Open anpolychrono opened 1 year ago
@anpolychrono can you provide plugin version?
Sure
vault-plugin-secrets-openstack_1.3.0_linux_amd64.tar.gz
lego963 - some openstack installations require project_domain_id/name to be explicitly set when authorizing. Do we have this done?
@gtema issue is here
opts := gophercloud.AuthOptions{
    IdentityEndpoint: cloud.AuthURL,
    Username:         cloud.Username,
    Password:         cloud.Password,
    DomainName:       cloud.UserDomainName,
    Scope: &gophercloud.AuthScope{
        DomainName: cloud.UserDomainName,
    },
}
pClient, err := openstack.AuthenticatedClient(opts)
if err != nil {
    return fmt.Errorf("error creating provider client: %w", err)
}
As I can see we don't use project_domain_*; we need to do some research here.
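To make the scoping difference concrete, here is an added Go example (not the plugin's code) that builds the "scope" element of the Keystone v3 password payload quoted later in the thread, first as the snippet above does it (user domain only) and then project-scoped as the CLI's --os-project-name request is; the type and function names and the fallback from an unset project domain to the user domain are this example's assumptions.

```go
package main

import "encoding/json"

// Minimal model of the "scope" element of a Keystone v3 POST /v3/auth/tokens
// password request; type and function names are this example's own.
type domainRef struct {
	Name string `json:"name"`
}

type projectRef struct {
	ID     string     `json:"id,omitempty"`
	Name   string     `json:"name,omitempty"`
	Domain *domainRef `json:"domain,omitempty"`
}

type scope struct {
	Domain  *domainRef  `json:"domain,omitempty"`
	Project *projectRef `json:"project,omitempty"`
}

// PluginScope mirrors the AuthScope in the snippet above: only the user's
// domain is sent, so Keystone issues a domain-scoped token and no project
// is ever named in the request.
func PluginScope(userDomainName string) scope {
	return scope{Domain: &domainRef{Name: userDomainName}}
}

// ProjectScope asks for a project-scoped token, as the CLI does. A project id
// is globally unique and needs no domain; a project name is unique only inside
// its domain, so the domain must travel with it. Assumed here: when no project
// domain is configured, fall back to the user's domain.
func ProjectScope(projectID, projectName, projectDomainName, userDomainName string) scope {
	if projectID != "" {
		return scope{Project: &projectRef{ID: projectID}}
	}
	d := projectDomainName
	if d == "" {
		d = userDomainName
	}
	return scope{Project: &projectRef{Name: projectName, Domain: &domainRef{Name: d}}}
}

// ScopeJSON renders a scope as it would appear on the wire.
func ScopeJSON(s scope) string {
	b, _ := json.Marshal(s)
	return string(b)
}
```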
Is there a WA for now?
@anpolychrono what do you mean by WA?
WA == Work Around, for example if there is a config I can apply to bypass this issue.
@anpolychrono for now I can't give you any hint.
Can you provide a clouds.yaml entry or env vars for this cmd? hide creds :) (if it's possible)
$ openstack --os-project-name="project-01" token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2022-10-10T09:29:01+0000 |
| id | gAAAAABjQ9fNYZCXsTwkAlOb0MrUQ5bHriSPI44kxQrB92sVvTiDTQrwIDr9wzpRFlDf0eaT49VVKTMLCKAbgUGWEt7I4Jcq7jnLwIu5P32iBczjGJ2ojYlJeP3Vfjyxtj54TuZ7i6xe98NoZFg1N0kA1fc8dxiWChJVknVPER-nsiFCdTBfzrw |
| project_id | 29a5a3c099834d5ba180ce1591f3599c |
| user_id | 53ceb04136004295b2e8b7383576b98e |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Sure, here you are:
~$ cat ~/.config/openstack/clouds.yaml
clouds:
  openstack:
    auth:
      auth_url: http://*.*.*.*:5000/v3/
      username: "admin"
      project_id: 29a5a3c099834d5ba180ce1591f3599c
      project_name: "project-01"
      user_domain_name: "Default"
    region_name: "RegionOne"
    interface: "public"
    identity_api_version: 3
Example CLI:
openstack --os-cloud=openstack token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2022-10-10T14:38:56+0000 |
| id | gAAAAABjRCBwJkvkCNsA6wnDHvXv_3-PFN47dKu9OOS9S2ayFaYQG1FwGZgwNgyunzFDeW9pdyz8s1uRhAsvH3DtWs_4SV3HgxFMI7ILXQXQrioP0-vwq9LTuO9H2lAe4iNp6rAKu02xl_5YgRqewerwer4rmOrY7NQ2Mj70Qdcam-tjpfe7M1Ul9oX9zHQ |
| project_id | 29a5a3c099834d5ba180ce1591f3599c |
| user_id | 53ceb04136004295b2efefefs8b7383576b98e |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Hello @anpolychrono I've updated vault with more detailed error messages, could you try again on the newer version of vault? Thanks!
Hello @artem-lifshits see below the error:
vault secrets enable \
    -path="openstack" \
    -plugin-name="vault-plugin-secrets-openstack" plugin
vault write /openstack/clouds/patras5g-cloud1 \
    auth_url=http://oscontrollerpub.patras5g.eu:5000/v3/ \
    username="******" \
    password="******" \
    user_domain_name="Default"
vault write /openstack/roles/patras5g-role1 \
    cloud="patras5g-cloud1" \
    project_name="apolychrono_upatras" \
    domain_name="Default" \
    user_roles="member" \
    root=false
Error I get on the last command:
Error writing data to openstack/roles/patras5g-role1: Error making API request.
URL: PUT http://vault.patras5g.eu:8200/v1/openstack/roles/patras5g-role1
Code: 401. Errors:
* 1 error occurred:
* error creating provider client: Authentication failed
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
When defining admin credentials for the cloud I am using the same credentials as in the clouds.yaml.
$ openstack --os-project-name="apolychrono_upatras" token issue --os-cloud=openstack
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2022-12-08T10:35:48+0000 |
| id | gAAAAABjka_0-Lzj6skNAs1Yr5TVc3rFpnbHLkZ45fZj483thrwN6VwwtQwn8q6PEPX5W6ku2TJUWK7WPQPoXz9osfKeSCx3OiDtdFKKJ5y-hpjgu07OU2f4Dh6q4Q7S9si20m0ASdg2-IJ7JqrsdtVYGlwlm5Qub1pZ4AhAjh_koU5lmmaP7j4 |
| project_id | f7543f8938484d1cb83c132128ff77c7 |
| user_id | 53ceb04136004295b2e8b7383576b98e |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Adding also the payload from the POST request during authentication:
POST /v3/auth/tokens HTTP/1.1
Host: oscontrollerpub.patras5g.eu:5000
User-Agent: gophercloud/2.0.0
Content-Length: 168
Accept: application/json
Content-Type: application/json
X-Auth-Token:
Accept-Encoding: gzip
{
  "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "domain": {
            "name": "Default"
          },
          "name": "****",
          "password": "****"
        }
      }
    },
    "scope": {
      "domain": {
        "name": "Default"
      }
    }
  }
}
@anpolychrono here
$ openstack --os-project-name="apolychrono_upatras" token issue --os-cloud=openstack
you request a token for the admin user. Am I right? If yes, can you try to create a role with the next lines?
domain_name="Default" \   // drop it
user_roles="member" \     // drop it
root=true                 // set to true
@lego963
Yes, you are right, it is for the admin user.
vault write /openstack/roles/patras5g-role1 cloud="patras5g-cloud1" project_name="apolychrono_upatras" root=true
Success! Data written to: openstack/roles/patras5g-role1
However, the token creation fails:
vault read /openstack/creds/patras5g-role1
Error reading openstack/creds/patras5g-role1: Error making API request.
URL: GET http://vault.patras5g.eu:8200/v1/openstack/creds/patras5g-role1
Code: 409. Errors:
* 1 error occurred:
* error creating provider client: Authentication failed
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
Hi,
I would like to test your plugin but it looks like I can't authenticate with the OpenStack cloud, could you please double check my config?
The plugin installation worked but then the request for a new token failed.
Here is what I have configured:
When trying to issue a token from the CLI it works:
Let me know if anything else is needed.