30 Commits

Author SHA1 Message Date
Douglas Mendizábal a050129384 Run Secure RBAC tests as project-admin
This patch updates the devstack plugin so that tempest.conf is not
configured to use system-admin.  Currently tempest uses an all-in
approach to configuring admin clients, and forcing system scope in
tempest when SRBAC is turned on results in test failures for services
that don't understand system scope.

With this patch, keystone tests will be run with a project-scoped admin,
which should be fine since policies have been previously updated to
accept project-admin tokens as legacy admin for Phase 1. [1]

[1] f2f1a5c388

Change-Id: I39d50b8e6e55b0835670d753c3783f32b19b6c47
2024-04-02 20:56:48 -05:00
Dave Wilde e21ea06613 Update keystone gates to use jammy
This updates the keystone gates to the jammy nodesets rather than the
focal ones.  Focal is no longer supported by devstack [1].

[1]: https://review.opendev.org/c/openstack/devstack/+/885468

Change-Id: I39045098111df839fba116d8b0fa7dd9dbbaa8ac
2023-09-08 13:39:31 -05:00
Ade Lee d293315eec Add oidc federation test setup
Add devstack testing setup for OIDC using an instance of keycloak
which is instantiated from a keycloak image.  This is largely taken
from Kristi's work in https://github.com/knikolla/devstack-plugin-oidc

This configuration is triggered by enabling the devstack service
keystone-oidc-federation.  The expectation is that either SAML2 or
OIDC is enabled, but not both.

Depends-On: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/864571
Co-Authored-By: David Wilde <dwilde@redhat.com>
Change-Id: I1ff4d48c05cef1022dc510df03104f36cdd7a953
2023-01-30 12:28:45 -06:00
Zuul d67975e7b9 Merge "Use enforce_new_defaults when setting up keystone protection tests" 2021-02-05 06:45:20 +00:00
Zuul afbb0ed131 Merge "Add support for functional RBAC tests" 2020-10-29 23:25:22 +00:00
Lance Bragstad 5d2f716e4b Use enforce_new_defaults when setting up keystone protection tests
The `keystone.conf [oslo_policy] enforce_new_defaults` option is meant
to help deployments that want to opt into the new policy enforcement
model (with scope checking) but without having to generate override
files. This is the case for devstack and tempest.

We can use this to bypass generating a policy file with just the new
policies for tempest testing.

Change-Id: I3b219bde569c5a8001aec0c243027b6881254304
2020-10-29 18:33:25 +00:00
Colleen Murphy 5d7c92e204 Add support for functional RBAC tests
Add support to the keystone devstack plugin for setting enforce_scope in
the keystone config and setting up tempest to test it.

It may be better to move this to tempest proper at some point.

See also: https://review.opendev.org/686073 https://review.opendev.org/698397

Change-Id: I1b71135547b7ce03afb5b44fbbab3f52d213a2ae
2020-08-02 15:09:26 -07:00
Zuul 194f09af36 Merge "Run federation jobs on Ubuntu Focal" 2020-07-01 19:20:48 +00:00
Colleen Murphy fb86048d0a Run federation jobs on Ubuntu Focal
The packaging issue that was never fixed for Bionic[1] doesn't seem to
be a problem on Focal, so let's switch back to Ubuntu.

[1] https://bugs.launchpad.net/ubuntu/+source/shibboleth-sp2/+bug/1776489

Change-Id: I69b2c650d20e30e35c2388b824cb28fcef2bae77
Depends-on: https://review.opendev.org/726994
2020-06-30 10:17:54 -07:00
Colleen Murphy 5a4dcb7bde Enable groups testing for K2K scenarios
Opt into optional testing of the groups parameter in K2K SAML
assertions.

Change-Id: Id98310ab052623456316565f1ab71b183127f8fa
Depends-on: https://review.opendev.org/721771
2020-04-22 08:39:16 -07:00
Vishakha Agarwal dda426b61a Add openstack_groups to assertion
Currently, a keystone IdP does not provide the
groups to which a user belongs when generating SAML
assertions. This patch adds an additional attribute
called "openstack_groups" in the assertion.

Change-Id: I205e8bbf9a4579b16177f57e29e363f4205a2b48
Closes-Bug: #1641625
2020-03-19 20:14:41 +05:30
Colleen Murphy fb0be8e599 Add voting k2k tests
With the addition of K2K-specific tests in the tempest plugin and a
config toggle in the plugin to disable use of the external IdP, we can
safely add a voting federation job. This also fixes the devstack plugin
to install the xmlsec1 tool which is needed for K2K.

Change-Id: I9dc634e073657ff337751ec67363a57bd10e20d4
Depends-on: https://review.opendev.org/689222
2019-10-17 15:27:35 -07:00
Kristi Nikolla 1e0a968493 Added keystone identity provider installation to Devstack plugin
Devstack, alongside samltest, will now set up keystone as an idp.

bp devstack-plugin

Change-Id: I55b4e727404d910aa9b5a07b49b783799bc5f098
2019-03-19 11:22:38 -04:00
erus 32d92f8012 Add OpenSUSE support in devstack federation plugin
Modify the install_federation function for adding Shibboleth
installation for OpenSUSE in federation.sh, and also modify
uninstall_federation function for removing Shibboleth packages
when running `./unstack.sh`.

Partial-bug: #1757000

Change-Id: Ic3e0c37cff4d0dd3336521bac13da550fa6edfcf
2019-02-17 16:55:23 -03:00
erus 12d5669103 Add CentOS support in devstack federation plugin
Modify the install_federation function for adding Shibboleth repo
and installation for CentOS in federation.sh, and also modify
uninstall_federation function for removing Shibboleth packages
when running `./unstack.sh`.

Partial-bug: #1757000

Change-Id: I8c0f63d0a4fe19eab58e7cba3c49905f35266f9d
2019-01-27 18:50:27 -03:00
Colleen Murphy e4fe2659c4 Switch devstack plugin to samltest.id
testshib.org is no longer maintained and has been broken for some
time[1]. Use the new samltest.id provider instead.

This is not a permanent solution, this is a stopgap measure until we
configure our own IdP in the devstack plugin.

[1] https://marc.info/?l=shibboleth-users&m=154056288800549&w=2

Change-Id: Ifa514395d9cdb2197ef8a43885ec598483dd7a38
2018-11-06 23:02:36 +01:00
Kristi Nikolla 4155e61cec Only upload SP metadata to testshib.org if IDP id is testshib
The upload_sp_metadata function is testshib specific and should
only be called when the identity provider is testshib.

Change-Id: I0dac596a51197417a3ceb8b2e1f4db5db108e84f
2018-07-05 15:18:29 +00:00
jolie cdfcac6e67 Update links in keystone
Some links have been changed. This patch updates links
in docs and code.

Change-Id: Ia104a6ec890e1af4bc44c96a38a4b055ebb99e26
2017-09-12 15:18:13 +08:00
Lance Bragstad 6a20aa8587 Revert "Fix wrong links"
This reverts commit 77500b3615.

Change-Id: I44a3f47329b06d4b85fa0bb944ce3bc8084fffa3
2017-08-22 18:54:25 +00:00
yfzhao 77500b3615 Fix wrong links
Some docs links have changed. We should update the wrong links in our code.

Change-Id: I54587d1ca9a3b1628fc5437ca49b468a4e4107bc
Closes-Bug: #1710572
2017-08-14 16:26:42 +08:00
Jenkins c3b5d2d77b Merge "In the devstack plugin, restart keystone after modifying conf" 2017-07-26 23:55:10 +00:00
Kristi Nikolla e5666f92d5 In the devstack plugin, restart keystone after modifying conf
Keystone was complaining about not being able to load the
remote_id_attribute in the mapped group [0]. Since moving
to uwsgi, restarting keystone is done separately from apache,
so the configuration file wasn't being reloaded. Added a line
to restart the keystone service.

Also added a line to restart apache after configuration.

[0] http://paste.openstack.org/show/616498/

Change-Id: I4e7c04241c5058152529f8c95963be6f05f51a51
Closes-Bug: 1700847
2017-07-26 13:57:44 -04:00
Kristi Nikolla 1394b0c6b1 Make the devstack plugin more configurable for federation
* In shibboleth2.xml make the ENTITY_ID and METADATA_URL
  configurable.
* Copy over an attribute map that includes support for
  keystone as an idp attributes.

bp devstack-plugin

Change-Id: I40157b00e5d084dcc6bb5b1f4be7d9cd3a8a0fc7
2017-07-17 16:38:08 -04:00
Kristi Nikolla b8555843bf Update Devstack plugin for uwsgi and mod_proxy_uwsgi
[0] switched keystone to use uwsgi and mod_proxy_uwsgi by default
instead of mod_wsgi breaking the Devstack plugin which assumed
the latter. This commit fixes the Devstack plugin to work with
both and therefore fixes the functional v3 only gates which
are currently broken.

[0]. I46294fb24e3c23fa19fcfd7d6c9ee8a932354702

Change-Id: Iaffb3f18fd0f1444a6b6067d63474c27eb1bd13d
2017-04-26 14:30:42 -04:00
Eric Brown 30d9095d28 Use https for docs.openstack.org references
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
2017-01-30 16:05:08 -08:00
Rodrigo Duarte Sousa 91167ad58a Settings for test cases
This patch adds a function to configure the settings for test cases. It
currently sets the needed settings for the first federation scenario
test (follow up patch). If needed, additional settings can be added.

Change-Id: I5f0d0b5eeee1d8f03b38a2eb4cdc2101d3dccaa1
2016-12-20 09:07:09 -03:00
Rodrigo Duarte Sousa ccf5dc7749 Do not manually remove /etc/shibboleth folder
This leads to some bug where we can't rerun ./stack.sh.
The error displayed is:
  [ERROR] /home/stack/devstack/lib/keystone:599 keystone did not start

Change-Id: I452cf2a023195fa64bb39953d5a3c32acda035ce
2016-12-13 18:49:28 +00:00
Rodrigo Duarte Sousa bd37276b5b Upload service provider metadata to testshib
In order to register the service provider in testshib, we need to upload
its metadata.

Also makes some minor fixes.

Change-Id: Idfe0eb016370e7776de3525a813d0535cfc75e27
2016-11-28 23:44:01 -03:00
Kristi Nikolla fbafc06ac6 Devstack plugin to federate with testshib.org
In a previous patch, I implemented a Devstack plugin to enable
federation and idp features in keystone. The plugin was to be
configured from environment variables for the idp entityID, metadata,
sp_auth_url, sp_url, etc. Providing an endless and untestable matrix
of combinations. Therefore the review was gathering dust waiting for
brave reviewers.

This review extracts the meat of the previous patch and removes all
the configuration options. This plugin now does one thing only: It
installs mod_shibboleth and sets up testshib.org as the IdP for keystone.

While testshib.org will not be used in our functional testing, this
is a necessary first step to make such complex changes more testable,
reproducible and reviewable.

A follow-up patch will install a shibboleth-idp, and either that one,
or a later one, will switch from testshib.org to the local shibboleth.

This plugin will not yet be run as part of the gate, as "enable_service
federation" needs to be added to the Devstack options.

To run, add the following after the lines that set up keystone from a
gerrit review:

enable_plugin keystone $KEYSTONE_REPO
enable_service keystone-saml2-federation

Change-Id: I6f7491ff063359d7065c77b00fe5bfc76f8587d6
2016-11-17 13:54:42 -05:00
Kristi Nikolla 75e8cd1538 Add structure for Devstack plugin
This review creates the structure for the Devstack plugin and
prints to the console to ensure its execution in the gate.

Follow-up reviews will do more useful stuff like setting up
the environment for our functional testing (ldap, federation).

Change-Id: I820ae355ae8f3183fee2b8207e3c17e8bd10dc17
2016-10-31 10:03:16 -04:00