RE: [EXTERNAL] Re: [kolla][keystone] Another keycloak issue
Another problem I'm encountering with keycloak is that the keycloak users can't log in on the command line. I created user test2 via Keycloak and test3 via CLI. They have identical roles on the admin domain:

(openstack) [root@chrnc-area51-build-01 ~]# os role assignment list --user test2
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                                                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
| 406a5f1cd92d45b5b3d54979235e896c | f4287b6082b8f36048d052eaa3d35facb94e5eff598d59d2aee68252ddb13339 |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
(openstack) [root@chrnc-area51-build-01 ~]# os role assignment list --user test3
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 406a5f1cd92d45b5b3d54979235e896c | 06a5f28d061f4d42b3bf64df378338fd |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+

I made identical env-setting "rc" files with only the username changed. Test3 logs in successfully but test2 fails:

(openstack) [root@chrnc-area51-build-01 ~]# . ./test2-openrc.sh
(openstack) [root@chrnc-area51-build-01 ~]# openstack server list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-ad7ee855-df98-434a-9afc-89f64a7addd1)
(openstack) [root@chrnc-area51-build-01 ~]# . ./test3-openrc.sh
(openstack) [root@chrnc-area51-build-01 ~]# openstack server list

(openstack) [root@chrnc-area51-build-01 ~]#

The only obvious difference is the longer UID for the Keycloak users. Do Keycloak-created users require something different in the env? Do I need to change something in Keycloak, to make the Keycloak users work the same as CLI-created users? Where can I look in the database to find the differences between these two users?

RC files:

(openstack) [root@chrnc-area51-build-01 ~]# cat test2-openrc.sh
# Clear any old environment that may conflict.
for key in $( set | awk '{FS="="} /^OS_/ {print $1}' ); do unset $key ; done
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=test2
export OS_TENANT_NAME=test2
export OS_USERNAME=test2
export OS_PASSWORD=<password>
export OS_AUTH_URL=http://192.168.0.10:35357/v3
export OS_INTERFACE=internal
export OS_ENDPOINT_TYPE=internalURL
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=chrnc-area51-01
export OS_AUTH_PLUGIN=password
export OS_CACERT=/etc/kolla/certificates/openstack.area51.dev.chtrse.com.pem

(openstack) [root@chrnc-area51-build-01 ~]# cat test3-openrc.sh
# Clear any old environment that may conflict.
for key in $( set | awk '{FS="="} /^OS_/ {print $1}' ); do unset $key ; done
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=test
export OS_TENANT_NAME=test
export OS_USERNAME=test3
export OS_PASSWORD=<password>
export OS_AUTH_URL=http://192.168.0.10:35357/v3
export OS_INTERFACE=internal
export OS_ENDPOINT_TYPE=internalURL
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=chrnc-area51-01
export OS_AUTH_PLUGIN=password
export OS_CACERT=/etc/kolla/certificates/openstack.area51.dev.chtrse.com.pem
On Tue, 26 Jan 2021 at 17:02, Braden, Albert <C-Albert.Braden@charter.com> wrote:
I'm no expert on federation, but I understand that you need to use a slightly different method with the CLI. This page has some info: https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.h...
hello,

Maybe the user password is not mapped to keystone, so when you create a new user via keycloak you need to set the password manually (openstack user set test2 --password-prompt) and then use the CLI ?

On 27/01/2021 10:09, Mark Goddard wrote:
--
Very truly yours, أطيب التمنيات
Mohamed Emine IBRAHIM محمد أمين إبراهيم
Hi,

With SSO enabled you are no longer authenticating against keystone directly, and so your openrc.sh must be crafted to take that into account. For example, this is a snippet from my clouds.yaml for a deployment that is federated with keycloak via oidc:

----8<----8<----
cloud_oidc:
  auth_type: v3oidcpassword
  auth:
    auth_url: https://[redacted]:5000/v3
    discovery_endpoint: https://[redacted]/.well-known/openid-configuration
    identity_provider: oidc
    protocol: openid
    client_id: [redacted]
    client_secret: [redacted]
    project_name: test-project
    project_domain_name: default
    username: [redacted]
    password: [redacted]
----8<----8<----

This can be translated into an openrc.sh script that sets up the proper variables (although I have no example of that on hand). Similar configuration can be done for SAML2-based integration.

Additionally, not all third-party tools will work with such authentication, and for them you'll probably have to issue a token and use it instead.

Setting a password for a user in keystone goes against the idea of SSO and introduces the issue of how to reset the keystone password when the one in keycloak is changed (and vice versa). Also I'm not even sure if it's possible for default federated users (as opposed to "local" federated users, which work a little bit differently).

--
Krzysztof Klimonda
kklimonda@syntaxhighlighted.com

On Wed, Jan 27, 2021, at 12:43, Mohamed Emine IBRAHIM wrote:
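As an added example (not code from any message in this thread): the openrc.sh counterpart of the v3oidcpassword clouds.yaml snippet Krzysztof describes, plus a pre-flight check that fails fast when a federated user is sourced with the plain password plugin, which is what produces the HTTP 401 Albert reports. Every host name, realm path, client id, secret and password below is a placeholder; the OS_* variable names are the environment equivalents of keystoneauth's v3oidcpassword options (auth-type, discovery-endpoint, identity-provider, protocol, client-id, client-secret, openid-scope) as I know them, and check_federated_env is a helper written for this example.

```shell
#!/bin/sh
# Added example, not from the thread: openrc for a Keycloak-federated user that
# authenticates through keystoneauth's v3oidcpassword plugin. Placeholders only.

# Clear any old OS_* variables that might conflict with the federated settings.
for key in $(env | awk -F= '/^OS_/ {print $1}'); do unset "$key"; done

# Federated auth: the CLI obtains an OIDC access token from Keycloak with the
# user's Keycloak credentials, then exchanges it for a Keystone token. No
# Keystone-local password is involved, which is the point of SSO.
export OS_AUTH_TYPE=v3oidcpassword
export OS_AUTH_URL=https://keystone.example.com:5000/v3
export OS_DISCOVERY_ENDPOINT=https://keycloak.example.com/auth/realms/openstack/.well-known/openid-configuration
export OS_IDENTITY_PROVIDER=oidc            # identity provider name registered in Keystone (placeholder)
export OS_PROTOCOL=openid                   # federation protocol name registered in Keystone (placeholder)
export OS_CLIENT_ID=openstack-cli           # Keycloak client the CLI authenticates as (placeholder)
export OS_CLIENT_SECRET=placeholder-client-secret
export OS_OPENID_SCOPE="openid profile email"
export OS_USERNAME=test2
export OS_PASSWORD=placeholder-keycloak-password
export OS_PROJECT_NAME=test2
export OS_PROJECT_DOMAIN_NAME=Default
export OS_INTERFACE=internal
export OS_REGION_NAME=chrnc-area51-01

# Pre-flight check: a federated user sourced with OS_AUTH_TYPE=password, or
# with any OIDC setting missing, will be rejected by Keystone with a bare 401.
# Report the actual gap instead, and return non-zero so scripts can stop.
check_federated_env() {
    rc=0
    if [ "${OS_AUTH_TYPE:-}" != "v3oidcpassword" ]; then
        echo "OS_AUTH_TYPE is '${OS_AUTH_TYPE:-unset}', expected v3oidcpassword" >&2
        rc=1
    fi
    for var in OS_AUTH_URL OS_DISCOVERY_ENDPOINT OS_IDENTITY_PROVIDER OS_PROTOCOL \
               OS_CLIENT_ID OS_CLIENT_SECRET OS_USERNAME OS_PASSWORD \
               OS_PROJECT_NAME OS_PROJECT_DOMAIN_NAME; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing required variable: $var" >&2
            rc=1
        fi
    done
    return $rc
}
```

Source the file, run `check_federated_env`, and only then call `openstack`. For tools that do not understand the OIDC plugin, `openstack token issue` under this environment yields a Keystone token that can be passed to them instead, which matches Krzysztof's suggestion and keeps the Keycloak password out of those tools' configuration.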
participants (4)
- Braden, Albert
- Krzysztof Klimonda
- Mark Goddard
- Mohamed Emine IBRAHIM