Wikimedia Cloud Services team/EnhancementProposals/Neutron SDN/ldap

From Wikitech

Open Questions

  -  "service_role": "role:service", exists in /etc/keystone/policy.json but we don't define a service role?

---

Do we use keystone groups for anything?

Glance admin role?

General service user roles and assignments?

What's our domain? multiple domains?

What roles do we have and where are they assigned?

  • The possibility of having multiple domains came with version 3 of the Keystone API.

What version of keystone api? (v2 or v3)

  • keystone has the concept of groups?

"Keystone added a new abstraction, called a Domain, that could provide the ability to isolate the visibility of a set of Projects and Users (and User Groups) to a specific organization."

As of the Juno release, Keystone supports multiple Identity backends for the V3 Identity API.

As of Liberty, roles are not domain scoped, but this could change in the future.

  • getting keystone cli util to work
    • Authorization Failed: The resource could not be found. (HTTP 404) (Request-ID: req-a170d956-c868-48e0-98da-26d368b03798)

Keystone

https://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html

LDAP Groups

http://www.thegeekstuff.com/2015/02/openldap-add-users-groups

http://www.lichteblau.com/ldapvi/

http://www.lichteblau.com/ldapvi/manual/

https://www.chriscantwell.co.uk/2009/11/using-ldapvi-to-quickly-modify-ldap-directories/

root@labtestcontrol2001:~# openstack role list

+----------------------------------+--------------+
| ID                               | Name         |
+----------------------------------+--------------+
| 7db0d1d2a27f4e7f8afc45bdf19aaf59 | observer     |
| 8284c7e1155a464c818cf1eacf008c23 | user         |
| 8e86568d85984eda8ff44532f99e9304 | admin        |
| cb17fb40e2ef4cdd99956cd771b1799a | projectadmin |
| eb3fb807ab684f3d9fa77eed65bc0817 | glanceadmin  |
+----------------------------------+--------------+

LDAP vs Keystone: identify and assignemnt

https://docs.openstack.org/developer/keystone/configuration.html#read-only-ldap

https://www.mattfischer.com/blog/?p=545

openstack role assignment list -- bastion vs non?

https://adam.younglogic.com/2013/10/read-only-ldap-in-keystone/

ldap assignment (we don't use this)

http://sergslipushenko.github.io/html_doc/keystone_integrate_assignment_backend_ldap.html

LDAP OU

1 ou=people,dc=wikimedia,dc=org

2 ou=netgroup,dc=wikimedia,dc=org

3 ou=sudoers,dc=wikimedia,dc=org

4 ou=hosts,dc=wikimedia,dc=org

5 ou=profile,dc=wikimedia,dc=org

9 ou=groups,dc=wikimedia,dc=org

43 ou=projects,dc=wikimedia,dc=org

172 ou=roles,dc=wikimedia,dc=org

496 ou=servicegroups,dc=wikimedia,dc=org

497 ou=people,ou=servicegroups,dc=wikimedia,dc=org

LDAP (via wikitech) Creation

neutronone

+8391 uid=neutronone,ou=people,dc=wikimedia,dc=org

+uid: neutronone

+sn: Neutronone

+cn: Neutronone

+userPassword: {SHA}xT+zGZAmaKGFkoAWtJLlcA8dnYA=

+objectClass: inetOrgPerson

+objectClass: person

+objectClass: ldapPublicKey

+objectClass: posixAccount

+objectClass: shadowAccount

+uidNumber: 14005

+gidNumber: 500

+homeDirectory: /home/neutronone

+loginShell: /bin/bash

+mail: cpettet+neutronone@wikimedia.org

-------

root@labtestcontrol2001:~# openstack user create --domain default --password-prompt neutronone

User Password:

Repeat User Password:

Conflict occurred attempting to store user - Duplicate name, neutronone. (HTTP 409) (Request-ID: req-c9d0fca0-07ca-4057-9e9d-043a721b6d44)

root@labtestcontrol2001:~#  openstack role add --project service --user neutronone admin

No project with a name or ID of 'service' exists.

root@labtestcontrol2001:~# openstack role add --project admin --user neutronone admin

root@labtestcontrol2001:~#

root@labtestcontrol2001:~# openstack service create --name neutron \

>   --description "OpenStack Networking" network

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | 21777ec0152245919cea3bfd17781d98 |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+

openstack endpoint create --region codfw \

  network public <nowiki>http://labtestnet2001.codfw.wmnet:9696</nowiki>

openstack endpoint create --region codfw \

  network internal <nowiki>http://labtestnet2001.codfw.wmnet:9696</nowiki>

openstack endpoint create --region codfw \

  network admin <nowiki>http://labtestnet2001.codfw.wmnet:9696</nowiki>

openstack endpoint list | grep network

Reference

http://heig-cloud.github.io/article/2015-12-17%20ldap/