CCI-MOC / esi

Elastic Secure Infrastructure project

Migrate ESI from MOC Keycloak to NERC Keycloak #494

Closed joachimweyl closed 3 months ago

joachimweyl commented 6 months ago

Motivation

Having one Keycloak for all tools NERC is using will be beneficial. MOC no longer needs to maintain its own Keycloak.

Completion Criteria

ESI authenticating with NERC Keycloak.

Description

Completion dates

Desired - 2024-01-24 Required - TBD

joachimweyl commented 5 months ago

@jtriley, please provide @tzumainn the URL needed to transition to the NERC Keycloak

tzumainn commented 5 months ago

@joachimweyl this would be on the new MOC ESI, so there would be no migration needed. I believe @naved001 is handling the configuration in the new MOC ESI.

joachimweyl commented 5 months ago

@tzumainn while @naved001 is away for 2 weeks is this something you have access to updating or is this something only he has access to?

tzumainn commented 5 months ago

Ah - I think I might be able to do it, but I'm not entirely familiar with the required mechanics (although I think I could get @DanNiESh to help). However, no one is currently live on the new MOC ESI, so is this a big priority at the moment?

DanNiESh commented 5 months ago

> Ah - I think I might be able to do it, but I'm not entirely familiar with the required mechanics (although I think I could get @DanNiESh to help). However, no one is currently live on the new MOC ESI, so is this a big priority at the moment?

I don't actually have NERC keycloak credentials or admin access. I think @knikolla could help to create a client for new moc esi and give us the idp endpoint.

knikolla commented 5 months ago

> I don't actually have NERC keycloak credentials or admin access. I think @knikolla could help to create a client for new moc esi and give us the idp endpoint.

I do have admin access, but I'd prefer this be something @jtriley does since I defer changes to production systems to him.

joachimweyl commented 5 months ago

@tzumainn my understanding was that this was a small change and would not slow down other work. If this is going to block other work then we can wait for @naved001 to return for the ESI side of things. @jtriley Am I correct that providing the IDP endpoint is a small task?

tzumainn commented 5 months ago

@joachimweyl Oh, I've just never done it. I'm also pretty sure this is a small task, but if something goes wrong I'll end up poking at random people with questions!

naved001 commented 3 months ago

We migrated the new ESI cluster (with no users) to use NERC's keycloak. We ran into 2 issues:

  1. The keycloak client needed implicit flow control enabled (https://github.com/nerc-project/mss-keycloak/pull/28/files).
  2. Users need to be registered with regapp (https://regapp.mss.mghpcc.org/). When testing Mainn and I weren't so we would be thrown back to the cilogon page when attempting to login.

Thanks @knikolla for helping us figure this out.

Next week I will switch the other ESI cluster (the one with users) to use NERC's keycloak.

naved001 commented 3 months ago

This is done.

The file at `/var/lib/config-data/puppet-generated/keystone/etc/httpd/conf.d` was updated on 3 controllers with configuration from NERC keycloak. The keystone container was restarted, and then the openstack identity provider was updated: `openstack identity provider set --remote-id https://keycloak.mss.mghpcc.org/auth/realms/mss moc`

The keycloak secrets are in vault (https://vault-ui-vault.apps.nerc-ocp-infra.rc.fas.harvard.edu/ui/vault/secrets/nerc/kv/keycloak%2Fclients%2Fesi/details?version=1)

We ran into an issue because I messed up the SELinux context of the conf file, which I fixed with `chcon -t container_file_t 10-keystone_wsgi.conf`; after that the keystone container started successfully.
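The SELinux mislabel described in the comment above is easy to catch before restarting the keystone container. The following pre-flight check is an added example, not code from the ESI project or from anyone in this thread; it takes the conf directory, file name and `container_file_t` type from the comment, and the sample label strings it is tested with are constructed.

```shell
#!/bin/sh
# Added example (not from the issue thread): verify that a conf file dropped
# into the puppet-generated keystone httpd directory carries the SELinux type
# the container can read, and print the chcon needed if it does not.
# Path and type are the ones named in the thread; run on a controller as root.

CONF_DIR=/var/lib/config-data/puppet-generated/keystone/etc/httpd/conf.d
CONF_FILE="$CONF_DIR/10-keystone_wsgi.conf"
REQUIRED_TYPE=container_file_t

# context_type LABEL -> prints the type field (third colon-separated field)
# of an SELinux label such as system_u:object_r:container_file_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_ok LABEL -> exit 0 when the type field is the required container type
label_ok() {
    [ "$(context_type "$1")" = "$REQUIRED_TYPE" ]
}

# fix_command LABEL FILE -> prints the chcon that would repair the label,
# or nothing when the label is already correct
fix_command() {
    if label_ok "$1"; then
        return 0
    fi
    printf 'chcon -t %s %s\n' "$REQUIRED_TYPE" "$2"
}

# check_file FILE -> reads the live label with GNU stat (%C is the SELinux
# context) and exits 0 only if the file is labelled for the container.
# Exit 2 means the file is missing or stat could not read a context.
check_file() {
    label=$(stat -c %C "$1" 2>/dev/null) || return 2
    label_ok "$label"
}
```

To use it on a controller, source the script and run `check_file "$CONF_FILE" || fix_command "$(stat -c %C "$CONF_FILE")" "$CONF_FILE"` before restarting the keystone container; on a host without SELinux `stat` reports `?` and the check fails closed rather than reporting success.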