Right now the project-proxy API is secured with firewall rules. It should check Keystone tokens like any other openstack service.
Description
Description
Details
Details
Customize query in gerrit
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | taavi | T295246 Dynamicproxy API should be useful without the Horizon dashboard | |||
| Resolved | taavi | T295234 Add keystone auth for dynamicproxy api | |||
| Resolved | taavi | T295235 Update project-proxy proxies to Debian Bullseye | |||
| Resolved | taavi | T295245 Request increased quota for project-proxy Cloud VPS project | |||
| Resolved | taavi | T296105 Support keystone auth for openstack-browser when accessing the dynamic proxy api |
Event Timeline
Comment Actions
We need to package https://github.com/Rackspace-DOT/flask_keystone (and its dependency https://github.com/Rackspace-DOT/flask_oslolog) as Debian packages for this to work easily.
Comment Actions
Change 737856 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] aptrepo: add component for rackspace openstack debs
Comment Actions
Change 739577 had a related patch set uploaded (by Majavah; author: Majavah):
[openstack/horizon/wmf-proxy-dashboard@master] views: use keystone for proxy requests
Comment Actions
Change 737856 abandoned by Majavah:
[operations/puppet@production] aptrepo: add component for rackspace openstack debs
Reason:
Comment Actions
Mentioned in SAL (#wikimedia-operations) [2021-11-18T11:07:09Z] <arturo> added python-flask-oslolog_0.1~git20201012.7803a46-1 to bullseye-wikimedia (T295234)
Comment Actions
Mentioned in SAL (#wikimedia-operations) [2021-11-18T11:26:10Z] <arturo> aborrero@apt1001:~$ sudo -i reprepro processincoming default /srv/wikimedia/incoming/python-flask-keystone_0.2~git20201012.b5cd4da-1_amd64.changes (T295234)
Comment Actions
Change 739902 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] Keystone policy: add support for the keystonevalidate role
Comment Actions
Change 739902 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] Keystone policy: add support for the keystonevalidate role
Comment Actions
Change 739577 merged by Andrew Bogott:
[openstack/horizon/wmf-proxy-dashboard@master] views: use keystone for proxy requests
Comment Actions
Change 740225 had a related patch set uploaded (by Andrew Bogott; author: Majavah):
[openstack/horizon/wmf-proxy-dashboard@main] views: use keystone for proxy requests
Comment Actions
Change 740226 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] dynamicproxy: add keystone authentication
Comment Actions
Change 740225 merged by Andrew Bogott:
[openstack/horizon/wmf-proxy-dashboard@main] views: use keystone for proxy requests
Comment Actions
Change 740227 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[openstack/horizon/deploy@main] Update wmf-proxy-dashboard submodule: use Keystone auth for proxy editing
Comment Actions
Change 740227 merged by Andrew Bogott:
[openstack/horizon/deploy@main] Update wmf-proxy-dashboard submodule: use Keystone auth for proxy editing
Comment Actions
Change 740226 merged by Andrew Bogott:
[operations/puppet@production] dynamicproxy: add keystone token verification
Comment Actions
Keystone tokens are now being verified. Next step is to add support for per-project RBAC policy.
Comment Actions
Change 740306 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] opentack: add keystone auth to remaining proxy api users
Comment Actions
Change 740306 merged by Andrew Bogott:
[operations/puppet@production] opentack: add keystone auth to remaining proxy api users
Comment Actions
Change 748171 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] dynamicproxy: enforce project permissions
Comment Actions
Change 748171 merged by Andrew Bogott:
[operations/puppet@production] dynamicproxy: enforce project permissions
Comment Actions
Closing, this is done now. Remaining steps for opening up the API access are tracked in T295246.