Hi,

With SSO enabled you are no longer authenticating against keystone directly, and so your openrc.sh must be crafted to take that into account. For example, this is a snippet from my clouds.yaml for a deployment that is federated with keycloak via oidc:

----8<----8<----
cloud_oidc:
  auth_type: v3oidcpassword
  auth:
    auth_url: https://[redacted]:5000/v3
    discovery_endpoint: https://[redacted]/.well-known/openid-configuration
    identity_provider: oidc
    protocol: openid
    client_id: [redacted]
    client_secret: [redacted]
    project_name: test-project
    project_domain_name: default
    username: [redacted]
    password: [redacted]
----8<----8<----

This can be translated into an openrc.sh script that sets up the proper variables (although I have no example of that on hand). Similar configuration can be done for SAML2-based integration. Additionally, not all third-party tools will work with such authentication, and for them you'll probably have to issue a token and use it instead.

Setting a password for a user in keystone goes against the idea of SSO and introduces the issue of how to reset the keystone password when the one in keycloak is changed (and vice versa). Also, I'm not even sure if it's possible for default federated users (as opposed to "local" federated users, which work a little bit differently).

--
Krzysztof Klimonda
kklimonda@syntaxhighlighted.com

On Wed, Jan 27, 2021, at 12:43, Mohamed Emine IBRAHIM wrote:
hello,
Maybe the user password is not mapped to keystone, so when you create a new user via keycloak you need to set the password manually (openstack user set test2 --password-prompt) and then use the CLI?
On 27/01/2021 10:09, Mark Goddard wrote:
On Tue, 26 Jan 2021 at 17:02, Braden, Albert <C-Albert.Braden@charter.com> wrote:
Another problem I'm encountering with keycloak is that the keycloak users can't log in on the command line. I created user test2 via Keycloak and test3 via CLI. They have identical roles on the admin domain:
(openstack) [root@chrnc-area51-build-01 ~]# os role assignment list --user test2
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                                                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
| 406a5f1cd92d45b5b3d54979235e896c | f4287b6082b8f36048d052eaa3d35facb94e5eff598d59d2aee68252ddb13339 |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
(openstack) [root@chrnc-area51-build-01 ~]# os role assignment list --user test3
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 406a5f1cd92d45b5b3d54979235e896c | 06a5f28d061f4d42b3bf64df378338fd |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
I made identical env-setting "rc" files with only the username changed. Test3 logs in successfully but test2 fails:
(openstack) [root@chrnc-area51-build-01 ~]# . ./test2-openrc.sh
(openstack) [root@chrnc-area51-build-01 ~]# openstack server list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-ad7ee855-df98-434a-9afc-89f64a7addd1)
(openstack) [root@chrnc-area51-build-01 ~]# . ./test3-openrc.sh
(openstack) [root@chrnc-area51-build-01 ~]# openstack server list

(openstack) [root@chrnc-area51-build-01 ~]#
The only obvious difference is the longer UID for the Keycloak users. Do Keycloak-created users require something different in the env? Do I need to change something in Keycloak, to make the Keycloak users work the same as CLI-created users? Where can I look in the database to find the differences between these two users?
I'm no expert on federation, but I understand that you need to use a slightly different method with the CLI. This page has some info: https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.h...
--
Very truly yours, Best wishes
Mohamed Emine IBRAHIM محمد أمين إبراهيم
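The openrc.sh equivalent of the clouds.yaml snippet in Krzysztof's reply, as an added example that is not from any participant in the thread. It assumes openstackclient's standard mapping of keystoneauth plugin options to OS_* environment variables (OS_DISCOVERY_ENDPOINT, OS_IDENTITY_PROVIDER, OS_CLIENT_ID, ...), and uses REPLACE_ME placeholders where the original had [redacted]. The check function (my own, not an openstackclient feature) flags an openrc written for plain password auth, which is what a Keycloak-created user such as test2 hits as the HTTP 401 above; the last function shows the token hand-off for tools that do not understand the OIDC plugin.

```shell
#!/bin/sh
# Added example, not code from the thread: openrc.sh for a keystone deployment
# federated with Keycloak via OIDC, equivalent to the clouds.yaml snippet above.
# REPLACE_ME_* values stand in for the [redacted] values in the original.
# Assumption: openstackclient reads each keystoneauth plugin option --os-<name>
# from the OS_<NAME> environment variable (hyphens become underscores).

# Export the v3oidcpassword plugin options. Source this file, then run the CLI.
oidc_openrc() {
    export OS_IDENTITY_API_VERSION=3
    export OS_AUTH_TYPE=v3oidcpassword
    export OS_AUTH_URL="https://REPLACE_ME_KEYSTONE:5000/v3"
    # Keycloak realm discovery document; keystoneauth takes the token endpoint from it.
    export OS_DISCOVERY_ENDPOINT="https://REPLACE_ME_KEYCLOAK/.well-known/openid-configuration"
    export OS_IDENTITY_PROVIDER=oidc      # identity provider name registered in keystone
    export OS_PROTOCOL=openid             # federation protocol name registered in keystone
    export OS_CLIENT_ID="REPLACE_ME_CLIENT_ID"
    export OS_CLIENT_SECRET="REPLACE_ME_CLIENT_SECRET"
    export OS_USERNAME="REPLACE_ME_USER"          # the Keycloak user, not a keystone user
    export OS_PASSWORD="REPLACE_ME_PASSWORD"      # verified by Keycloak, not by keystone
    export OS_PROJECT_NAME=test-project
    export OS_PROJECT_DOMAIN_NAME=default
    # Leftovers from a password-auth openrc that do not apply to this plugin.
    unset OS_USER_DOMAIN_NAME OS_TOKEN
}

# Fail early if the environment describes plain keystone password auth. A
# Keycloak-created user has no keystone password, so that environment yields
# "The request you have made requires authentication. (HTTP 401)".
oidc_openrc_check() {
    if [ "${OS_AUTH_TYPE:-password}" != "v3oidcpassword" ]; then
        echo "OS_AUTH_TYPE is '${OS_AUTH_TYPE:-password}'; federated users need v3oidcpassword" >&2
        return 1
    fi
    missing=0
    for v in OS_AUTH_URL OS_DISCOVERY_ENDPOINT OS_IDENTITY_PROVIDER OS_PROTOCOL \
             OS_CLIENT_ID OS_CLIENT_SECRET OS_USERNAME OS_PASSWORD \
             OS_PROJECT_NAME OS_PROJECT_DOMAIN_NAME; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing $v" >&2
            missing=1
        fi
    done
    return $missing
}

# For tools that do not support the OIDC plugin: obtain a scoped token once
# through the federated flow and hand them a token-only environment. Not run
# here because it needs a reachable keystone.
oidc_token_env() {
    tok=$(openstack token issue -f value -c id) || return 1
    export OS_AUTH_TYPE=token
    export OS_TOKEN="$tok"
    # Drop the credentials the token-using tool must not see.
    unset OS_USERNAME OS_PASSWORD OS_CLIENT_ID OS_CLIENT_SECRET \
          OS_DISCOVERY_ENDPOINT OS_IDENTITY_PROVIDER OS_PROTOCOL
}
```

Usage: `. ./oidc-openrc.sh && oidc_openrc && oidc_openrc_check && openstack server list`. Keeping the exports in a function rather than at the top level lets the same file carry the check, so a stale password-style environment is reported before the first request instead of surfacing as an opaque 401.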