Keystone authenticator? #183

Open
attardi opened this issue Jul 16, 2018 · 23 comments

Comments

@attardi

attardi commented Jul 16, 2018

Would it be possible to add OpenStack Keystone as an authenticator, using Application Credentials (https://docs.openstack.org/keystone/queens/user/application_credentials.html) as tokens?

@tamalsaha
Contributor

We could. There is an unmaintained one at https://github.com/dims/k8s-keystone-auth. If you are interested in contributing, you are most welcome.

@tamalsaha
Contributor

@attardi, check out https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-client-keystone-auth.md. This seems to be the official answer. Let me know if this works or not.

@zioproto

@tamalsaha that code is not unmaintained, it was migrated in the cloud-provider-openstack https://github.com/kubernetes/cloud-provider-openstack/tree/master/pkg/identity/keystone

I guess you can easily include that code to Guard.

At the moment I know for sure that k8s-keystone-auth works using keystone username and password but the support for keystone Application Credentials is untested.

@attardi
Author

attardi commented Jul 17, 2018

I tested it, but unfortunately it only works with password/domain authentication, which is not what we need, since we don't use password authentication on our deployment of OpenStack.
We use federated authentication, which delegates authentication to external IdP providers. Hence Keystone has no way to authenticate our users.
The only possible solution, I think, is to use Keystone Application Credentials. Users can obtain those credentials from Keystone or even from the OpenStack dashboard. Then they can configure their .kube/config with the given token and access Kubernetes, similar to what you do with GitHub.

@tamalsaha
Contributor

Thanks. We can add support for this. The main issue is how do I get an OpenStack setup to test this during development? We usually test against OVH for the OpenStack API. But it is not clear to me if they support application credentials. https://docs.ovh.com/gb/en/storage/pca/dev/#authentication

To support this, we need to implement one method: https://github.com/appscode/guard/blob/master/auth/types.go#L47. We also add e2e tests to test the implementation.

@attardi
Author

attardi commented Jul 17, 2018

Take a look at the section on Authentication in our architecture document.

Application Credentials should be easy to obtain.
If you like, we can give you access to our OpenStack cloud platform: ask for an account at cloud.garr.it/forms/register/

We can give you access to our OpenStack deployment

@tamalsaha
Contributor

Thanks @attardi. I have submitted a request for an account using my gmail account tamal AT appscode.com.

@RdL87

RdL87 commented Jul 17, 2018

Hi @tamalsaha, I've just accepted your request. If you need to use the OpenStack CLI just send an email to cloud-support AT garr.it

@tamalsaha
Contributor

tamalsaha commented Jul 17, 2018

Thanks @RdL87. I can access now :).

Next question is how do I create an application_credential from the UI?

@RdL87

RdL87 commented Jul 18, 2018

You're welcome @tamalsaha. You can't from the UI (https://docs.openstack.org/keystone/queens/user/application_credentials.html).
For this reason I suggested to ask for an OpenStack CLI. :)
Please send an email to cloud-support at garr.com in order to track your request in our ticketing system.

@tamalsaha
Contributor

@RdL87, I am getting a 404 from the `openstack application credential create xyz` command. I sent you an email with the details.

@attardi
Author

attardi commented Jul 20, 2018

Application credentials can be obtained using python-keystoneclient (version > 3.15, from https://github.com/openstack/python-keystoneclient.git):

```python
from keystoneauth1.identity import v3
from keystoneauth1 import session
from keystoneclient.v3 import client

# AUTH_URL, USERNAME, USER_DOMAIN_NAME, PASSWD, PROJECT and PROJECT_DOMAIN_NAME
# are the values for your own OpenStack deployment.
auth = v3.Password(auth_url=AUTH_URL,
                   username=USERNAME,
                   user_domain_name=USER_DOMAIN_NAME,
                   password=PASSWD,
                   project_name=PROJECT,
                   project_domain_name=PROJECT_DOMAIN_NAME)
sess = session.Session(auth=auth)
keystone = client.Client(session=sess)

# Create an application credential for the current project and inspect it.
app_cred = keystone.application_credentials.create(
    name='kubernetes').to_dict()
from pprint import pprint
pprint(app_cred)
# {u'description': None,
#  u'expires_at': None,
#  u'id': u'25ddda21938d4a34873fe93a8772430d',
#  u'links': {u'self': u'https://keystone-staging.cloud.garr.it:5000/v3/users/6472b10817ac41369993fa59709992a5/application_credentials/25ddda21938d4a34873fe93a8772430d'},
#  u'name': u'k8s',
#  u'project_id': u'ceb24e8ffaf14110a40956ef0028196b',
#  u'roles': [{u'domain_id': None,
#              u'id': u'f3e6d744b88e4b56a1c56bc15581f1c4',
#              u'name': u'Member'},
#             {u'domain_id': None,
#              u'id': u'ce72aae022d24301a38b0894584066e1',
#              u'name': u'Admin'}],
#  u'secret': u'0CRvHIRDhi-dJGfuGevaBsX9_s6i0BA2txIpmW3Ks0Avf9IuIAZQ9Ln9vbZPtUj7pEPZ0RCyvHrvjXMMMXjAww',
#  u'unrestricted': False}

# The secret is returned only once, at creation time; it is the value used as the token.
token = app_cred['secret']
```

@tamalsaha
Contributor

@attardi, I tried with the account I have got from garr.it. You can see the code here: https://github.com/tamalsaha/keystone-demo/blob/master/appcred.py

But it stays stuck. So, not sure what's wrong. Does this script work for you?

@attardi
Author

attardi commented Jul 21, 2018

Application Credentials can be obtained from the dashboard through this completed Blueprint, upcoming in Rocky:

https://blueprints.launchpad.net/horizon/+spec/application-credentials

@tamalsaha
Contributor

@RdL87, did you find anything?

@RdL87

RdL87 commented Jul 26, 2018

Hi @tamalsaha, sorry, I was sure you were included in a thread on our ticketing system. I will report here some messages sent from @attardi related to this topic.

I omitted some ids, replacing those with ******************************

I figured out how to create application credentials.

You need to use python-keystoneclient (version > 3.15, from
https://github.com/openstack/python-keystoneclient.git):

```python
from keystoneauth1.identity import v3
from keystoneauth1 import session
from keystoneclient.v3 import client

# AUTH_URL, USERNAME, USER_DOMAIN_NAME, PASSWD, PROJECT and PROJECT_DOMAIN_NAME
# are the values for your own OpenStack deployment.
auth = v3.Password(auth_url=AUTH_URL,
                   username=USERNAME,
                   user_domain_name=USER_DOMAIN_NAME,
                   password=PASSWD,
                   project_name=PROJECT,
                   project_domain_name=PROJECT_DOMAIN_NAME)
sess = session.Session(auth=auth)
keystone = client.Client(session=sess)

app_cred = keystone.application_credentials.create(
    name='kubernetes').to_dict()
from pprint import pprint
pprint(app_cred)
# {u'description': None,
#  u'expires_at': None,
#  u'id': u'******************************',
#  u'links': {u'self':
#  u'https://keystone-staging.cloud.garr.it:5000/v3/users/6472b10817ac41369993fa59709992a5/application_credentials/25ddda21938d4a34873fe93a8772430d'},
#  u'name': u'k8s',
#  u'project_id': u'******************************',
#  u'roles': [{u'domain_id': None,
#              u'id': u'******************************',
#              u'name': u'Member'},
#             {u'domain_id': None,
#              u'id': u'******************************',
#              u'name': u'Admin'}],
#  u'secret':
#  u'******************************',
#  u'unrestricted': False}

token = app_cred['secret']
```


Also I'm going to forward to you a message containing details for your account on our staging cluster that you can use for testing purposes. I will send it by email since it contains credentials.

@tamalsaha
Contributor

Thanks. I tried using this sample python code. I was still getting 404. https://github.com/tamalsaha/keystone-demo/blob/master/appcred.py

@RdL87

RdL87 commented Jul 26, 2018

Did you use the account on our staging cluster? (the one I sent to you by email)

@tamalsaha
Contributor

@RdL87, I was able to get it to work using the test credential you emailed.

@attardi
Author

attardi commented Jul 26, 2018

The openstack command:

```sh
openstack application credential create
```

also works, as long as your openstack client version is > 3.15 and OpenStack Keystone is at version Queens.

@attardi
Author

attardi commented Jul 28, 2018

Application credentials can be used by selecting the v3applicationcredential auth_type and providing the following parameters:

```ini
auth_url = https://keystone.server/identity/v3
auth_type = v3applicationcredential
application_credential_id = app_id
application_credential_secret = secret
```
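As an added example (not code from this thread, from Guard, or from cloud-provider-openstack), this is the backend check tamalsaha mentions having to implement, driven by the same id/secret pair as the parameters above: the authenticator asks Keystone for a scoped token with the `application_credential` method and only maps the answer to a user if Keystone accepts the pair. It assumes a bearer token of the form `<application_credential_id>:<secret>`, a Keystone v3 base URL such as the `auth_url` above, and its own `UserInfo` shape rather than Guard's type.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// UserInfo holds the identity fields a webhook authenticator hands back to the API server
// (assumed shape for this example, not Guard's own type).
type UserInfo struct {
	Username, UID string
	Groups        []string
}

// CheckAppCred validates a bearer token of the assumed form "<application_credential_id>:<secret>"
// by asking Keystone for a scoped token (POST {authURL}/auth/tokens, method "application_credential").
// authURL is the Keystone v3 base URL, e.g. https://keystone.server/identity/v3.
func CheckAppCred(authURL, token string, c *http.Client) (*UserInfo, error) {
	parts := strings.SplitN(token, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return nil, errors.New("token must be <application_credential_id>:<secret>")
	}
	body, _ := json.Marshal(map[string]interface{}{"auth": map[string]interface{}{"identity": map[string]interface{}{
		"methods":                []string{"application_credential"},
		"application_credential": map[string]string{"id": parts[0], "secret": parts[1]},
	}}})
	resp, err := c.Post(strings.TrimSuffix(authURL, "/")+"/auth/tokens", "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// Keystone returns 201 (with an X-Subject-Token header) only for a valid, unexpired id/secret pair.
	if resp.StatusCode != http.StatusCreated {
		return nil, fmt.Errorf("keystone rejected application credential: HTTP %d", resp.StatusCode)
	}
	var tr struct{ Token struct{ User struct{ ID, Name string }; Project struct{ ID string }; Roles []struct{ Name string } } }
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	ui := &UserInfo{Username: tr.Token.User.Name, UID: tr.Token.User.ID}
	for _, r := range tr.Token.Roles { // expose Keystone roles as "<project_id>:<role>" groups for RBAC bindings
		ui.Groups = append(ui.Groups, tr.Token.Project.ID+":"+r.Name)
	}
	return ui, nil
}
```

Because Keystone validates the pair itself, the authenticator never needs the user's password and a revoked or expired application credential stops working immediately.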

@attardi
Author

attardi commented Aug 24, 2018

Any progress on this?

@zioproto

@tamalsaha I am looking into this. At the moment kubernetes users are not able to use application credentials to authenticate because the client misses the functionality, and also the go library the client is based on misses this functionality. However you can implement the backend part if it is python only. I will keep this issue updated with my latest findings. Thank you
