Page MenuHomePhabricator
Create Task
Maniphest T115029

Move project membership/assignment from ldap to keystone mysql
Closed, ResolvedPublic
Actions

Description

The keystone folks have decided to deprecate project membership via ldap. This wasn't supposed to happen until M but in truth the v3 api is totally broken for this so we probably need to move sooner.

How, then, will pam/ssh determine project membership? I don't know.

the transition is described here:

https://openstack.nimeyo.com/29408/openstack-keystone-deprecation-assignment-project-assignment

And a tentative roadmap is here:

https://wikitech.wikimedia.org/wiki/Labs_keystone_roles#Steps

Details

SubjectRepoBranchLines +/-
Update admin_project_id in the keystone configoperations/puppetproduction+2 -2
Switch keystone to mysql assignment from ldap.operations/puppetproduction+12 -23
Added a v3 call to get projects for a given user.mediawiki/extensions/OpenStackManagerwmf/1.27.0-wmf.13+26 -11
Add a keystone v3 call to determine role membership.mediawiki/extensions/OpenStackManagerwmf/1.27.0-wmf.13+45 -14
Added migration tool to adopt keystone-based projects and role assignmentmediawiki/extensions/OpenStackManagerwmf/1.27.0-wmf.13+60 -0
Modify projects and roles using keystone callsmediawiki/extensions/OpenStackManagerwmf/1.27.0-wmf.13+247 -245
memberDNs should be based off the userid, not the username.mediawiki/extensions/OpenStackManagerwmf/1.27.0-wmf.13+2 -2
Update OpenStackNovaUser to use proper OpenStackNovaProject callsmediawiki/extensions/OpenStackManagerwmf/1.27.0-wmf.13+28 -62
Distinguish between project names and project IDsmediawiki/extensions/OpenStackManagerwmf/1.27.0-wmf.13+144 -86
Keep track of roleids as a separate thing from rolenamesmediawiki/extensions/OpenStackManagerwmf/1.27.0-wmf.13+31 -21
Get projects and membership via the keystone apimediawiki/extensions/OpenStackManagerwmf/1.27.0-wmf.13+292 -104
memberDNs should be based off the userid, not the username.mediawiki/extensions/OpenStackManagermaster+2 -2
Added a v3 call to get projects for a given user.mediawiki/extensions/OpenStackManagermaster+26 -11
Add a keystone v3 call to determine role membership.mediawiki/extensions/OpenStackManagermaster+45 -14
Added migration tool to adopt keystone-based projects and role assignmentmediawiki/extensions/OpenStackManagermaster+60 -0
Modify projects and roles using keystone callsmediawiki/extensions/OpenStackManagermaster+247 -245
Update OpenStackNovaUser to use proper OpenStackNovaProject callsmediawiki/extensions/OpenStackManagermaster+28 -62
Distinguish between project names and project IDsmediawiki/extensions/OpenStackManagermaster+144 -86
Keep track of roleids as a separate thing from rolenamesmediawiki/extensions/OpenStackManagermaster+31 -21
Get projects and membership via the keystone apimediawiki/extensions/OpenStackManagermaster+292 -104
Specify wgOpenStackManagerProjectId in WikitechPrivateSettings.phpoperations/puppetproduction+11 -2
Define wgOpenStackManagerProjectoperations/puppetproduction+2 -0
Add legacy ldap-based files for handline project information.mediawiki/extensions/OpenStackManagermaster+1 K -0
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

Andrew created this task.Oct 8 2015, 4:55 PM
Andrew claimed this task.
Andrew raised the priority of this task from to Medium.
Andrew updated the task description. (Show Details)
Andrew added projects: Patch-For-Review, labs-sprint-117, Cloud-Services, Cloud-VPS.
Andrew added subscribers: gerritbot, Andrew, Aklapper and 2 others.
Krenair removed a project: Patch-For-Review.Oct 8 2015, 4:59 PM
Krenair set Security to None.

How, then, will pam/ssh determine project membership? I don't know.

Nova API?

revi edited subscribers, added: revi; removed: gerritbot.Oct 9 2015, 11:49 AM
Andrew added a project: labs-sprint-118.Oct 26 2015, 3:27 PM
Andrew added a comment.Nov 2 2015, 5:51 PM

https://wikitech.wikimedia.org/wiki/Labs_keystone_roles#Steps

Andrew closed subtask T117610: Make designate able to pull the project name from a project ID as Resolved.Nov 6 2015, 10:21 PM
Andrew added a project: labs-sprint-119.Nov 9 2015, 6:05 PM
Andrew removed Andrew as the assignee of this task.Nov 16 2015, 5:50 PM
Andrew merged a task: T124186: Switch from ldap project assignment to keystone/mysql project assignment.Jan 26 2016, 11:37 PM
Andrew added a subscriber: StudiesWorld.
Andrew claimed this task.Jan 27 2016, 12:12 AM
Andrew updated the task description. (Show Details)Jan 27 2016, 12:15 AM
gerritbot added a comment.Jan 29 2016, 12:03 AM

Change 267192 had a related patch set uploaded (by Andrew Bogott):
Define wgOpenStackManagerProject

https://gerrit.wikimedia.org/r/267192

gerritbot added a project: Patch-For-Review.Jan 29 2016, 12:03 AM
gerritbot added a comment.Jan 29 2016, 2:14 AM

Change 252615 had a related patch set uploaded (by Andrew Bogott):
WIP: get project and membership information via the keystone api

https://gerrit.wikimedia.org/r/252615

gerritbot added a comment.Jan 29 2016, 2:15 AM

Change 267192 merged by Andrew Bogott:
Define wgOpenStackManagerProject

https://gerrit.wikimedia.org/r/267192

gerritbot added a comment.Feb 1 2016, 10:22 PM

Change 267789 had a related patch set uploaded (by Andrew Bogott):
Add legacy ldap-based files for handline project information.

https://gerrit.wikimedia.org/r/267789

gerritbot added a comment.Feb 3 2016, 11:56 PM

Change 268325 had a related patch set uploaded (by Andrew Bogott):
Switch keystone to mysql assignment from ldap.

https://gerrit.wikimedia.org/r/268325

gerritbot added a comment.Feb 5 2016, 11:19 PM

Change 268832 had a related patch set uploaded (by Andrew Bogott):
Keep track of roleids as a separate thing from rolenames.

https://gerrit.wikimedia.org/r/268832

gerritbot added a comment.Feb 5 2016, 11:19 PM

Change 268833 had a related patch set uploaded (by Andrew Bogott):
Attempt to distinguish between project names and project IDs.

https://gerrit.wikimedia.org/r/268833

gerritbot added a comment.Feb 5 2016, 11:19 PM

Change 268834 had a related patch set uploaded (by Andrew Bogott):
Modify projects and roles using keystone calls.

https://gerrit.wikimedia.org/r/268834

gerritbot added a comment.Feb 5 2016, 11:19 PM

Change 268835 had a related patch set uploaded (by Andrew Bogott):
Update OpenStackNovaUser to use proper OpenStackNovaProject calls.

https://gerrit.wikimedia.org/r/268835

gerritbot added a comment.Feb 5 2016, 11:19 PM

Change 268836 had a related patch set uploaded (by Andrew Bogott):
Added migration tool to adopt keystone-based project assignment

https://gerrit.wikimedia.org/r/268836

gerritbot added a comment.Feb 6 2016, 8:10 PM

Change 267789 merged by jenkins-bot:
Add legacy ldap-based files for handline project information.

https://gerrit.wikimedia.org/r/267789

gerritbot added a comment.Feb 7 2016, 2:49 AM

Change 268927 had a related patch set uploaded (by Andrew Bogott):
Specify wgOpenStackManagerProjectId in WikitechPrivateSettings.php

https://gerrit.wikimedia.org/r/268927

gerritbot added a comment.Feb 7 2016, 4:31 AM

Change 268927 merged by Andrew Bogott:
Specify wgOpenStackManagerProjectId in WikitechPrivateSettings.php

https://gerrit.wikimedia.org/r/268927

Andrew added a comment.EditedFeb 8 2016, 7:19 PM
  • create roles on labcontrol1001 export OS_SERVICE_ENDPOINT="http://labcontrol1001.wikimedia.org:35357/v2.0" keystone --os-token <admin_token> role-create --name admin keystone --os-token <admin_token> role-create --name projectadmin keystone --os-token <admin_token> role-create --name user
  • add novaadmin to admin role on labcontrol1001 export OS_SERVICE_ENDPOINT="http://labcontrol1001.wikimedia.org:35357/v2.0" keystone --os-token <admin_token> user-role-add --user novaadmin --role admin --tenant admin keystone --os-token <admin_token> user-role-add --user novaadmin --role admin --tenant testlabs
  • run migration script on silver mwscript extensions/OpenStackManager/maintenance/migrateLdapAssignmentToKeystone.php --wiki=labswiki (about 20 minutes)
  • enable logins remove unset( $wgSpecialPages['UserLogin'] ); in wikitech.php
  • remove sitenotice
  • test:
    • check user and projectadmin lists
    • check user and projectadmin addition and removal, verify that rights are enforced properly by wikitech
    • verify that ldap groups are set properly and the ssh access still works when it should, and doesn't when it shouldn't
    • test new project creation and deletion, instance creation, access to new instance.
    • Bonus tests: check behavior of 'user' and 'projectadmin' role members on horizon. Both will surely be screwed up; if 'user' rights are too permissive, lock down horizon for now.
Andrew added a comment.Feb 8 2016, 7:26 PM

to revert, roll back all patches, reset all caches, and truncate keystone tables: assignment, project, role.

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-02-09_(1.27.0-wmf.13)).Feb 8 2016, 8:02 PM
Andrew added a comment.Feb 9 2016, 4:55 AM

labtestwikitech.wikimedia.org now reflects the end of the above process (plus one additional patch that can be merged at any time, https://gerrit.wikimedia.org/r/#/c/269363/

gerritbot added a comment.Feb 9 2016, 11:46 PM

Change 269564 had a related patch set uploaded (by Andrew Bogott):
Add a keystone v3 call to determine role membership.

https://gerrit.wikimedia.org/r/269564

gerritbot added a comment.Feb 9 2016, 11:46 PM

Change 269565 had a related patch set uploaded (by Andrew Bogott):
Added a v3 call to get projects for a given user.

https://gerrit.wikimedia.org/r/269565

Ricordisamoa subscribed.Feb 11 2016, 4:00 PM
scfc subscribed.Feb 11 2016, 7:51 PM
In T115029#1712921, @Krenair wrote:

How, then, will pam/ssh determine project membership? I don't know.

Nova API?

I'd like to be sure to have understood this: In the future, OpenStackManager will be a frontend for Keystone (which handles OpenStack users/projects). Keystone will sync changes to its data to the existing LDAP server. This LDAP server is queried (as before) by pam/ssh. Correct?

Andrew added a comment.Feb 11 2016, 10:58 PM

@scfc, that is almost correct. Certain ldap entries (the groups used by pam/ssh) will remain as before. Other ldap entries (those used only as the keystone backend, specifically roles and project membership) will no longer be updated, and will get pruned out eventually.

The complete story is here: https://wikitech.wikimedia.org/wiki/Labs_keystone_roles

gerritbot added a comment.Feb 11 2016, 11:01 PM

Change 252615 merged by jenkins-bot:
Get projects and membership via the keystone api

https://gerrit.wikimedia.org/r/252615

gerritbot added a comment.Feb 11 2016, 11:01 PM

Change 268832 merged by jenkins-bot:
Keep track of roleids as a separate thing from rolenames

https://gerrit.wikimedia.org/r/268832

gerritbot added a comment.Feb 11 2016, 11:02 PM

Change 268833 merged by jenkins-bot:
Distinguish between project names and project IDs

https://gerrit.wikimedia.org/r/268833

gerritbot added a comment.Feb 11 2016, 11:03 PM

Change 268835 merged by jenkins-bot:
Update OpenStackNovaUser to use proper OpenStackNovaProject calls

https://gerrit.wikimedia.org/r/268835

gerritbot added a comment.Feb 11 2016, 11:28 PM

Change 270136 had a related patch set uploaded (by Andrew Bogott):
memberDNs should be based off the userid, not the username.

https://gerrit.wikimedia.org/r/270136

gerritbot added a comment.Feb 12 2016, 1:24 AM

Change 268834 merged by jenkins-bot:
Modify projects and roles using keystone calls

https://gerrit.wikimedia.org/r/268834

gerritbot added a comment.Feb 12 2016, 1:24 AM

Change 268836 merged by jenkins-bot:
Added migration tool to adopt keystone-based projects and role assignment

https://gerrit.wikimedia.org/r/268836

gerritbot added a comment.Feb 12 2016, 1:24 AM

Change 269564 merged by jenkins-bot:
Add a keystone v3 call to determine role membership.

https://gerrit.wikimedia.org/r/269564

gerritbot added a comment.Feb 12 2016, 1:24 AM

Change 269565 merged by jenkins-bot:
Added a v3 call to get projects for a given user.

https://gerrit.wikimedia.org/r/269565

gerritbot added a comment.Feb 12 2016, 1:24 AM

Change 270136 merged by jenkins-bot:
memberDNs should be based off the userid, not the username.

https://gerrit.wikimedia.org/r/270136

gerritbot added a comment.Feb 12 2016, 2:42 AM

Change 270157 had a related patch set uploaded (by Andrew Bogott):
Get projects and membership via the keystone api

https://gerrit.wikimedia.org/r/270157

gerritbot added a comment.Feb 12 2016, 2:42 AM

Change 270158 had a related patch set uploaded (by Andrew Bogott):
Keep track of roleids as a separate thing from rolenames

https://gerrit.wikimedia.org/r/270158

gerritbot added a comment.Feb 12 2016, 2:42 AM

Change 270159 had a related patch set uploaded (by Andrew Bogott):
Distinguish between project names and project IDs

https://gerrit.wikimedia.org/r/270159

gerritbot added a comment.Feb 12 2016, 2:42 AM

Change 270160 had a related patch set uploaded (by Andrew Bogott):
Update OpenStackNovaUser to use proper OpenStackNovaProject calls

https://gerrit.wikimedia.org/r/270160

gerritbot added a comment.Feb 12 2016, 2:42 AM

Change 270161 had a related patch set uploaded (by Andrew Bogott):
memberDNs should be based off the userid, not the username.

https://gerrit.wikimedia.org/r/270161

gerritbot added a comment.Feb 12 2016, 2:42 AM

Change 270162 had a related patch set uploaded (by Andrew Bogott):
Modify projects and roles using keystone calls

https://gerrit.wikimedia.org/r/270162

gerritbot added a comment.Feb 12 2016, 2:42 AM

Change 270163 had a related patch set uploaded (by Andrew Bogott):
Added migration tool to adopt keystone-based projects and role assignment

https://gerrit.wikimedia.org/r/270163

gerritbot added a comment.Feb 12 2016, 2:42 AM

Change 270164 had a related patch set uploaded (by Andrew Bogott):
Add a keystone v3 call to determine role membership.

https://gerrit.wikimedia.org/r/270164

gerritbot added a comment.Feb 12 2016, 2:42 AM

Change 270165 had a related patch set uploaded (by Andrew Bogott):
Added a v3 call to get projects for a given user.

https://gerrit.wikimedia.org/r/270165

gerritbot added a comment.Feb 12 2016, 3:01 AM

Change 270169 had a related patch set uploaded (by Andrew Bogott):
Update admin_project_id in the keystone config

https://gerrit.wikimedia.org/r/270169

gerritbot added a comment.Feb 12 2016, 3:55 PM

Change 270157 merged by jenkins-bot:
Get projects and membership via the keystone api

https://gerrit.wikimedia.org/r/270157

gerritbot added a comment.Feb 12 2016, 3:57 PM

Change 270158 merged by jenkins-bot:
Keep track of roleids as a separate thing from rolenames

https://gerrit.wikimedia.org/r/270158

gerritbot added a comment.Feb 12 2016, 3:57 PM

Change 270159 merged by jenkins-bot:
Distinguish between project names and project IDs

https://gerrit.wikimedia.org/r/270159

gerritbot added a comment.Feb 12 2016, 3:57 PM

Change 270160 merged by jenkins-bot:
Update OpenStackNovaUser to use proper OpenStackNovaProject calls

https://gerrit.wikimedia.org/r/270160

gerritbot added a comment.Feb 12 2016, 3:57 PM

Change 270161 merged by jenkins-bot:
memberDNs should be based off the userid, not the username.

https://gerrit.wikimedia.org/r/270161

gerritbot added a comment.Feb 12 2016, 3:58 PM

Change 270162 merged by jenkins-bot:
Modify projects and roles using keystone calls

https://gerrit.wikimedia.org/r/270162

gerritbot added a comment.Feb 12 2016, 3:58 PM

Change 270163 merged by jenkins-bot:
Added migration tool to adopt keystone-based projects and role assignment

https://gerrit.wikimedia.org/r/270163

gerritbot added a comment.Feb 12 2016, 3:58 PM

Change 270164 merged by jenkins-bot:
Add a keystone v3 call to determine role membership.

https://gerrit.wikimedia.org/r/270164

gerritbot added a comment.Feb 12 2016, 3:58 PM

Change 270165 merged by jenkins-bot:
Added a v3 call to get projects for a given user.

https://gerrit.wikimedia.org/r/270165

gerritbot added a comment.Feb 12 2016, 3:59 PM

Change 268325 merged by Andrew Bogott:
Switch keystone to mysql assignment from ldap.

https://gerrit.wikimedia.org/r/268325

chasemp subscribed.Feb 12 2016, 4:04 PM
gerritbot added a comment.Feb 12 2016, 4:34 PM

Change 270169 merged by Andrew Bogott:
Update admin_project_id in the keystone config

https://gerrit.wikimedia.org/r/270169

Andrew added a comment.Feb 14 2016, 12:02 AM

This migration is done, and was followed by half a dozen OSM patches to mop up bugs and improve performance.

Andrew closed subtask T126765: Lock down access for new keystone role model as Resolved.Feb 15 2016, 8:44 PM
ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-03-01_(1.27.0-wmf.15)).Feb 16 2016, 6:02 PM
Andrew closed this task as Resolved.Mar 31 2016, 8:55 PM
Andrew removed a subtask: T126758: Clean up after ldap->mysql keystone migration.

This is all done except for cleaning up leftover ldap junk.

Andrew merged a task: T100213: Move tenant management out of ldap (after Kilo but before Mitaka).Nov 4 2016, 3:32 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:47 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits