[EXTERNAL] Re: [kolla][keystone] Another keycloak issue

Krzysztof Klimonda kklimonda at syntaxhighlighted.com
Wed Jan 27 13:27:54 UTC 2021


Hi,

With SSO enabled you are no longer authenticating against keystone directly, and so your openrc.sh must be crafted to take that into account. For example, this is a snippet from my clouds.yaml for a deployment that is federated with keycloak via oidc:

----8<----8<----
  cloud_oidc:
    auth_type: v3oidcpassword
    auth:
      auth_url: https://[redacted]:5000/v3
      discovery_endpoint: https://[redacted]/.well-known/openid-configuration
      identity_provider: oidc
      protocol: openid
      client_id: [redacted]
      client_secret: [redacted]
      project_name: test-project
      project_domain_name: default
      username: [redacted]
      password: [redacted]
----8<----8<----

This can be translated into an openrc.sh script that sets up the proper variables (although I have no example of that on hand). A similar configuration can be done for SAML2-based integration. Additionally, not all third-party tools will work with such authentication, and for them you'll probably have to issue a token and use it instead.

Setting a password for a user in keystone goes against the idea of SSO and introduces the issue of how to reset the keystone password when the one in keycloak is changed (and vice versa). Also, I'm not even sure if it's possible for default federated users (as opposed to "local" federated users, which work a little bit differently).

-- 
  Krzysztof Klimonda
  kklimonda at syntaxhighlighted.com

On Wed, Jan 27, 2021, at 12:43, Mohamed Emine IBRAHIM wrote:
> hello,
> 
> Maybe the user password is not mapped to keystone, so when you create a
> new user via keycloak you need to set the password manually (openstack user
> set test2 --password-prompt) and then use the CLI?
> 
> On 27/01/2021 10:09, Mark Goddard wrote:
> > On Tue, 26 Jan 2021 at 17:02, Braden, Albert
> > <C-Albert.Braden at charter.com> wrote:
> >>
> >> Another problem I'm encountering with keycloak is that the keycloak users can't login on the command line. I created user test2 via Keycloak and test3 via CLI. They have identical roles on the admin domain:
> >>
> >> (openstack) [root at chrnc-area51-build-01 ~]# os role assignment list --user test2
> >> +----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
> >> | Role                             | User                                                             | Group | Project                          | Domain | System | Inherited |
> >> +----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
> >> | 406a5f1cd92d45b5b3d54979235e896c | f4287b6082b8f36048d052eaa3d35facb94e5eff598d59d2aee68252ddb13339 |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
> >> +----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
> >> (openstack) [root at chrnc-area51-build-01 ~]# os role assignment list --user test3
> >> +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
> >> | Role                             | User                             | Group | Project                          | Domain | System | Inherited |
> >> +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
> >> | 406a5f1cd92d45b5b3d54979235e896c | 06a5f28d061f4d42b3bf64df378338fd |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
> >> +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
> >>
> >> I made identical env-setting "rc" files with only the username changed. Test3 logs in successfully but test2 fails:
> >>
> >> (openstack) [root at chrnc-area51-build-01 ~]# . ./test2-openrc.sh
> >> (openstack) [root at chrnc-area51-build-01 ~]# openstack server list
> >> The request you have made requires authentication. (HTTP 401) (Request-ID: req-ad7ee855-df98-434a-9afc-89f64a7addd1)
> >> (openstack) [root at chrnc-area51-build-01 ~]# . ./test3-openrc.sh
> >> (openstack) [root at chrnc-area51-build-01 ~]# openstack server list
> >>
> >> (openstack) [root at chrnc-area51-build-01 ~]#
> >>
> >> The only obvious difference is the longer UID for the Keycloak users. Do Keycloak-created users require something different in the env? Do I need to change something in Keycloak, to make the Keycloak users work the same as CLI-created users? Where can I look in the database to find the differences between these two users?
> >>
> > I'm no expert on federation, but I understand that you need to use a
> > slightly different method with the CLI. This page has some info:
> > https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.html
> > 
> 
> -- 
> Very truly yours, best wishes
> Mohamed Emine IBRAHIM
> محمد أمين إبراهيم
> 
> 
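As an added example (not code from the thread), here is the openrc.sh translation Krzysztof says he has no example of: a small POSIX sh/awk helper that emits the OS_* exports from a clouds.yaml entry shaped like his snippet, plus a check that every variable that entry feeds to the v3oidcpassword plugin is actually set. The hostnames, client id and credential values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: emit openrc-style exports from a
# clouds.yaml entry and sanity-check them before sourcing. keystoneauth maps
# each plugin option to OS_<OPTION> (upper-cased, dashes become underscores),
# so discovery_endpoint -> OS_DISCOVERY_ENDPOINT, client_id -> OS_CLIENT_ID.

# Constructed sample mirroring the snippet in the reply; every value is a placeholder.
CLOUDS_YAML='clouds:
  cloud_oidc:
    auth_type: v3oidcpassword
    auth:
      auth_url: https://keystone.example.test:5000/v3
      discovery_endpoint: https://sso.example.test/realms/demo/.well-known/openid-configuration
      identity_provider: oidc
      protocol: openid
      client_id: openstack-cli
      client_secret: PLACEHOLDER_CLIENT_SECRET
      project_name: test-project
      project_domain_name: default
      username: test2
      password: PLACEHOLDER_PASSWORD
'

# clouds_to_openrc <cloud-name>: print one "export OS_...=..." line per key.
clouds_to_openrc() {
    printf '%s\n' "$CLOUDS_YAML" | awk -v cloud="$1" '
        $1 == (cloud ":")          { in_cloud = 1; next }   # entered wanted cloud
        in_cloud && /^  [^ ]/      { in_cloud = 0 }         # next cloud entry
        in_cloud && $1 == "auth:"  { next }                 # flatten the auth map
        in_cloud && NF >= 2 {
            key = toupper($1); sub(/:$/, "", key); gsub(/-/, "_", key)
            printf "export OS_%s=\"%s\"\n", key, $2
        }'
}

# oidc_env_check: name what the environment lacks instead of a bare HTTP 401.
oidc_env_check() {
    missing=""
    [ "${OS_AUTH_TYPE:-}" = "v3oidcpassword" ] || missing="$missing OS_AUTH_TYPE"
    for v in OS_AUTH_URL OS_DISCOVERY_ENDPOINT OS_IDENTITY_PROVIDER OS_PROTOCOL \
             OS_CLIENT_ID OS_CLIENT_SECRET OS_USERNAME OS_PASSWORD \
             OS_PROJECT_NAME OS_PROJECT_DOMAIN_NAME; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    [ -z "$missing" ] && return 0
    echo "v3oidcpassword needs:$missing" >&2
    return 1
}
```

Source the output with `eval "$(clouds_to_openrc cloud_oidc)"` and run `oidc_env_check` before the first `openstack` call; a plain OS_USERNAME/OS_PASSWORD openrc without OS_AUTH_TYPE is what keystone answers with 401 for a federated user.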
