Keystone connector

[kbalka]

PR contains connector for openstack keystone.

Features:

• access tokens
• refresh tokens
• groups

Requirements:

• access to openstack keystone instance
• keystone administrative account credentials

Enabling keystone connector specific tests:

• make sure docker is running
• export DEX_TEST_KEYSTONE=1
• make tests

[soggiest]

There looks to be incorrect tabbing in keystone.go and keystone_test.go. Please make sure the tab formatting is consistent, otherwise it is difficult to read the code.

logrus is imported but not used. Please change the fmt.Printf lines to use logrus to ensure consistency with the rest of Dex.

[srenatus]

💯 🎈 🎉 Thank you for working on this 👍

(I'm assuming @knangia is on board with this. 👋)

A round of comments inline; adding to what @soggiest already raised.

A general point -- the way this connector interacts with docker seems new compared to the other test suites. It's dragging in new dependencies (and these aren't vendored, so tests fail). I wonder if we could rather add a docker run -d call to .travis.yml, like we do for etcd? This would let us avoid managing the keystone container from TestMain. (Furthermore, we could then simplify the tests a little, taking in DEX_KEYSTONE_URL and DEX_KEYSTONE_ADMIN_URL, or something like that, and calling t.Skip() if they're not set.)

[kbalka]

Hi @srenatus, @soggiest, thanks for fast review. We will provide bunch of updates soon. To my best knowledge, @knangia is the loop.

[srenatus]

Thanks for taking on the previous batch of comments. I gave this another thorough read, please bear with me on the changes.

😃 I like how this is taking shape, and it'll be a nice addition. 🎉

I'm also curious about your use case. How do you plan to use dex-with-keystone? Which applications will likely leverage your openstack cluster's authentication? 😃

[srenatus]

❓ I really don't know, so, this is not a leading question: What's the advantage of --net=host vs -p 0.0.0.0:5000:5000?

[kbalka]

Good question :-) For me, the advantage here is only readability - you can see which ports are exposed and compare it with exported variables DEX_KEYSTONE*.

[srenatus]

It looks like some of these are not used? (Like the IssuedAt and ExpiresAt fields, but maybe more) -- Can we remove them or add a comment?

Also, do we need to care about the ExpiresAt for this connector's functionality? (I can't oversee that right now 😅 )

[kbalka]

I think we don't need to care about ExpiresAt - because we are using token immediately after it's obtained. Keystone tokens are quite short living (I think by default 1h). Keeping it in identity.ConnectorData and using for Refresh would limit liveness of dex refresh token by expiration of keystone user token. That's why we require keystone admin account credentials. Admin should have access to other's users and their groups. When we check refresh token, the admin account gets fresh token from keystone and verifies user existence and groups. I hope that it makes some sense :-)

[srenatus]

🎗 Note to self: let's squash these before merging.

[srenatus]

Not right now, though! I appreciate the separate commits a lot for review 👍

[joannanosek]

Hi @srenatus! Sorry for torpedoing with the commits 😅 And thank you for valuable feedback!

[kbalka]

the application which can possibly leverage openstack cluster authentication is https://github.com/IntelAI/inference-model-manager :-)

[ericchiang]

Should this token be cached?

[kbalka]

We can add caching token across sessions if needed, but my opinion is that at this moment we should keep the code simple. Is it ok for you ?

[ericchiang]

nit: keep these arguments on one line

[ericchiang]

already in the keystone package, so this can just be called "connector"

[kbalka]

After moving this struct to keystone.go, name connector clashes with import "github.com/dexidp/dex/connector" , but I'm open to suggestions how to rename it

[srenatus]

How about conn or plain c? Currently, other connectors use a similar name to what's introduced here (e.g. microsoftConnector), but I do agree that shorter is nicer, the context is clear here.

[kbalka]

Sure, it makes sense. I've changed to conn.

[ericchiang]

Lots of little comments but thanks for the tests. Overall this looks like something we should merge.

Whenever you use a keystone endpoint, please add a comment including a link to the upstream docs for that endpoint. It helps others maintain and review :)

[kbalka]

Hi @ericchiang, thanks for a thorough review. I'd addressed most of the issues. Please check if it looks better now. Regarding use of openio/openstack-keystone:latest image, I've asked the maintainer to add specific version tag, waiting for response. But, the most important, merry 🎄 and 🎅 to you together with @joannanosek @srenatus and @soggiest !

[soggiest]

Happy Holidays and New Years!

…

On Fri, Dec 21, 2018 at 7:15 AM Krzysztof Balka ***@***.***> wrote: Hi @ericchiang <https://github.com/ericchiang>, thanks for a thorough review. I'd addressed most of the issues. Please check if it looks better now. Regarding use of openio/openstack-keystone:latest image, I've asked the maintainer to add specific version tag, waiting for response. But, the most important, merry 🎄 and 🎅 to you together with @joannanosek <https://github.com/joannanosek> @srenatus <https://github.com/srenatus> and @soggiest <https://github.com/soggiest> ! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1374 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGDIln8q6NvUwC2f2I-uTo73_AtOsdfnks5u7PsYgaJpZM4ZTvYH> .

[ericchiang]

FYI, I'm on vacation and won't be able to look at this until late next week. I promise I'm not just procrastinating :)

[srenatus]

LGTM. (⏳ waiting for @ericchiang's approval, too.)

[srenatus]

OK I'd really like to get a release out soon. Looking at the reviews, I think this is good to go.

Follow-up work can happen in another PR, this is mergeable. (The only thing I see as a potential improvement is caching the admin token. I'll create an issue for that when this is merged.)

@kbalka would you mind squashing those commits? Let's do it in a way that preserves @knangia's and @joannanosek's contributions -- either by adding a Co-authored-by: annotation, or by squashing commits per-author. 😃

[kbalka]

Hi @srenatus. Thanks for the approval !!! I've squashed the commits into number of 4, added authors and force-pushed the branch on my fork. The code seems to be ready for merge. The only strange thing I can observe that there is a "tail" of 8 commits in the PR which are already on the master. They will probably disappear after merge, but I'm not sure. I can fix the PR if needed.

[srenatus]

They should disappear if you fetch origin and rebase upon origin/master :) I'd prefer getting this straightened out before hitting the button...

…

On Fri, 11 Jan 2019, 13:45 Krzysztof Balka ***@***.*** wrote: Hi @srenatus <https://github.com/srenatus>. Thanks for the approval !!! I've squashed the commits into number of 4, added authors and force-pushed the branch on my fork. The code seems to be ready for merge. The only strange thing I can observe that there is a "tail" of 8 commits in the PR which are already on the master. They will probably disappear after merge, but I'm not sure. I can fix the PR if needed. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1374 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA1I7vdXcv2F5Tbd0DCcVzoRgFw0lZEAks5vCId7gaJpZM4ZTvYH> .

[kbalka]

@srenatus I've rebased to the master. looks like we are ready to hit the button :)

[srenatus]

@kbalka Thank you so much! 🎉

@ericchiang sorry I didn't wait for your "👍" after all. Feel free to assign me anything that's left 😉