Comment 2 for bug 1711883

Lei Lei (leilei) wrote : Re: A logic error in function get_user_unique_id_and_display_name()

Thanks for asking, Lance.
Yep. The steps are used to create SSO (Single Sign-On) for using a Google Account to log in to OpenStack.
The steps are not few. They are as below.

[Environment] CentOS 7.3

1. Login on "Google Developers Console", and set up your own project, which is a "web application".
   Note:
   1> After the project is created successfully, write down the "client ID" and "client secret". They will be used later.
   2> Set "http://demo.sso.org:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect" to "the authorized redirected URL"

2. Set up a PackStack.

3. Run the commands below in the PackStack:

   source ~/keystonerc_admin
   openstack group create --domain default --description "Federation User Group" federation_group
   openstack project create --domain default --description "Federation Demo Project" federation_demo_project
   openstack role add --domain default --group federation_group admin
   openstack role add --project federation_demo_project --group federation_group admin
   openstack identity provider create google --remote-id https://accounts.google.com

   # Note: replace "xxx" below with the group id created by the second command above
   # (JSON does not allow comments, so the note is kept outside the file)
   cat > /tmp/google-mapping-rules.json <<EOF
[
    {
        "local": [
            {
                "group": {
                    "id": "xxx"
                }
            }
        ],

        "remote": [
            {
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [
                    "https://accounts.google.com"
                ]
            }
        ]
    }
]
EOF

   openstack mapping create google-idp-mapping --rules /tmp/google-mapping-rules.json
   openstack federation protocol create oidc --identity-provider google --mapping google-idp-mapping

4. Append/Add the following to the proper section of /etc/keystone.conf

    [auth]
    # Allowed authentication methods. (list value)
    methods = external,password,token,oauth1,oidc
    oidc = keystone.auth.plugins.mapped.Mapped

    [federation]
    # Value to be used to obtain the entity ID of the Identity Provider from the
    # environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
    # Provider`). (string value)
    remote_id_attribute = HTTP_OIDC_ISS
    trusted_dashboard = http://demo.sso.org/dashboard/auth/websso/

5. Install mod_auth_openidc module for Apache
   Commands are like below:

    wget https://github.com/pingidentity/mod_auth_openidc/releases/download/v2.3.0/cjose-0.5.1-1.el7.centos.x86_64.rpm
    wget https://github.com/pingidentity/mod_auth_openidc/releases/download/v2.3.0/mod_auth_openidc-2.3.0-1.el7.centos.x86_64.rpm
    wget http://springdale.math.ias.edu/data/puias/unsupported/6/x86_64/hiredis-0.12.1-1.sdl6.x86_64.rpm

    yum localinstall -y ./cjose-0.5.1-1.el7.centos.x86_64.rpm
    yum localinstall -y ./hiredis-0.12.1-1.sdl6.x86_64.rpm
    yum localinstall -y ./mod_auth_openidc-2.3.0-1.el7.centos.x86_64.rpm

6. Add the following content to /etc/httpd/conf.d/10-keystone_wsgi_main.conf

    <VirtualHost *:5000>
        ...

        OIDCClaimPrefix "OIDC-"
        OIDCResponseType "id_token"
        OIDCScope "openid email profile"
        OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
        OIDCClientID 414761336251-rd0s8re8lof053658g0eaphlho82kutv.apps.googleusercontent.com
        OIDCClientSecret oofUOIsUaGcqXb-i9Wy-zLKG
        OIDCCryptoPassphrase openstack
        OIDCRedirectURI http://demo.sso.org:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
        <Location ~ "/v3/auth/OS-FEDERATION/websso/oidc">
            AuthType openid-connect
            Require valid-user
            LogLevel debug
        </Location>

        ...
    </VirtualHost>

7. Append the following to /etc/openstack-dashboard/local_settings

    # Enables keystone web single-sign-on if set to True.
    WEBSSO_ENABLED = True
    WEBSSO_CHOICES = (
     ("credentials", _("Keystone Credentials")),
     ("oidc", _("OpenID Connect"))
    )
    WEBSSO_INITIAL_CHOICE = "credentials"

8. Run:
    systemctl restart httpd

9. Configure the hosts file on your laptop (the client used to access OpenStack)
   For example, if it's Windows, then modify C:\Windows\System32\drivers\etc\hosts
   Add the following line:

   <the OpenStack Controller node IP> demo.sso.org

10. Use your favourite web browser to access http://demo.sso.org

Then, keep watching /var/log/keystone/keystone.log; you will find that a KeyError about user['name'] is raised when you try to access OpenStack via your Google account.
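The following is an added example and not code from the bug report or from Keystone itself: a simplified evaluator for federation mapping rules of the shape used in step 3, run over a constructed set of environment variables as mod_auth_openidc would expose them. It shows two things a practitioner would want to see before reproducing the steps: the rule as written matches on the issuer alone (so every account from that issuer lands in the group), and it produces a group id but no user name, which is the condition under which a KeyError on user['name'] can surface. The claim variable names (`OIDC-email`, `OIDC-sub`), the sample values, the second rule set with a `user` entry, and the `display_name` helper are assumptions made for the example; only `any_one_of` and plain attribute presence are modelled.

```python
"""Added example: a minimal Keystone-style mapping-rule evaluator (not
Keystone's own code). Demonstrates why an issuer-only rule yields a group
but no user name, and what a rule that also maps the name looks like."""
import json

# Constructed remote environment, as the Apache OIDC module would expose it
# to Keystone. Claim variable names assume OIDCClaimPrefix "OIDC-" as in the
# config above; the values are made up for this example.
REMOTE_ENV = {
    "HTTP_OIDC_ISS": "https://accounts.google.com",
    "OIDC-email": "alice@example.com",
    "OIDC-sub": "1234567890",
}

# The mapping from the report, with the group id left as a placeholder.
ISSUER_ONLY_RULES = json.loads("""
[
  {
    "local": [{"group": {"id": "GROUP_ID_PLACEHOLDER"}}],
    "remote": [{"type": "HTTP_OIDC_ISS",
                "any_one_of": ["https://accounts.google.com"]}]
  }
]""")

# Assumed variant (not from the report): same issuer filter, plus a user name
# filled from the e-mail claim through positional substitution.
WITH_USER_RULES = json.loads("""
[
  {
    "local": [{"user": {"name": "{0}"}},
              {"group": {"id": "GROUP_ID_PLACEHOLDER"}}],
    "remote": [{"type": "OIDC-email"},
               {"type": "HTTP_OIDC_ISS",
                "any_one_of": ["https://accounts.google.com"]}]
  }
]""")


def match_remote(remote, env):
    """Evaluate a rule's 'remote' list against env.

    Returns the positional values for {0}, {1}, ... or None if any condition
    fails. Entries with 'any_one_of' act as filters only; plain entries
    contribute their value. ('not_any_of' and 'regex' are not modelled.)"""
    values = []
    for cond in remote:
        value = env.get(cond["type"])
        if value is None:
            return None
        if "any_one_of" in cond:
            if value not in cond["any_one_of"]:
                return None
        else:
            values.append(value)
    return values


def substitute(obj, values):
    """Recursively expand '{n}' placeholders inside a 'local' entry."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: substitute(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [substitute(v, values) for v in obj]
    return obj


def apply_mapping(rules, env):
    """Merge the 'local' output of every rule whose 'remote' part matches."""
    mapped = {"user": {}, "group_ids": []}
    for rule in rules:
        values = match_remote(rule["remote"], env)
        if values is None:
            continue
        for local in rule["local"]:
            local = substitute(local, values)
            if "user" in local:
                mapped["user"].update(local["user"])
            if "group" in local:
                mapped["group_ids"].append(local["group"]["id"])
    return mapped


def display_name(mapped):
    """Assumed stand-in for the look-up the traceback complains about: a
    mapped user is expected to carry a name. Raises KeyError if none was set."""
    return mapped["user"]["name"]


if __name__ == "__main__":
    issuer_only = apply_mapping(ISSUER_ONLY_RULES, REMOTE_ENV)
    print("issuer-only mapping:", issuer_only)
    try:
        display_name(issuer_only)
    except KeyError as exc:
        print("KeyError, as in the report, for key", exc)
    print("mapping with user name:", apply_mapping(WITH_USER_RULES, REMOTE_ENV))
```

Run it directly to see the issuer-only result (group present, empty user) followed by the KeyError, then the second rule set producing a name. Swapping the issuer in `REMOTE_ENV` for any other value makes both rules fail to match, which is the only filtering the original rule performs.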