
yahoo-eng-team team mailing list archive

[Bug 1805817] [NEW] provide a 'whoami' service for authenticated users

 

Public bug reported:

It would be very helpful if keystone could provide a 'whoami' service to
users and other projects, for example for building clouds.yaml and
openstackrc files to horizon interface / openstack client and API users

openstack user show admin
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 22b8b60e6***************b |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

This is not very useful - and I need a working RC file to get this far!
Federated users have to build their own clouds.yaml and need to find out fairly low-level details from multiple systems, for example with a SAML user:

--os-auth-type v3samlpassword
--os-identity-provider <name of idp in keystone>
--os-identity-provider-url <ECP endpoint>
--os-protocol saml2
--os-username <federated username>
--os-password
--os-auth-url http://sp.keystone:5000/v3
--os-project-name demo
--os-project-domain-name Default
--os-identity-api-version 3

I logged this with the horizon team, who suggested I log it here.
Currently Horizon builds environment variables for users in a static way; it's quite messy and will only ever work for manual users.

export OS_AUTH_URL=
# With the addition of Keystone we have standardized on the term **project**
# as the entity that owns the resources.
export OS_PROJECT_ID=
export OS_PROJECT_NAME=
export OS_USER_DOMAIN_NAME=
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="default"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
# unset v2.0 items in case set
unset OS_TENANT_ID
unset OS_TENANT_NAME
# In addition to the owning entity (tenant), OpenStack stores the entity
# performing the action as the **user**.
export OS_USERNAME=
# With Keystone you pass the keystone password.
echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT
# If your configuration has multiple regions, we set that information here.
# OS_REGION_NAME is optional and only valid in certain environments.
export OS_REGION_NAME="RegionOne"
# Don't leave a blank variable, unset it if it was empty
if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
export OS_INTERFACE=
export OS_IDENTITY_API_VERSION=

It's quite ironic given that keystone is a discovery service too ;-)


here's the original bug on Horizon
https://bugs.launchpad.net/horizon/+bug/1795851

and this is an abomination :-/
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/api_access/templates/api_access/openrc.sh.template

thanks!


.....I love keystone

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1805817

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1805817/+subscriptions
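
Added example, not part of the bug report and not keystone or horizon code: a sketch of how a clouds.yaml entry could be derived from the fields of a Keystone v3 token body instead of a static template. The function names and the sample token are constructed for illustration; the entry deliberately carries no password, and the IdP's ECP URL stays a placeholder because the token body does not contain it.

```python
import json

# Constructed sample: shape of a Keystone v3 token body for a SAML2-federated
# user scoped to project "demo". Every value here is made up for illustration.
SAMPLE_TOKEN = {"token": {
    "user": {"id": "u-123", "name": "alice@example.org",
             "domain": {"id": "Federated", "name": "Federated"},
             "OS-FEDERATION": {"identity_provider": {"id": "myidp"},
                               "protocol": {"id": "saml2"},
                               "groups": [{"id": "g-1"}]}},
    "project": {"id": "p-456", "name": "demo",
                "domain": {"id": "default", "name": "Default"}},
    "catalog": [{"type": "identity", "endpoints": [
        {"interface": "admin", "region_id": "RegionOne",
         "url": "http://sp.keystone:35357/v3"},
        {"interface": "public", "region_id": "RegionOne",
         "url": "http://sp.keystone:5000/v3"}]}],
}}

def cloud_entry(token_body, interface="public"):
    """Build one clouds.yaml entry from a token body; never emits a secret."""
    tok = token_body["token"]
    user, project = tok["user"], tok.get("project")
    endpoints = [ep for svc in tok.get("catalog", []) if svc.get("type") == "identity"
                 for ep in svc.get("endpoints", []) if ep.get("interface") == interface]
    if not endpoints:
        raise ValueError("no %s identity endpoint in token catalog" % interface)
    auth = {"auth_url": endpoints[0]["url"], "username": user["name"]}
    if project:  # unscoped tokens carry no project
        auth["project_name"] = project["name"]
        auth["project_domain_name"] = project["domain"]["name"]
    fed = user.get("OS-FEDERATION")
    if fed:
        # Assumption: the ECP password flow from the report (v3samlpassword).
        auth_type = "v3samlpassword"
        auth["identity_provider"] = fed["identity_provider"]["id"]
        auth["protocol"] = fed["protocol"]["id"]
        # The IdP's ECP URL is not in the token; it must come from elsewhere.
        auth["identity_provider_url"] = "<ECP endpoint>"
    else:
        auth_type = "password"
        auth["user_domain_name"] = user["domain"]["name"]
    return {"auth_type": auth_type, "auth": auth, "interface": interface,
            "region_name": endpoints[0].get("region_id"),
            "identity_api_version": 3}

def render_clouds(name, entry):
    """JSON is valid YAML, so this text can be saved as clouds.yaml as-is."""
    return json.dumps({"clouds": {name: entry}}, indent=2)

if __name__ == "__main__":
    print(render_clouds("demo-saml", cloud_entry(SAMPLE_TOKEN)))
```

The password is left to be supplied at run time (prompt or keyring) rather than written into the generated file.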

