Allow pushing user-allocation membership to Keycloak #249
QuanMPhm wants to merge 1 commit into nerc-project:main from
| def get_user_id(self, cf_username) -> str | None: | ||
| """Return None if user not found""" | ||
| # TODO (Quan): Confirm that Coldfront usernames map to Keycloak emails, not email, or something else? |
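Review bot: the TODO on get_user_id leaves open which Keycloak field cf_username is matched against, and the docstring only says None is returned on a miss; once the field is settled, resolve the TODO and name the field in the docstring, because a lookup against the wrong field returns None and every caller then silently skips the group change for that user.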
@QuanMPhm Coldfront usernames map to Keycloak usernames, not emails.
src/coldfront_plugin_cloud/tests/functional/openshift/test_allocation.py (outdated; thread resolved)
9a53156 to d7da5c4
@knikolla Two more questions:
src/coldfront_plugin_cloud/tests/functional/openshift/test_allocation.py (outdated; thread resolved)
d7da5c4 to 3b80589
@knikolla I've addressed your comments except one. Also, do you have responses to these questions?
3b80589 to cb1d628
| def assign_role_on_user(self, username, project_id): | ||
| self.kc_admin_client.create_group(project_id) | ||
| if user_id := self.kc_admin_client.get_user_id(username): | ||
| group_id = self.kc_admin_client.get_group_id(project_id) | ||
| self.kc_admin_client.add_user_to_group(user_id, group_id) | ||
| else: | ||
| logger.warning( | ||
| f"User {username} not found in Keycloak, cannot add to group." | ||
| ) | ||
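Review bot: create_group(project_id) runs on every call and before the user lookup, so a group is created even when the user is missing and the warning branch is taken; if that is intended, note it in a comment, and make sure create_group tolerates an already-existing group, since it is invoked once per user of the same project.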
| def remove_role_from_user(self, username, project_id): | ||
| user_id = self.kc_admin_client.get_user_id(username) | ||
| group_id = self.kc_admin_client.get_group_id(project_id) | ||
| self.kc_admin_client.remove_user_from_group(user_id, group_id) | ||
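Review bot: get_user_id can return None (its docstring says so, and assign_role_on_user guards for it), but here user_id and group_id go straight into remove_user_from_group, so a user that was never added, such as one missing from Keycloak, turns into an API error instead of a no-op; mirror the guard from assign_role_on_user, e.g. `if user_id is None or group_id is None: logger.warning(...); return`.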
@knikolla @naved001 The Openstack functional tests are failing because the plugin tries to add the coldfront-swift-init user to Openstack projects. The user is added to the cluster project, but since they're not registered on Keycloak, they're not added to the Keycloak group. This causes remove_role_from_user() in src/coldfront_plugin_cloud/base.py to raise a 404 error when it uses the Keycloak API to add a non-existent user to a group.
This can be resolved if we allow remove_role_from_user() to ignore if the user is not found, which was the agreed behavior for assign_role_on_user(). Is that acceptable?
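As an added example (not code from this PR or from coldfront-plugin-cloud), here is the add/remove pair with the tolerance proposed in the comment above applied to both paths, driven by an in-memory stand-in for the Keycloak admin client. `FakeKeycloakAdmin`, `KeycloakNotFound` and `KeycloakGroupSync` are names invented for the example, and the stand-in's behaviour, including its exact username match and the exception it raises in place of an HTTP 404, is an assumption rather than the real API.

```python
import logging

logger = logging.getLogger(__name__)


class KeycloakNotFound(Exception):
    """Stands in for the HTTP 404 the real Keycloak admin API returns (assumed)."""


class FakeKeycloakAdmin:
    """In-memory stand-in for the PR's kc_admin_client, constructed for this example.
    Method names follow the PR; the behaviour is an assumption."""

    def __init__(self, usernames):
        # user id is an opaque string; membership is group name -> set of user ids
        self._users = {name: f"uid-{i}" for i, name in enumerate(usernames)}
        self._groups = {}

    def get_user_id(self, username):
        """Return None if the user is not found.  The match is exact on purpose:
        a prefix or substring search could resolve to a different account."""
        return self._users.get(username)

    def create_group(self, name):
        # Idempotent: creating a group that already exists is a no-op.
        self._groups.setdefault(name, set())

    def get_group_id(self, name):
        # Group ids are the names here; the real API returns an opaque id.
        return name if name in self._groups else None

    def add_user_to_group(self, user_id, group_id):
        if user_id not in self._users.values() or group_id not in self._groups:
            raise KeycloakNotFound(f"{user_id}/{group_id}")
        self._groups[group_id].add(user_id)

    def remove_user_from_group(self, user_id, group_id):
        if user_id not in self._users.values() or group_id not in self._groups:
            raise KeycloakNotFound(f"{user_id}/{group_id}")
        self._groups[group_id].discard(user_id)

    def members(self, group_id):
        return set(self._groups.get(group_id, ()))


class KeycloakGroupSync:
    """Add/remove pair with the same tolerance on both paths: a user that is
    unknown to Keycloak is logged and skipped, never turned into an API error."""

    def __init__(self, kc_admin_client):
        self.kc = kc_admin_client

    def assign_role_on_user(self, username, project_id) -> bool:
        """Return True when the membership was pushed, False when skipped."""
        self.kc.create_group(project_id)
        user_id = self.kc.get_user_id(username)
        if user_id is None:
            logger.warning("User %s not found in Keycloak, cannot add to group.", username)
            return False
        self.kc.add_user_to_group(user_id, self.kc.get_group_id(project_id))
        return True

    def remove_role_from_user(self, username, project_id) -> bool:
        """Return True when the membership was removed, False when there was nothing to undo."""
        user_id = self.kc.get_user_id(username)
        group_id = self.kc.get_group_id(project_id)
        if user_id is None or group_id is None:
            logger.warning("User %s or group %s not in Keycloak, nothing to remove.", username, project_id)
            return False
        try:
            self.kc.remove_user_from_group(user_id, group_id)
        except KeycloakNotFound:
            # The user or group disappeared between lookup and removal; the
            # desired end state (not a member) already holds, so do not fail.
            logger.warning("User %s vanished from Keycloak before removal from %s.", username, project_id)
            return False
        return True


if __name__ == "__main__":
    kc = FakeKeycloakAdmin(["alice"])
    sync = KeycloakGroupSync(kc)
    sync.assign_role_on_user("alice", "proj-1")
    sync.assign_role_on_user("coldfront-swift-init", "proj-1")   # logged and skipped
    sync.remove_role_from_user("coldfront-swift-init", "proj-1") # no 404, just False
    print(kc.members("proj-1"))
```

The boolean return lets a caller (or a functional test) distinguish "pushed" from "skipped" without parsing log output, and the second guard in the remove path covers the window between the lookup and the removal, where the real API would still answer 404.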
@QuanMPhm please resolve conflicts. Are there any questions that I missed answering?
a217f31 to 0358cb7
A Keycloak admin client has been added.
- When `activate_allocation` is called, the user is added to a Keycloak group named after the project ID on the remote cluster. If the user does not already exist in Keycloak, the case is ignored for now.
- Authentication to Keycloak is done via client credentials grant.
- When `deactivate_allocation` is called, the user is removed from the Keycloak group.
Unit tests have been updated to remove dependency on Keycloak.
A comment in `validate_allocations` has been updated to reflect the more restrictive validation behavior, where users on cluster projects will be removed if they are not part of the Coldfront allocation (rather than if they are not registered on Coldfront at all). This is relevant for functional tests for this new feature.
0358cb7 to 8fc4ea6
| # Role already exists, ignore | ||
| pass | ||
| super().assign_role_on_user(username, project_id) |
Instead of the resource allocators, I think this should be handled in
| return user | ||
| def assign_role_on_user(self, username, project_id): | ||
| self.kc_admin_client.create_group(project_id) |
Instead of using the group ID, how about introducing a new Resource Attribute to Resources that accepts a format string. For example defaulting to "{resource_name}/{project_name}"
This would allow operators to specify their own format for group names for the clusters.
So you'd read the resource attribute and then call format on the string providing a few documented options for the available variables.
>>> template = "{resource_name}/{project_name}"
>>> group = template.format(**{"resource_name": "NERC-OCP", "project_name": "1234"}
... )
>>>
>>> group
'NERC-OCP/1234'
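The format-string idea above, as an added example (not code from the plugin): the template is read from a resource attribute and rendered with only the documented variables. `GROUP_NAME_TEMPLATE`, `ALLOWED_FIELDS` and the `project_id` variable are assumptions; only `resource_name` and `project_name` come from the comment. It goes one step beyond the REPL session by validating the template before calling `str.format`, since an operator-supplied format string should be limited to plain named fields (no positional fields, no attribute or index access, no conversion or format spec).

```python
import string

# Documented variables an operator may use in the template (assumed set).
ALLOWED_FIELDS = frozenset({"resource_name", "project_name", "project_id"})
DEFAULT_TEMPLATE = "{resource_name}/{project_name}"
TEMPLATE_ATTRIBUTE = "GROUP_NAME_TEMPLATE"  # hypothetical resource attribute name


class BadGroupTemplate(ValueError):
    """Raised for a template that uses anything beyond plain documented fields."""


def validate_template(template: str) -> None:
    """Walk the template with the stdlib parser and reject anything that is
    not a bare, documented field name: "{0}", "{}", "{project_name.__class__}",
    "{project_name[0]}", "{project_name!r}" and "{project_name:>8}" all fail."""
    for _literal, field, spec, conversion in string.Formatter().parse(template):
        if field is None:          # plain literal text between fields
            continue
        if field == "" or field[0].isdigit():
            raise BadGroupTemplate("positional fields are not allowed")
        if "." in field or "[" in field:
            raise BadGroupTemplate(f"attribute or index access not allowed: {field!r}")
        if spec or conversion:
            raise BadGroupTemplate(f"format spec or conversion not allowed on {field!r}")
        if field not in ALLOWED_FIELDS:
            raise BadGroupTemplate(f"unknown template variable {field!r}")


def is_valid_template(template: str) -> bool:
    """Boolean form of validate_template, handy for settings validation."""
    try:
        validate_template(template)
    except BadGroupTemplate:
        return False
    return True


def render_group_name(template: str, resource_name: str, project_name: str, project_id: str) -> str:
    """Validate, then format with exactly the documented variables."""
    validate_template(template)
    return template.format(
        resource_name=resource_name,
        project_name=project_name,
        project_id=project_id,
    )


def group_name_for(resource_attributes: dict, resource_name: str, project_name: str, project_id: str) -> str:
    """Read the template from the resource's attributes, falling back to the default."""
    template = resource_attributes.get(TEMPLATE_ATTRIBUTE, DEFAULT_TEMPLATE)
    return render_group_name(template, resource_name, project_name, project_id)


if __name__ == "__main__":
    print(group_name_for({}, "NERC-OCP", "1234", "abc123"))
    print(group_name_for({TEMPLATE_ATTRIBUTE: "ocp-{project_id}"}, "NERC-OCP", "1234", "abc123"))
    print(is_valid_template("{project_name.__class__}"))
```

Validating at configuration time (via `is_valid_template`) rather than at every allocation activation gives the operator the error where they set the attribute, and keeps the rendering path free of surprises.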
knikolla
left a comment
Did a quick first pass and provided some comments.
Also this needs to be possibly configurable via a setting.
@QuanMPhm Actually, another thought, do you think it would make sense to implement this in the Keycloak plugin? https://github.com/nerc-project/coldfront-plugin-keycloak It could listen to signals in the same way that the cloud plugin listens to signals. It already has a keycloak client implemented. And there is nothing in pushing users to a Keycloak group that is specific to either OpenShift or OpenStack.
@knikolla I see that it does make sense to separate the Keycloak functionality from the rest of the plugin. It makes sense to me. I forgot that repo existed. There would need to be some overhaul to add integration and unit tests to
For now let's keep it here (as not to frontload the work) and we can easily split it out later if needed. Perhaps try implementing it here via signals so as to keep it loosely coupled so that if we need to split it later it doesn't require a lot of uncoupling.
Closes nerc-project/operations#948. More details in the commit message
There are still some questions I have below, so this is still a draft for now.