Closed joachimweyl closed 3 months ago
@jtriley, please provide @tzumainn the URL needed to transition to the NERC Keycloak
@joachimweyl this would be on the new MOC ESI, so there would be no migration needed. I believe @naved001 is handling the configuration in the new MOC ESI.
@tzumainn while @naved001 is away for 2 weeks is this something you have access to updating or is this something only he has access to?
Ah - I think I might be able to do it, but I'm not entirely familiar with the required mechanics (although I think I could get @DanNiESh to help). However, no one is currently live on the new MOC ESI, so is this a big priority at the moment?
I don't actually have NERC keycloak credentials or admin access. I think @knikolla could help to create a client for new moc esi and give us the idp endpoint.
I do have admin access, but I'd prefer this be something @jtriley does since I defer changes to production systems to him.
@tzumainn my understanding was that this was a small change and would not slow down other work. If this is going to block other work then we can wait for @naved001 to return for the ESI side of things. @jtriley Am I correct that providing the IDP endpoint is a small task?
@joachimweyl Oh, I've just never done it. I'm also pretty sure this is a small task, but if something goes wrong I'll end up poking at random people with questions!
We migrated the new ESI cluster (with no users) to use NERC's keycloak. We ran into 2 issues:
Thanks @knikolla for helping us figure this out.
Next week I will switch the other ESI cluster (the one with users) to use NERC's keycloak.
This is done.
The file at /var/lib/config-data/puppet-generated/keystone/etc/httpd/conf.d was updated on 3 controllers with configuration from NERC keycloak. The keystone container was restarted, and then the openstack identity provider was updated:
openstack identity provider set --remote-id https://keycloak.mss.mghpcc.org/auth/realms/mss moc
The keycloak secrets are in vault (https://vault-ui-vault.apps.nerc-ocp-infra.rc.fas.harvard.edu/ui/vault/secrets/nerc/kv/keycloak%2Fclients%2Fesi/details?version=1)
We ran into an issue because I messed up the SELinux context of the conf file, which I fixed with:
chcon -t container_file_t 10-keystone_wsgi.conf
and then the keystone container started successfully.
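Two things can silently break the cutover described in this comment: the `--remote-id` given to keystone not matching the issuer the vhost actually talks to, and the conf file carrying an SELinux type the keystone container cannot read. The following is an added example, not code from this thread or from the ESI project, with small POSIX sh checks for both. It assumes the keystone vhost uses mod_auth_openidc and points at Keycloak via the `OIDCProviderMetadataURL` directive (an assumption; the thread only names the file 10-keystone_wsgi.conf), and that keystone's `remote_id_attribute` is the OIDC issuer header, as is typical for the openid protocol. The sample vhost fragment is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the keystone vhost is a
# mod_auth_openidc config with an OIDCProviderMetadataURL line, and keystone
# matches --remote-id against the issuer (HTTP_OIDC_ISS) that module sets.

# Keycloak's issuer is the realm URL, i.e. the discovery URL without the
# trailing /.well-known/openid-configuration.
issuer_from_metadata_url() {
    printf '%s\n' "$1" | sed 's#/\.well-known/openid-configuration$##'
}

# First OIDCProviderMetadataURL value found in a vhost config file ($1).
metadata_url_from_conf() {
    sed -n 's/^[[:space:]]*OIDCProviderMetadataURL[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# 0 if the remote-id ($2) equals the issuer derived from the vhost config ($1),
# 1 if it differs, 2 if the directive is missing entirely.
remote_id_matches() {
    conf="$1"
    remote_id="$2"
    meta=$(metadata_url_from_conf "$conf")
    [ -n "$meta" ] || return 2
    [ "$(issuer_from_metadata_url "$meta")" = "$remote_id" ]
}

# 0 if an `ls -Z` line carries the container_file_t type (readable from the
# keystone container), 1 otherwise. Example of a good line:
#   -rw-r--r--. root root system_u:object_r:container_file_t:s0 10-keystone_wsgi.conf
has_container_file_context() {
    case "$1" in
        *:container_file_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Self-contained demonstration on a constructed vhost fragment.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed sample of a keystone vhost fragment (not the real file)
OIDCProviderMetadataURL https://keycloak.mss.mghpcc.org/auth/realms/mss/.well-known/openid-configuration
OIDCRedirectURI https://esi.example.invalid/v3/OS-FEDERATION/identity_providers/moc/protocols/openid/auth
EOF
    if remote_id_matches "$tmp" "https://keycloak.mss.mghpcc.org/auth/realms/mss"; then
        echo "remote-id matches the issuer in the vhost config"
    else
        echo "remote-id does NOT match the issuer in the vhost config" >&2
    fi
    if has_container_file_context "-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 10-keystone_wsgi.conf"; then
        echo "conf file is readable from the container"
    else
        echo "conf file lacks container_file_t; run chcon -t container_file_t on it" >&2
    fi
    rm -f "$tmp"
}

demo
```

On a real controller, feed `ls -Z /path/to/10-keystone_wsgi.conf` into `has_container_file_context` before restarting the keystone container, and run `remote_id_matches` against the file you just edited so the `openstack identity provider set --remote-id` value and the vhost agree before users are affected.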
Motivation
Having one Keycloak for all tools NERC is using will be beneficial. MOC no longer needs to maintain its own Keycloak.
Completion Criteria
ESI authenticating with NERC Keycloak.
Description
Completion dates
Desired - 2024-01-24 Required - TBD