Page MenuHomePhabricator

Move project membership/assignment from ldap to keystone mysql
Closed, ResolvedPublic

Description

The keystone folks have decided to deprecate project membership via ldap. This wasn't supposed to happen until M but in truth the v3 api is totally broken for this so we probably need to move sooner.

How, then, will pam/ssh determine project membership? I don't know.

the transition is described here:

https://openstack.nimeyo.com/29408/openstack-keystone-deprecation-assignment-project-assignment

And a tentative roadmap is here:

https://wikitech.wikimedia.org/wiki/Labs_keystone_roles#Steps

Details

Related Gerrit Patches:
operations/puppet : productionUpdate admin_project_id in the keystone config
operations/puppet : productionSwitch keystone to mysql assignment from ldap.
mediawiki/extensions/OpenStackManager : wmf/1.27.0-wmf.13Added a v3 call to get projects for a given user.
mediawiki/extensions/OpenStackManager : wmf/1.27.0-wmf.13Add a keystone v3 call to determine role membership.
mediawiki/extensions/OpenStackManager : wmf/1.27.0-wmf.13Added migration tool to adopt keystone-based projects and role assignment
mediawiki/extensions/OpenStackManager : wmf/1.27.0-wmf.13Modify projects and roles using keystone calls
mediawiki/extensions/OpenStackManager : wmf/1.27.0-wmf.13memberDNs should be based off the userid, not the username.
mediawiki/extensions/OpenStackManager : wmf/1.27.0-wmf.13Update OpenStackNovaUser to use proper OpenStackNovaProject calls
mediawiki/extensions/OpenStackManager : wmf/1.27.0-wmf.13Distinguish between project names and project IDs
mediawiki/extensions/OpenStackManager : wmf/1.27.0-wmf.13Keep track of roleids as a separate thing from rolenames
mediawiki/extensions/OpenStackManager : wmf/1.27.0-wmf.13Get projects and membership via the keystone api
mediawiki/extensions/OpenStackManager : mastermemberDNs should be based off the userid, not the username.
mediawiki/extensions/OpenStackManager : masterAdded a v3 call to get projects for a given user.
mediawiki/extensions/OpenStackManager : masterAdd a keystone v3 call to determine role membership.
mediawiki/extensions/OpenStackManager : masterAdded migration tool to adopt keystone-based projects and role assignment
mediawiki/extensions/OpenStackManager : masterModify projects and roles using keystone calls
mediawiki/extensions/OpenStackManager : masterUpdate OpenStackNovaUser to use proper OpenStackNovaProject calls
mediawiki/extensions/OpenStackManager : masterDistinguish between project names and project IDs
mediawiki/extensions/OpenStackManager : masterKeep track of roleids as a separate thing from rolenames
mediawiki/extensions/OpenStackManager : masterGet projects and membership via the keystone api
operations/puppet : productionSpecify wgOpenStackManagerProjectId in WikitechPrivateSettings.php
operations/puppet : productionDefine wgOpenStackManagerProject
mediawiki/extensions/OpenStackManager : masterAdd legacy ldap-based files for handline project information.

Event Timeline

Andrew created this task.Oct 8 2015, 4:55 PM
Andrew claimed this task.
Andrew raised the priority of this task from to Medium.
Andrew updated the task description. (Show Details)
Andrew added subscribers: gerritbot, Andrew, Aklapper and 2 others.
Krenair set Security to None.

How, then, will pam/ssh determine project membership? I don't know.

Nova API?

revi edited subscribers, added: revi; removed: gerritbot.Oct 9 2015, 11:49 AM
Andrew removed Andrew as the assignee of this task.Nov 16 2015, 5:50 PM
Andrew claimed this task.Jan 27 2016, 12:12 AM
Andrew updated the task description. (Show Details)Jan 27 2016, 12:15 AM

Change 267192 had a related patch set uploaded (by Andrew Bogott):
Define wgOpenStackManagerProject

https://gerrit.wikimedia.org/r/267192

Change 252615 had a related patch set uploaded (by Andrew Bogott):
WIP: get project and membership information via the keystone api

https://gerrit.wikimedia.org/r/252615

Change 267192 merged by Andrew Bogott:
Define wgOpenStackManagerProject

https://gerrit.wikimedia.org/r/267192

Change 267789 had a related patch set uploaded (by Andrew Bogott):
Add legacy ldap-based files for handline project information.

https://gerrit.wikimedia.org/r/267789

Change 268325 had a related patch set uploaded (by Andrew Bogott):
Switch keystone to mysql assignment from ldap.

https://gerrit.wikimedia.org/r/268325

Change 268832 had a related patch set uploaded (by Andrew Bogott):
Keep track of roleids as a separate thing from rolenames.

https://gerrit.wikimedia.org/r/268832

Change 268833 had a related patch set uploaded (by Andrew Bogott):
Attempt to distinguish between project names and project IDs.

https://gerrit.wikimedia.org/r/268833

Change 268834 had a related patch set uploaded (by Andrew Bogott):
Modify projects and roles using keystone calls.

https://gerrit.wikimedia.org/r/268834

Change 268835 had a related patch set uploaded (by Andrew Bogott):
Update OpenStackNovaUser to use proper OpenStackNovaProject calls.

https://gerrit.wikimedia.org/r/268835

Change 268836 had a related patch set uploaded (by Andrew Bogott):
Added migration tool to adopt keystone-based project assignment

https://gerrit.wikimedia.org/r/268836

Change 267789 merged by jenkins-bot:
Add legacy ldap-based files for handline project information.

https://gerrit.wikimedia.org/r/267789

Change 268927 had a related patch set uploaded (by Andrew Bogott):
Specify wgOpenStackManagerProjectId in WikitechPrivateSettings.php

https://gerrit.wikimedia.org/r/268927

Change 268927 merged by Andrew Bogott:
Specify wgOpenStackManagerProjectId in WikitechPrivateSettings.php

https://gerrit.wikimedia.org/r/268927

Andrew added a comment.EditedFeb 8 2016, 7:19 PM
  • create roles on labcontrol1001 export OS_SERVICE_ENDPOINT="http://labcontrol1001.wikimedia.org:35357/v2.0" keystone --os-token <admin_token> role-create --name admin keystone --os-token <admin_token> role-create --name projectadmin keystone --os-token <admin_token> role-create --name user
  • add novaadmin to admin role on labcontrol1001 export OS_SERVICE_ENDPOINT="http://labcontrol1001.wikimedia.org:35357/v2.0" keystone --os-token <admin_token> user-role-add --user novaadmin --role admin --tenant admin keystone --os-token <admin_token> user-role-add --user novaadmin --role admin --tenant testlabs
  • run migration script on silver mwscript extensions/OpenStackManager/maintenance/migrateLdapAssignmentToKeystone.php --wiki=labswiki (about 20 minutes)
  • enable logins remove unset( $wgSpecialPages['UserLogin'] ); in wikitech.php
  • remove sitenotice
  • test:
    • check user and projectadmin lists
    • check user and projectadmin addition and removal, verify that rights are enforced properly by wikitech
    • verify that ldap groups are set properly and the ssh access still works when it should, and doesn't when it shouldn't
    • test new project creation and deletion, instance creation, access to new instance.
    • Bonus tests: check behavior of 'user' and 'projectadmin' role members on horizon. Both will surely be screwed up; if 'user' rights are too permissive, lock down horizon for now.
Andrew added a comment.Feb 8 2016, 7:26 PM

to revert, roll back all patches, reset all caches, and truncate keystone tables: assignment, project, role.

Andrew added a comment.Feb 9 2016, 4:55 AM

labtestwikitech.wikimedia.org now reflects the end of the above process (plus one additional patch that can be merged at any time, https://gerrit.wikimedia.org/r/#/c/269363/

Change 269564 had a related patch set uploaded (by Andrew Bogott):
Add a keystone v3 call to determine role membership.

https://gerrit.wikimedia.org/r/269564

Change 269565 had a related patch set uploaded (by Andrew Bogott):
Added a v3 call to get projects for a given user.

https://gerrit.wikimedia.org/r/269565

scfc added a subscriber: scfc.Feb 11 2016, 7:51 PM

How, then, will pam/ssh determine project membership? I don't know.

Nova API?

I'd like to be sure to have understood this: In the future, OpenStackManager will be a frontend for Keystone (which handles OpenStack users/projects). Keystone will sync changes to its data to the existing LDAP server. This LDAP server is queried (as before) by pam/ssh. Correct?

@scfc, that is almost correct. Certain ldap entries (the groups used by pam/ssh) will remain as before. Other ldap entries (those used only as the keystone backend, specifically roles and project membership) will no longer be updated, and will get pruned out eventually.

The complete story is here: https://wikitech.wikimedia.org/wiki/Labs_keystone_roles

Change 252615 merged by jenkins-bot:
Get projects and membership via the keystone api

https://gerrit.wikimedia.org/r/252615

Change 268832 merged by jenkins-bot:
Keep track of roleids as a separate thing from rolenames

https://gerrit.wikimedia.org/r/268832

Change 268833 merged by jenkins-bot:
Distinguish between project names and project IDs

https://gerrit.wikimedia.org/r/268833

Change 268835 merged by jenkins-bot:
Update OpenStackNovaUser to use proper OpenStackNovaProject calls

https://gerrit.wikimedia.org/r/268835

Change 270136 had a related patch set uploaded (by Andrew Bogott):
memberDNs should be based off the userid, not the username.

https://gerrit.wikimedia.org/r/270136

Change 268834 merged by jenkins-bot:
Modify projects and roles using keystone calls

https://gerrit.wikimedia.org/r/268834

Change 268836 merged by jenkins-bot:
Added migration tool to adopt keystone-based projects and role assignment

https://gerrit.wikimedia.org/r/268836

Change 269564 merged by jenkins-bot:
Add a keystone v3 call to determine role membership.

https://gerrit.wikimedia.org/r/269564

Change 269565 merged by jenkins-bot:
Added a v3 call to get projects for a given user.

https://gerrit.wikimedia.org/r/269565

Change 270136 merged by jenkins-bot:
memberDNs should be based off the userid, not the username.

https://gerrit.wikimedia.org/r/270136

Change 270157 had a related patch set uploaded (by Andrew Bogott):
Get projects and membership via the keystone api

https://gerrit.wikimedia.org/r/270157

Change 270158 had a related patch set uploaded (by Andrew Bogott):
Keep track of roleids as a separate thing from rolenames

https://gerrit.wikimedia.org/r/270158

Change 270159 had a related patch set uploaded (by Andrew Bogott):
Distinguish between project names and project IDs

https://gerrit.wikimedia.org/r/270159

Change 270160 had a related patch set uploaded (by Andrew Bogott):
Update OpenStackNovaUser to use proper OpenStackNovaProject calls

https://gerrit.wikimedia.org/r/270160

Change 270161 had a related patch set uploaded (by Andrew Bogott):
memberDNs should be based off the userid, not the username.

https://gerrit.wikimedia.org/r/270161

Change 270162 had a related patch set uploaded (by Andrew Bogott):
Modify projects and roles using keystone calls

https://gerrit.wikimedia.org/r/270162

Change 270163 had a related patch set uploaded (by Andrew Bogott):
Added migration tool to adopt keystone-based projects and role assignment

https://gerrit.wikimedia.org/r/270163

Change 270164 had a related patch set uploaded (by Andrew Bogott):
Add a keystone v3 call to determine role membership.

https://gerrit.wikimedia.org/r/270164

Change 270165 had a related patch set uploaded (by Andrew Bogott):
Added a v3 call to get projects for a given user.

https://gerrit.wikimedia.org/r/270165

Change 270169 had a related patch set uploaded (by Andrew Bogott):
Update admin_project_id in the keystone config

https://gerrit.wikimedia.org/r/270169

Change 270157 merged by jenkins-bot:
Get projects and membership via the keystone api

https://gerrit.wikimedia.org/r/270157

Change 270158 merged by jenkins-bot:
Keep track of roleids as a separate thing from rolenames

https://gerrit.wikimedia.org/r/270158

Change 270159 merged by jenkins-bot:
Distinguish between project names and project IDs

https://gerrit.wikimedia.org/r/270159

Change 270160 merged by jenkins-bot:
Update OpenStackNovaUser to use proper OpenStackNovaProject calls

https://gerrit.wikimedia.org/r/270160

Change 270161 merged by jenkins-bot:
memberDNs should be based off the userid, not the username.

https://gerrit.wikimedia.org/r/270161

Change 270162 merged by jenkins-bot:
Modify projects and roles using keystone calls

https://gerrit.wikimedia.org/r/270162

Change 270163 merged by jenkins-bot:
Added migration tool to adopt keystone-based projects and role assignment

https://gerrit.wikimedia.org/r/270163

Change 270164 merged by jenkins-bot:
Add a keystone v3 call to determine role membership.

https://gerrit.wikimedia.org/r/270164

Change 270165 merged by jenkins-bot:
Added a v3 call to get projects for a given user.

https://gerrit.wikimedia.org/r/270165

Change 268325 merged by Andrew Bogott:
Switch keystone to mysql assignment from ldap.

https://gerrit.wikimedia.org/r/268325

Change 270169 merged by Andrew Bogott:
Update admin_project_id in the keystone config

https://gerrit.wikimedia.org/r/270169

This migration is done, and was followed by half a dozen OSM patches to mop up bugs and improve performance.

Andrew closed this task as Resolved.Mar 31 2016, 8:55 PM

This is all done except for cleaning up leftover ldap junk.