Page MenuHomePhabricator

Add keystone auth middleware to the puppet enc api
Open, MediumPublic

Description

Right now we secure the enc by limiting API access. Since this is primarily access by Horizon it should check Keystone tokens like any other openstack service.

Event Timeline

Andrew triaged this task as Medium priority.Mar 9 2021, 5:37 PM

This is likely easier if we use https://github.com/Rackspace-DOT/flask_keystone. It doesn't appear to be packaged for Debian, at least yet.

Change 778616 had a related patch set uploaded (by Majavah; author: Majavah):

[openstack/horizon/wmf-puppet-dashboard@main] cleanup and keystone auth support

https://gerrit.wikimedia.org/r/778616

Mentioned in SAL (#wikimedia-cloud) [2022-04-09T19:37:42Z] <taavi> add 'puppet-enc' service & endpoint to keystone T274666

Change 779899 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] openstack: make enc-cli authenticate via keystone

https://gerrit.wikimedia.org/r/779899

Change 781977 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] openstack: make wmf_sink authenticate to enc api via keystone

https://gerrit.wikimedia.org/r/781977

Change 781977 merged by Andrew Bogott:

[operations/puppet@production] openstack: make wmf_sink authenticate to enc api via keystone

https://gerrit.wikimedia.org/r/781977

Change 778616 merged by jenkins-bot:

[openstack/horizon/wmf-puppet-dashboard@main] cleanup and keystone auth support

https://gerrit.wikimedia.org/r/778616

Mentioned in SAL (#wikimedia-operations) [2022-04-20T14:55:13Z] <taavi@deploy1002> Started deploy [horizon/deploy@9d02cd6]: updating wmf-puppet-dashboard for keystone authentication support T274666 (eqiad1)

Mentioned in SAL (#wikimedia-operations) [2022-04-20T15:00:16Z] <taavi@deploy1002> Finished deploy [horizon/deploy@9d02cd6]: updating wmf-puppet-dashboard for keystone authentication support T274666 (eqiad1) (duration: 05m 03s)

Change 785110 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:openstack::encapi: add tls for write endpoint

https://gerrit.wikimedia.org/r/785110

Change 785128 had a related patch set uploaded (by Majavah; author: Majavah):

[labs/private@master] add dummy password for cloudinfra token validator

https://gerrit.wikimedia.org/r/785128

Change 785134 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:openstack::encapi: add keystone token verification

https://gerrit.wikimedia.org/r/785134

Change 785128 merged by Andrew Bogott:

[labs/private@master] add dummy password for cloudinfra token validator

https://gerrit.wikimedia.org/r/785128

Change 785110 merged by Andrew Bogott:

[operations/puppet@production] P:openstack::encapi: add tls for write endpoint

https://gerrit.wikimedia.org/r/785110

Change 779899 merged by David Caro:

[operations/puppet@production] openstack: make enc-cli authenticate via keystone

https://gerrit.wikimedia.org/r/779899

Change 785134 merged by David Caro:

[operations/puppet@production] P:openstack::encapi: add keystone token verification

https://gerrit.wikimedia.org/r/785134

Change 792228 had a related patch set uploaded (by David Caro; author: David Caro):

[operations/puppet@production] Revert "P:openstack::encapi: add keystone token verification"

https://gerrit.wikimedia.org/r/792228

Change 792228 abandoned by David Caro:

[operations/puppet@production] Revert "P:openstack::encapi: add keystone token verification"

Reason:

The issue was fixed :)

https://gerrit.wikimedia.org/r/792228

[17:11]  <  mutante> openstack-browser stopped showing puppet classes and clicking other links seems slow / working sometimes. should I make a ticket or ongoing work?
[17:12]  <  mutante> f.e. https://openstack-browser.toolforge.org/puppetclass/ seems empty
[17:12]  <  mutante> I see backlog about outage on horizon. so maybe it's that then ack
[17:13]  <  mutante> ok, i'll just check in later again
[17:50]  <    bd808> mutante: I think we need a bug report for the openstack-browser things. I don't have time to dig in deeper at the moment, but it looks to me like the puppet-enc backend is now requiring auth even for browsing and that is making all the anon queries done by the tool fail. This is possibly unintended fallout of work taavi has been doing to add better auth to that puppet-enc service.
[17:51]  <    bd808> the app is doing things that are functionally `curl https://puppet-enc.cloudinfra.wmcloud.org:8143/v1/roles` -- https://phabricator.wikimedia.org/source/tool-keystone-browser/browse/master/keystone_browser/puppetclasses.py
[17:57]  <  mutante> bd808: ACK! will do that in a bit. thanks
[17:59]  <    taavi> that sounds like the most likely explanation, I thought I already migrated openstack-browser to use keystone authentication with puppet-enc :/
[18:00]  <    taavi> patches welcome, the proxies.py might have useful code you can almost copy-paste. otherwise will try to find some time to fix that soon-ish, but no promises due to irl priorities
[18:05]  <    bd808> *nod* looks like the `proxy_client` magic from https://phabricator.wikimedia.org/source/tool-keystone-browser/browse/master/keystone_browser/proxies.py is what puppetclasses.py also needs.

Change 792619 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] openstack: Make enc api enforce keystone policy

https://gerrit.wikimedia.org/r/792619

Change 792619 merged by Andrew Bogott:

[operations/puppet@production] openstack: Make enc api enforce keystone policy

https://gerrit.wikimedia.org/r/792619

Change 793524 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] openstack: encapi: add a custom error class

https://gerrit.wikimedia.org/r/793524

Change 793524 merged by Andrew Bogott:

[operations/puppet@production] openstack: encapi: add a custom error class

https://gerrit.wikimedia.org/r/793524