EGI-Federation / fedcloud-vm-monitoring

Monitors VMs running on fedcloud for a given project, killing them if not acknowledged
MIT License

Unable to show user's details in OpenStack: GET /v3/users/{user_id} #2

Open glarocca opened 3 years ago

glarocca commented 3 years ago

Short Description of the issue

Keystone policy in the EGI cloud providers does not allow users to perform the requested action: 'identity:get_user'

Summary of proposed changes

sebastian-luna-valero commented 8 months ago

Potential solution: https://github.com/EGI-Federation/documentation/pull/628

enolfc commented 5 months ago

Need to enforce configuration at sites via GGUS ticket.

I propose the following text:

Subject: Enable VO user auditing in OpenStack

Dear site admin,

In order to provide better control of the resources created by EGI users at your site we propose the use of an additional mapping configuration that allows selected EGI members belonging to the cloud.egi.eu VO and having an auditor role to have reader privileges for the OpenStack domain that supports EGI users. This mapping simplifies the process of releasing resources whenever they are no longer used for piloting VOs, without the need for site administrators to be involved.

The documentation is available at https://docs.egi.eu/providers/cloud-compute/openstack/aai/#keystone-federation-support and summarised below:

  1. A group for mapping the auditor role (in the example below, egi-staff) needs to be created on the egi.eu domain (you may want to change the domain name to egi.eu before this: `openstack domain set --name egi.eu $(openstack identity provider show -f value -c domain_id egi.eu)`)

    # Support for https://operations-portal.egi.eu/vo/view/voname/cloud.egi.eu
    $ openstack group create --domain egi.eu egi-staff
    $ openstack role add --domain egi.eu --group egi-staff reader
  2. Add the mapping to your configuration (change the _egi-staff_group_ID_ to the id of the just created group above)

    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "email": "{1}"
                },
                "group": {
                    "id": "_egi-staff_group_ID_"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_SUB"
            },
            {
                "type": "HTTP_OIDC_EMAIL"
            },
            {
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [
                    "https://aai.egi.eu/auth/realms/egi"
                ]
            },
            {
                "type": "OIDC-eduperson_entitlement",
                "regex": true,
                "any_one_of": [
                    "^urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu$"
                ]
            }
        ]
    }
  3. Update the mapping:

    $ openstack mapping set --rules mapping.json egi-mapping

If there are issues preventing this configuration, please let us know so we can find the best way to support you

Thanks,

@CatalinCondurache, what do you think?
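To make the effect of the proposed mapping rule concrete, the following script is an added example (not part of this thread, and not Keystone's own code) that re-implements, in simplified form, how Keystone's federation mapping engine evaluates the `remote` requirements of one rule: every listed attribute must be present, `any_one_of` entries must match one of the listed values (as regular expressions when `regex` is true), and the attributes without `any_one_of`/`not_any_of` become the `{0}`, `{1}` placeholders in `local`, in the order they appear. The sample assertions are constructed; the group id is left as the placeholder from the ticket text, and the assumed attribute values and user identities are invented for illustration.

```python
import re

# The mapping rule proposed in the GGUS ticket text above (group id left as the placeholder).
AUDITOR_RULE = {
    "local": [
        {
            "user": {"name": "{0}", "email": "{1}"},
            "group": {"id": "_egi-staff_group_ID_"},
        }
    ],
    "remote": [
        {"type": "HTTP_OIDC_SUB"},
        {"type": "HTTP_OIDC_EMAIL"},
        {"type": "HTTP_OIDC_ISS", "any_one_of": ["https://aai.egi.eu/auth/realms/egi"]},
        {
            "type": "OIDC-eduperson_entitlement",
            "regex": True,
            "any_one_of": ["^urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu$"],
        },
    ],
}


def _requirement_matches(req, values):
    """Simplified any_one_of / not_any_of handling (Keystone also supports whitelist/blacklist)."""
    if "any_one_of" in req:
        if req.get("regex"):
            return any(re.search(pat, v) for pat in req["any_one_of"] for v in values)
        return any(v in req["any_one_of"] for v in values)
    if "not_any_of" in req:
        if req.get("regex"):
            return not any(re.search(pat, v) for pat in req["not_any_of"] for v in values)
        return not any(v in req["not_any_of"] for v in values)
    return True  # a bare "type" requirement only demands that the attribute is present


def evaluate_rule(rule, assertion):
    """Return the rule's 'local' section with {N} placeholders filled, or None if no match.

    `assertion` maps attribute name -> list of values; multi-valued claims such as
    eduperson_entitlement arrive as several values. Single-valued attributes are
    assumed for the {N} substitutions (a simplification of Keystone's direct maps).
    """
    direct_values = []
    for req in rule["remote"]:
        values = assertion.get(req["type"])
        if not values:
            return None  # attribute missing: the rule does not apply at all
        if not _requirement_matches(req, values):
            return None
        if "any_one_of" not in req and "not_any_of" not in req:
            direct_values.append(values[0])

    def fill(obj):
        if isinstance(obj, dict):
            return {k: fill(v) for k, v in obj.items()}
        if isinstance(obj, list):
            return [fill(x) for x in obj]
        if isinstance(obj, str):
            return obj.format(*direct_values)
        return obj

    return fill(rule["local"])


# Constructed sample data (assumed identities, not real EGI users).
EGI_ISS = "https://aai.egi.eu/auth/realms/egi"
AUDITOR = "urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu"
MEMBER = "urn:mace:egi.eu:group:cloud.egi.eu:role=member#aai.egi.eu"


def sample_assertion(iss=EGI_ISS, entitlements=(AUDITOR,), email="alice@example.org"):
    """Attributes as mod_auth_openidc would expose them to Keystone for one login."""
    attrs = {
        "HTTP_OIDC_SUB": ["alice@egi.eu"],
        "HTTP_OIDC_ISS": [iss],
        "OIDC-eduperson_entitlement": list(entitlements),
    }
    if email is not None:
        attrs["HTTP_OIDC_EMAIL"] = [email]
    return attrs


if __name__ == "__main__":
    print("auditor:          ", evaluate_rule(AUDITOR_RULE, sample_assertion()))
    print("member only:      ", evaluate_rule(AUDITOR_RULE, sample_assertion(entitlements=(MEMBER,))))
    print("foreign issuer:   ", evaluate_rule(AUDITOR_RULE, sample_assertion(iss="https://idp.example.org")))
    print("prefixed value:   ", evaluate_rule(AUDITOR_RULE, sample_assertion(entitlements=("x" + AUDITOR,))))
```

Running it shows why the anchors in the entitlement regex and the issuer check matter: a member of cloud.egi.eu without the auditor role, a token from another issuer, or an entitlement that merely contains the auditor string do not get the reader group, while an auditor whose entitlement list also carries other values does. The real engine is in keystone/federation/utils.py; this script only mirrors the parts of its semantics the rule above relies on.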