OpenStack Credentials: support Keystone application credentials

Yes, we should support it.

I am going through the gap analysis - what authenticate mechanisms Juju supports for each cloud and what mechanisms the clouds themselves support.

I'll add it to our wishist for prioritization.

Thanks for triaging!

This was raised by external users today at the Charm Summit. We should look to move this forward when possible.

Had same issue with a customer: they use SAML integration for users and application credential to run API calls through any automation and juju cannot offer it.

Here is a trace from bootstrapping with application credentials:
https://pastebin.canonical.com/p/XyzJrBkW9g/

The most interesting part of that log is:
10:31:50 DEBUG cmd supercommand.go:519 error stack:
authentication failed
caused by: requesting token failed
caused by: Resource at https://<REDACTED>/v3/tokens not found
caused by: request (https://<REDACTED>/v3/tokens) returned unexpected status: 404; error info: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

/build/juju/parts/juju/go/src/github.com/juju/juju/provider/openstack/provider.go:916: authentication failed.
/build/juju/parts/juju/go/src/github.com/juju/juju/environs/bootstrap/prepare.go:133:
/build/juju/parts/juju/go/src/github.com/juju/juju/cmd/juju/commands/bootstrap.go:735:

For some reason, Juju is searching on: https://<REDACTED>/v3/tokens instead of: https://<REDACTED>/v3/auth/tokens
Which is the rule for bionic-stein clouds.

Manually adding "auth/" does not resolve the issue.

As a end user we use SAML for horizon GUI and Application credentials for CLI and api access.
This option is a must as it allows for better security in not having a a users details inside a juju config. it also allows for if a breach does happen it can be disabled with out breaking other service that use the api.

I would really suggest that this be raised as a higher priority as it offers so much to help the end user with security and easier deployment.

~field-medium subscribed

@pguimaraes,

Which version of juju is this?

What do your juju credentials for this openstack look like? What commands did you use to setup the juju credentials for this openstack?

Juju supports openstack identity v3, and will use the auth/tokens if it understands that v3 is in use.

The ability to authenticate against a cloud with WebSSO seems to be a missing feature in juju. We have a k8s cloud with Keystone for account mgmt with SAML for WebSSO. We can authenticate to the k8s api server using kubectl and the client-go credential plugins.

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins

This feature uses the Keystone app credentials to retrieve a limited-lifetime token for use with the K8s api server. It relies on an external app that uses the keystone app credentials to retrieve the token and present it to kubectl. This is necessary since our Keystone doesn't store user credentials. It only issues app credentials. Furthermore, k8s doesn't work with the application credentials directly, rather it validates a token issued by keystone (and derived from the app creds).

For juju:

$ juju --version
3.0.3-genericlinux-amd64

Kubectl against our cluster works just fine:

$ kubectl get pods
NAME READY STATUS RESTARTS AGE
hello-world-699cdf74dc-fnjzk 1/1 Running 0 17d
...

The kubectl config directs kubectl to get it's token via an external app. From the user section of the kube config:

users:
- name: username
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args: null
      command: ./app_cred_auth.sh
      env: null
      interactiveMode: Never
      provideClusterInfo: false

The app_cred_auth.sh script uses the Keystone app credentials to retreive a token:

curl -s -i -H "Content-Type: application/json" -d "${data}" "${OS_AUTH_URL}/auth/tokens"

The token is the present to k8s api server to interact with k8s.

Juju needs to do something similar to get a token by way of the app credentials, rather than trying to use the app credentials directly.

My app credentials are loaded in my environment.

$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_INTERFACE=public
OS_AUTH_URL=https://keystone:5000/v3
OS_APPLICATION_CREDENTIAL_SECRET=<secret>
OS_APPLICATION_CREDENTIAL_ID=<id>
OS_AUTH_TYPE=v3applicationcredential
OS_IDENTITY_API_VERSION=3

When juju attempts to detect and load these credentials it complains that it can't understand the user stanza in the kubectl config file:

$ juju autoload-credentials
This operation can be applied to both a copy on this client and to the one on a controller.
No current controller was detected and there are no registered controllers on this client: either bootstrap one or register one.

Looking for cloud and credential information on local client...
ERROR could not detect credentials for provider "kubernetes": failed to read credentials from kubernetes config: configuration for "username" not supported