bb2804f2d4df12ed | admin |
+----------------------------------+--------------------------------------------------+
root@f1:~# openstack project show 605138c74dca4d56a6dec2c6d897b5aa
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Created by Juju |
| domain_id | 5729b883ec844bc78c7c050fd4e0826e |
| enabled | True |
| id | 605138c74dca4d56a6dec2c6d897b5aa |
| is_domain | False |
| name | services |
| options | {} |
| parent_id | 5729b883ec844bc78c7c050fd4e0826e |
| tags | [] |
+-------------+----------------------------------+
root@f1:~# openstack domain list
+----------------------------------+----------------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------------+---------+--------------------+
| 5009f8b773f74d608ecf029e1a070186 | admin_domain | True | Created by Juju |
| 5729b883ec844bc78c7c050fd4e0826e | service_domain | True | Created by Juju |
| 7c8dbe4036d5479b9ca82328008e147e | demoDomain | True | Demo Domain |
| default | Default | True | The default domain |
+----------------------------------+----------------+---------+--------------------+
root@f1:~# openstack project show b51818605b4d4ef78f44f53c43830e0c
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Created by Juju |
| domain_id | default |
| enabled | True |
| id | b51818605b4d4ef78f44f53c43830e0c |
| is_domain | False |
| name | services |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
These are created in charm-keystone/hooks/keystone_utils.py at:
1641 def _ensure_initial_admin(config):
1642 ...
1653 if get_api_version() > 2:
1654 ...
1661 create_tenant(config("service-tenant"), SERVICE_DOMAIN)
1662 ...
1666 ...
1667 create_tenant(config("service-tenant"), DEFAULT_DOMAIN)
[2] Commit that introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.
commit 5de1770931e886732870da1909f08279a0b804b4
Author: Frode Nordahl <frode.nordahl@canonical.com>
Date: Wed Nov 2 13:21:07 2016 +0100
Create service credentials in SERVICE_DOMAIN
Cleanup code that references users, projects or domains without
necessary scoping or filtering throughout the charm. Add logging
of domain name in contexts where this is relevant.
Tighten rule:service_role to require role:service and token scoped
to project config('service-tenant') created in SERVICE_DOMAIN. This
ensures that if you have a deployment with end-user access to assign
roles within their own domains they will not gain privileged access
simply by assigning the service role to one of their own users.
Allow users authorized by rule:service_role to perform
identity:list_projects. This is required to allow Ceilometer
to operate without Admin privileges.
Services are given a user in project config('service-tenant') in
SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka
Keystone v3 policy the 'service' role is sufficient for services to
validate tokens.
Services are also given a user in project config('service-tenant') in
DEFAULT_DOMAIN to support services still configured with v2.0
authentication / authorization.
This will allow us to transition from v2.0 based authentication /
authorization and existing services and charms will continue to
operate as before. This will also allow the end-user to roll their
deployment up to api_version 3 and back to api_version 2 as needed.
Services and charms that have made the transition to fully use the
v3 API for authentication and authorization will gain full access to
domains and projects across the deployment. The first charm to make
use of this is charm-ceilometer.
Closes-Bug: 1636098
Change-Id: If1518029c43476a5e14bf94596197eabe663499c |
|
2023-07-05 19:34:43 |
Corey Bryant |
description |
While testing the service token support I noticed that the following command was returning a different uuid than the one configured in the various services' [service_user] config section:
openstack user show --domain service_domain -f value -c id nova
The reason is that charm-keystone creates two service users, one for the service_domain and the other for the Default domain. [1] This is expected, as can be seen from the commit that introduced them [2]. That commit introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.
What we have now:
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = default
user_domain_id = default
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT
What we should have:
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = <uuid of service_domain>
user_domain_id = <uuid of service_domain>
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT
[1] charm-keystone creates two services users/projects, one for the service_domain, and the other for the Default domain
root@f1:~# openstack user list --domain service_domain
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| b14d94f1594743198d1c7c3be722a1c4 | nova |
| 5ce32364e6a043ad9642f747a2e380de | glance |
| 0ae3b2494e7d4918956ef44852a8a604 | cinderv3 |
| ed3ba0b081e641d0906d517ca99c37ff | placement |
| ad43075877b0422999f7971f2ca772b1 | neutron |
+----------------------------------+-----------+
root@f1:~# openstack user list --domain Default
+----------------------------------+-----------------------+
| ID | Name |
+----------------------------------+-----------------------+
| 2a93390dae55464cbec6e6e0e7a98734 | _charm-keystone-admin |
| 1eabe59fe8f54e24a503213de7c06ec2 | nova |
| 6fd21eba472b4451a261625aefd79cbc | glance |
| b72ef27dd14d409ba8341b565ea718fb | cinderv3 |
| 9298849a6c694e079111a3ccab8e9c25 | placement |
| 5d4e45bdfa8a4a738689ab6cb0576f33 | neutron |
+----------------------------------+-----------------------+
root@f1:~# openstack project list
+----------------------------------+--------------------------------------------------+
| ID | Name |
+----------------------------------+--------------------------------------------------+
| 2e2dfd384b3c475db46829300cbbbf96 | admin |
| 605138c74dca4d56a6dec2c6d897b5aa | services |
| 9f2c31fb6eda4272acd552d73fe0c703 | tempest-TrafficOperationsScenarioTest-1073829527 |
| b51818605b4d4ef78f44f53c43830e0c | services |
| c8126e3e9461487abe790371304d304b | demoProject |
| fdb19396eb664734bb2804f2d4df12ed | admin |
+----------------------------------+--------------------------------------------------+
root@f1:~# openstack project show 605138c74dca4d56a6dec2c6d897b5aa
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Created by Juju |
| domain_id | 5729b883ec844bc78c7c050fd4e0826e |
| enabled | True |
| id | 605138c74dca4d56a6dec2c6d897b5aa |
| is_domain | False |
| name | services |
| options | {} |
| parent_id | 5729b883ec844bc78c7c050fd4e0826e |
| tags | [] |
+-------------+----------------------------------+
root@f1:~# openstack domain list
+----------------------------------+----------------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------------+---------+--------------------+
| 5009f8b773f74d608ecf029e1a070186 | admin_domain | True | Created by Juju |
| 5729b883ec844bc78c7c050fd4e0826e | service_domain | True | Created by Juju |
| 7c8dbe4036d5479b9ca82328008e147e | demoDomain | True | Demo Domain |
| default | Default | True | The default domain |
+----------------------------------+----------------+---------+--------------------+
root@f1:~# openstack project show b51818605b4d4ef78f44f53c43830e0c
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Created by Juju |
| domain_id | default |
| enabled | True |
| id | b51818605b4d4ef78f44f53c43830e0c |
| is_domain | False |
| name | services |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
These are created in charm-keystone/hooks/keystone_utils.py at:
1641 def _ensure_initial_admin(config):
1642 ...
1653 if get_api_version() > 2:
1654 ...
1661 create_tenant(config("service-tenant"), SERVICE_DOMAIN)
1662 ...
1666 ...
1667 create_tenant(config("service-tenant"), DEFAULT_DOMAIN)
[2] Commit that introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.
commit 5de1770931e886732870da1909f08279a0b804b4
Author: Frode Nordahl <frode.nordahl@canonical.com>
Date: Wed Nov 2 13:21:07 2016 +0100
Create service credentials in SERVICE_DOMAIN
Cleanup code that references users, projects or domains without
necessary scoping or filtering throughout the charm. Add logging
of domain name in contexts where this is relevant.
Tighten rule:service_role to require role:service and token scoped
to project config('service-tenant') created in SERVICE_DOMAIN. This
ensures that if you have a deployment with end-user access to assign
roles within their own domains they will not gain privileged access
simply by assigning the service role to one of their own users.
Allow users authorized by rule:service_role to perform
identity:list_projects. This is required to allow Ceilometer
to operate without Admin privileges.
Services are given a user in project config('service-tenant') in
SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka
Keystone v3 policy the 'service' role is sufficient for services to
validate tokens.
Services are also given a user in project config('service-tenant') in
DEFAULT_DOMAIN to support services still configured with v2.0
authentication / authorization.
This will allow us to transition from v2.0 based authentication /
authorization and existing services and charms will continue to
operate as before. This will also allow the end-user to roll their
deployment up to api_version 3 and back to api_version 2 as needed.
Services and charms that have made the transition to fully use the
v3 API for authentication and authorization will gain full access to
domains and projects across the deployment. The first charm to make
use of this is charm-ceilometer.
Closes-Bug: 1636098
Change-Id: If1518029c43476a5e14bf94596197eabe663499c |
|
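As an added check (not code from the bug report or from charm-keystone), the following Python script resolves which Keystone user and project a [service_user] section actually selects, using an identity directory reconstructed from the `openstack domain/user/project list` output in the report, and rewrites both *_domain_id options to the service_domain uuid. The directory, the placeholder password and the resolver are constructed stand-ins; a real deployment would query Keystone instead.

```python
"""Resolve the identity a [service_user] section authenticates as.

Added example for the charm-keystone service_user domain mismatch; the
ids below are copied from the bug report's tables, everything else is
constructed.
"""
import configparser
import io

# Keystone addresses the default domain by the literal id "default".
DOMAINS = {
    "5729b883ec844bc78c7c050fd4e0826e": "service_domain",
    "default": "Default",
}
USERS = {  # (domain name, user name) -> user id
    ("service_domain", "nova"): "b14d94f1594743198d1c7c3be722a1c4",
    ("service_domain", "cinderv3"): "0ae3b2494e7d4918956ef44852a8a604",
    ("Default", "nova"): "1eabe59fe8f54e24a503213de7c06ec2",
    ("Default", "cinderv3"): "b72ef27dd14d409ba8341b565ea718fb",
}
PROJECTS = {  # (domain name, project name) -> project id
    ("service_domain", "services"): "605138c74dca4d56a6dec2c6d897b5aa",
    ("Default", "services"): "b51818605b4d4ef78f44f53c43830e0c",
}

# The "what we have now" section from the report; the password is a
# constructed placeholder.
CURRENT_CONF = """\
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = default
user_domain_id = default
project_name = services
username = cinderv3
password = <placeholder>
"""


def _parse(conf_text):
    # interpolation=None so a '%' in a password is not treated as a template.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def _domain_name(section, key):
    """Map a *_domain_id option to a domain name via the directory."""
    domain_id = section.get(key)
    name = DOMAINS.get(domain_id)
    if name is None:
        raise LookupError(f"{key}={domain_id!r} is not a known domain id")
    return name


def resolve_service_user(conf_text):
    """Return the principal the section selects.

    Keystone scopes username by user_domain_id and project_name by
    project_domain_id, so the same names map to different ids in
    service_domain and in Default."""
    s = _parse(conf_text)["service_user"]
    user_domain = _domain_name(s, "user_domain_id")
    project_domain = _domain_name(s, "project_domain_id")
    try:
        user_id = USERS[(user_domain, s["username"])]
        project_id = PROJECTS[(project_domain, s["project_name"])]
    except KeyError as exc:
        raise LookupError(f"no such user/project: {exc.args[0]}") from None
    return {"user_domain": user_domain, "user_id": user_id,
            "project_domain": project_domain, "project_id": project_id}


def check_service_user(conf_text, expected_domain="service_domain"):
    """Return findings; an empty list means the section selects the v3
    service identity the charm created in expected_domain."""
    r = resolve_service_user(conf_text)
    findings = []
    if r["user_domain"] != expected_domain:
        findings.append(f"user resolves to {r['user_id']} in "
                        f"{r['user_domain']}, not {expected_domain}")
    if r["project_domain"] != expected_domain:
        findings.append(f"project resolves to {r['project_id']} in "
                        f"{r['project_domain']}, not {expected_domain}")
    return findings


def fix_service_user(conf_text, service_domain_id):
    """Rewrite both *_domain_id options to the service domain's uuid."""
    cp = _parse(conf_text)
    cp["service_user"]["project_domain_id"] = service_domain_id
    cp["service_user"]["user_domain_id"] = service_domain_id
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for finding in check_service_user(CURRENT_CONF):
        print("finding:", finding)
    fixed = fix_service_user(CURRENT_CONF, "5729b883ec844bc78c7c050fd4e0826e")
    print(fixed)
    print("after fix:", check_service_user(fixed) or "ok")
```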
2023-07-05 19:45:56 |
Corey Bryant |
description |
While testing the service token support I noticed that the following command was returning a different uuid than the one configured in the various services' [service_user] config section:
openstack user show --domain service_domain -f value -c id nova
The reason why is because charm-keystone creates two service users, one for the service_domain, and the other for the Default domain. [1] This is expected as can be seen by the commit that introduced them [2]. That commit introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another in user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.
What we have now:
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = default
user_domain_id = default
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT
What we should have:
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = <uuid of service_domain>
user_domain_id = <uuid of service_domain>
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT
[1] charm-keystone creates two services users/projects, one for the service_domain, and the other for the Default domain
root@f1:~# openstack user list --domain service_domain
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| b14d94f1594743198d1c7c3be722a1c4 | nova |
| 5ce32364e6a043ad9642f747a2e380de | glance |
| 0ae3b2494e7d4918956ef44852a8a604 | cinderv3 |
| ed3ba0b081e641d0906d517ca99c37ff | placement |
| ad43075877b0422999f7971f2ca772b1 | neutron |
+----------------------------------+-----------+
root@f1:~# openstack user list --domain Default
+----------------------------------+-----------------------+
| ID | Name |
+----------------------------------+-----------------------+
| 2a93390dae55464cbec6e6e0e7a98734 | _charm-keystone-admin |
| 1eabe59fe8f54e24a503213de7c06ec2 | nova |
| 6fd21eba472b4451a261625aefd79cbc | glance |
| b72ef27dd14d409ba8341b565ea718fb | cinderv3 |
| 9298849a6c694e079111a3ccab8e9c25 | placement |
| 5d4e45bdfa8a4a738689ab6cb0576f33 | neutron |
+----------------------------------+-----------------------+
root@f1:~# openstack project list
+----------------------------------+--------------------------------------------------+
| ID | Name |
+----------------------------------+--------------------------------------------------+
| 2e2dfd384b3c475db46829300cbbbf96 | admin |
| 605138c74dca4d56a6dec2c6d897b5aa | services |
| 9f2c31fb6eda4272acd552d73fe0c703 | tempest-TrafficOperationsScenarioTest-1073829527 |
| b51818605b4d4ef78f44f53c43830e0c | services |
| c8126e3e9461487abe790371304d304b | demoProject |
| fdb19396eb664734bb2804f2d4df12ed | admin |
+----------------------------------+--------------------------------------------------+
root@f1:~# openstack project show 605138c74dca4d56a6dec2c6d897b5aa
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Created by Juju |
| domain_id | 5729b883ec844bc78c7c050fd4e0826e |
| enabled | True |
| id | 605138c74dca4d56a6dec2c6d897b5aa |
| is_domain | False |
| name | services |
| options | {} |
| parent_id | 5729b883ec844bc78c7c050fd4e0826e |
| tags | [] |
+-------------+----------------------------------+
root@f1:~# openstack domain list
+----------------------------------+----------------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------------+---------+--------------------+
| 5009f8b773f74d608ecf029e1a070186 | admin_domain | True | Created by Juju |
| 5729b883ec844bc78c7c050fd4e0826e | service_domain | True | Created by Juju |
| 7c8dbe4036d5479b9ca82328008e147e | demoDomain | True | Demo Domain |
| default | Default | True | The default domain |
+----------------------------------+----------------+---------+--------------------+
root@f1:~# openstack project show b51818605b4d4ef78f44f53c43830e0c
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Created by Juju |
| domain_id | default |
| enabled | True |
| id | b51818605b4d4ef78f44f53c43830e0c |
| is_domain | False |
| name | services |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
These are created in charm-keystone/hooks/keystone_utils.py at:
1641 def _ensure_initial_admin(config):
1642 ...
1653 if get_api_version() > 2:
1654 ...
1661 create_tenant(config("service-tenant"), SERVICE_DOMAIN)
1662 ...
1666 ...
1667 create_tenant(config("service-tenant"), DEFAULT_DOMAIN)
[2] Commit that introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.
commit 5de1770931e886732870da1909f08279a0b804b4
Author: Frode Nordahl <frode.nordahl@canonical.com>
Date: Wed Nov 2 13:21:07 2016 +0100
Create service credentials in SERVICE_DOMAIN
Cleanup code that references users, projects or domains without
necessary scoping or filtering throughout the charm. Add logging
of domain name in contexts where this is relevant.
Tighten rule:service_role to require role:service and token scoped
to project config('service-tenant') created in SERVICE_DOMAIN. This
ensures that if you have a deployment with end-user access to assign
roles within their own domains they will not gain privileged access
simply by assigning the service role to one of their own users.
Allow users authorized by rule:service_role to perform
identity:list_projects. This is required to allow Ceilometer
to operate without Admin privileges.
Services are given a user in project config('service-tenant') in
SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka
Keystone v3 policy the 'service' role is sufficient for services to
validate tokens.
Services are also given a user in project config('service-tenant') in
DEFAULT_DOMAIN to support services still configured with v2.0
authentication / authorization.
This will allow us to transition from v2.0 based authentication /
authorization and existing services and charms will continue to
operate as before. This will also allow the end-user to roll their
deployment up to api_version 3 and back to api_version 2 as needed.
Services and charms that have made the transition to fully use the
v3 API for authentication and authorization will gain full access to
domains and projects across the deployment. The first charm to make
use of this is charm-ceilometer.
Closes-Bug: 1636098
Change-Id: If1518029c43476a5e14bf94596197eabe663499c |
While testing the service token support I noticed that the following command was returning a different uuid than the one configured in the various services' [service_user] config section:
openstack user show --domain service_domain -f value -c id nova
The reason why is because charm-keystone creates two service users, one for the service_domain, and the other for the Default domain. [1] This is expected as can be seen by the commit that introduced them [2]. That commit introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.
What we have now:
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = default
user_domain_id = default
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT
What we should have:
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_name = service_domain
user_domain_name = service_domain
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT
[1] charm-keystone creates two service users/projects, one for the service_domain, and the other for the Default domain
root@f1:~# openstack user list --domain service_domain
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| b14d94f1594743198d1c7c3be722a1c4 | nova |
| 5ce32364e6a043ad9642f747a2e380de | glance |
| 0ae3b2494e7d4918956ef44852a8a604 | cinderv3 |
| ed3ba0b081e641d0906d517ca99c37ff | placement |
| ad43075877b0422999f7971f2ca772b1 | neutron |
+----------------------------------+-----------+
root@f1:~# openstack user list --domain Default
+----------------------------------+-----------------------+
| ID | Name |
+----------------------------------+-----------------------+
| 2a93390dae55464cbec6e6e0e7a98734 | _charm-keystone-admin |
| 1eabe59fe8f54e24a503213de7c06ec2 | nova |
| 6fd21eba472b4451a261625aefd79cbc | glance |
| b72ef27dd14d409ba8341b565ea718fb | cinderv3 |
| 9298849a6c694e079111a3ccab8e9c25 | placement |
| 5d4e45bdfa8a4a738689ab6cb0576f33 | neutron |
+----------------------------------+-----------------------+
root@f1:~# openstack project list
+----------------------------------+--------------------------------------------------+
| ID | Name |
+----------------------------------+--------------------------------------------------+
| 2e2dfd384b3c475db46829300cbbbf96 | admin |
| 605138c74dca4d56a6dec2c6d897b5aa | services |
| 9f2c31fb6eda4272acd552d73fe0c703 | tempest-TrafficOperationsScenarioTest-1073829527 |
| b51818605b4d4ef78f44f53c43830e0c | services |
| c8126e3e9461487abe790371304d304b | demoProject |
| fdb19396eb664734bb2804f2d4df12ed | admin |
+----------------------------------+--------------------------------------------------+
root@f1:~# openstack project show 605138c74dca4d56a6dec2c6d897b5aa
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Created by Juju |
| domain_id | 5729b883ec844bc78c7c050fd4e0826e |
| enabled | True |
| id | 605138c74dca4d56a6dec2c6d897b5aa |
| is_domain | False |
| name | services |
| options | {} |
| parent_id | 5729b883ec844bc78c7c050fd4e0826e |
| tags | [] |
+-------------+----------------------------------+
root@f1:~# openstack domain list
+----------------------------------+----------------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------------+---------+--------------------+
| 5009f8b773f74d608ecf029e1a070186 | admin_domain | True | Created by Juju |
| 5729b883ec844bc78c7c050fd4e0826e | service_domain | True | Created by Juju |
| 7c8dbe4036d5479b9ca82328008e147e | demoDomain | True | Demo Domain |
| default | Default | True | The default domain |
+----------------------------------+----------------+---------+--------------------+
root@f1:~# openstack project show b51818605b4d4ef78f44f53c43830e0c
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Created by Juju |
| domain_id | default |
| enabled | True |
| id | b51818605b4d4ef78f44f53c43830e0c |
| is_domain | False |
| name | services |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
These are created in charm-keystone/hooks/keystone_utils.py at:
1641 def _ensure_initial_admin(config):
1642 ...
1653 if get_api_version() > 2:
1654 ...
1661 create_tenant(config("service-tenant"), SERVICE_DOMAIN)
1662 ...
1666 ...
1667 create_tenant(config("service-tenant"), DEFAULT_DOMAIN)
[2] Commit that introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.
commit 5de1770931e886732870da1909f08279a0b804b4
Author: Frode Nordahl <frode.nordahl@canonical.com>
Date: Wed Nov 2 13:21:07 2016 +0100
Create service credentials in SERVICE_DOMAIN
Cleanup code that references users, projects or domains without
necessary scoping or filtering throughout the charm. Add logging
of domain name in contexts where this is relevant.
Tighten rule:service_role to require role:service and token scoped
to project config('service-tenant') created in SERVICE_DOMAIN. This
ensures that if you have a deployment with end-user access to assign
roles within their own domains they will not gain privileged access
simply by assigning the service role to one of their own users.
Allow users authorized by rule:service_role to perform
identity:list_projects. This is required to allow Ceilometer
to operate without Admin privileges.
Services are given a user in project config('service-tenant') in
SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka
Keystone v3 policy the 'service' role is sufficient for services to
validate tokens.
Services are also given a user in project config('service-tenant') in
DEFAULT_DOMAIN to support services still configured with v2.0
authentication / authorization.
This will allow us to transition from v2.0 based authentication /
authorization and existing services and charms will continue to
operate as before. This will also allow the end-user to roll their
deployment up to api_version 3 and back to api_version 2 as needed.
Services and charms that have made the transition to fully use the
v3 API for authentication and authorization will gain full access to
domains and projects across the deployment. The first charm to make
use of this is charm-ceilometer.
Closes-Bug: 1636098
Change-Id: If1518029c43476a5e14bf94596197eabe663499c |
|
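As an added illustration of why `openstack user show --domain service_domain` and the configured [service_user] section disagree (this is example code written for this page, not part of charm-keystone or of the bug report), the script below parses the "what we have now" and "what we should have" sections from the description and resolves each against a constructed inventory built from the domain, user and project ids listed above (passwords omitted). The lookup rule it mirrors is keystoneauth's password plugin behaviour: a `*_domain_id` value is used literally, a `*_domain_name` value is translated through the domain list, and `default` is the literal id of the Default domain, so `user_domain_id = default` selects the Default-domain service user rather than the one in service_domain. The helper names `domain_id_for`, `resolve_service_user` and `audit_service_user` are hypothetical.

```python
import configparser

# Constructed inventory, copied from the `openstack domain list` output in the
# bug report: domain id -> domain name.
DOMAINS = {
    "default": "Default",
    "5729b883ec844bc78c7c050fd4e0826e": "service_domain",
    "5009f8b773f74d608ecf029e1a070186": "admin_domain",
}

# Constructed inventory, from `openstack user list --domain ...` in the report:
# (domain id, user name) -> user id. Only the cinderv3 rows are needed here.
USERS = {
    ("5729b883ec844bc78c7c050fd4e0826e", "cinderv3"): "0ae3b2494e7d4918956ef44852a8a604",
    ("default", "cinderv3"): "b72ef27dd14d409ba8341b565ea718fb",
}

# Constructed inventory, from `openstack project list` / `project show`:
# (domain id, project name) -> project id.
PROJECTS = {
    ("5729b883ec844bc78c7c050fd4e0826e", "services"): "605138c74dca4d56a6dec2c6d897b5aa",
    ("default", "services"): "b51818605b4d4ef78f44f53c43830e0c",
}

# The two [service_user] sections from the report (password left out).
CONFIG_NOW = """
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = default
user_domain_id = default
project_name = services
username = cinderv3
"""

CONFIG_FIXED = """
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_name = service_domain
user_domain_name = service_domain
project_name = services
username = cinderv3
"""


def domain_id_for(section, prefix):
    """Return the domain id selected by <prefix>_domain_id / <prefix>_domain_name.

    An explicit id is used as-is (after checking it exists); otherwise the name
    is translated through the domain list. "default" is the literal id of the
    Default domain, which is why `user_domain_id = default` lands there.
    """
    explicit_id = section.get(f"{prefix}_domain_id")
    if explicit_id:
        if explicit_id not in DOMAINS:
            raise LookupError(f"unknown domain id {explicit_id!r}")
        return explicit_id
    name = section.get(f"{prefix}_domain_name")
    for did, dname in DOMAINS.items():
        if dname == name:
            return did
    raise LookupError(f"no {prefix} domain configured, or name {name!r} not found")


def resolve_service_user(config_text):
    """Parse a [service_user] section and return what it actually selects.

    Returns (user_id, user_domain_name, project_id, project_domain_name).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    sec = cp["service_user"]
    user_dom = domain_id_for(sec, "user")
    proj_dom = domain_id_for(sec, "project")
    user_id = USERS[(user_dom, sec["username"])]
    project_id = PROJECTS[(proj_dom, sec["project_name"])]
    return user_id, DOMAINS[user_dom], project_id, DOMAINS[proj_dom]


def audit_service_user(config_text, expected_domain="service_domain"):
    """Flag a [service_user] section whose user or project sits outside expected_domain.

    Returns (ok, findings); findings is a list of human-readable strings.
    """
    user_id, user_dom, project_id, proj_dom = resolve_service_user(config_text)
    findings = []
    if user_dom != expected_domain:
        findings.append(f"user resolves to {user_id} in domain {user_dom}, expected {expected_domain}")
    if proj_dom != expected_domain:
        findings.append(f"project resolves to {project_id} in domain {proj_dom}, expected {expected_domain}")
    return not findings, findings


if __name__ == "__main__":
    for label, cfg in (("now", CONFIG_NOW), ("fixed", CONFIG_FIXED)):
        ok, findings = audit_service_user(cfg)
        print(label, "OK" if ok else "MISMATCH", *findings, sep="\n  ")
```

Run against the "now" section the audit reports both the user and the project resolving into Default (user id b72ef27d...), which is the id the service was actually authenticating with; against the "should have" section it resolves to the service_domain user (0ae3b249...) and project (605138c7...) and passes. Against a live cloud the three inventory dicts would be replaced by the corresponding `openstack` list calls.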
2023-07-05 23:18:52 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |