This repository has been archived by the owner on Sep 14, 2023. It is now read-only.

identity updates
lbrick committed Sep 11, 2023
1 parent c82c542 commit 8b2b3a5
Showing 6 changed files with 263 additions and 18 deletions.
Binary file added docs/images/flexi/app-cred-selected.png
Binary file added docs/images/flexi/app-creds-overview.png
@@ -0,0 +1,133 @@
---
hidden: false
label_names:
- identity
- create
- manage
- cli
title: Creating and Managing Application Credentials via CLI
---

!!! note
The openstack CLI will need to be setup to interact with the FlexiHPC system. Please read [Setting up your CLI environment](../setting-up-your-CLI-environment/index.md) to interact with FlexiHPC to get started.

## Create Application Credential

Running the below command will generate a new `Application Credential`

```
openstack application credential create
[--secret <secret>]
[--role <role>]
[--expiration <expiration>]
[--description <description>]
[--unrestricted]
[--restricted]
[--access-rules <access-rules>]
<name>
```

`--secret <secret>`
: Secret to use for authentication. If not provided, one will be generated

`--role <role>`
: Roles to authorize (name or ID) (repeat option to set multiple values), if not provided this will default to same roles as the user that creates it

`--expiration <expiration>`
: Sets an expiration date for the application credential, format of YYYY-mm-ddTHH:MM:SS, if not provided, the application credential will not expire.

`--description <description>`
: Application credential description

`--unrestricted`
: Enable application credential to create and delete other application credentials and trusts

!!! warning
This is potentially dangerous behavior and is disabled by default

`--restricted`
: Prohibit application credential from creating and deleting other application credentials and trusts, this is enabled by default.

`--access-rules <access-rules>`
: Either a string or file path containing a JSON-formatted list of access rules, each containing a request method, path, and service, for example ‘[{“method”: “GET”, “path”: “/v2.1/servers”, “service”: “compute”}]

`name`
: Name of the application credential

Command example below with only a name supplied

```
openstack application credential create wiki-test-app-creds
```

``` { .sh .no-copy }
+--------------+----------------------------------------------------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------------------------------------------------+
| description | None |
| expires_at | None |
| id | 0f81c516aa6e443dba0aec93b0bbd87e |
| name | wiki-test-app-creds |
| project_id | 4f07cc254d6c4471805d49bae1f739b9 |
| roles | heat_stack_owner reader _member_ load-balancer_member member |
| secret | <APPLICATION_CREDS_SECRET> |
| system | None |
| unrestricted | False |
| user_id | fb9a3d02c89e4cfdbe64658ad43ece97 |
+--------------+----------------------------------------------------------------------------------------+
```

!!! note
Once the `Application Credentails` are created the secret will be displayed. You need to take note of this now as there is no way to get that secret again and a new `Application Credential` will need to be created should you misplace it.

## List Application Credentials

Running the below command will list all `Application Credentials` in your project

```
openstack application credential list
```

``` { .sh .no-copy }
+----------------------------------+---------------------+----------------------------------+-------------+------------+
| ID | Name | Project ID | Description | Expires At |
+----------------------------------+---------------------+----------------------------------+-------------+------------+
| 0f81c516aa6e443dba0aec93b0bbd87e | wiki-test-app-creds | 4f07cc254d6c4471805d49bae1f739b9 | None | None |
+----------------------------------+---------------------+----------------------------------+-------------+------------+
```

## Show Application Credentials details

Running the below command will present additional details about the Application Credentials

```
openstack application credential show APPLICATION_CRED_ID
```

``` { .sh .no-copy }
+--------------+--------------------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------------------+
| description | None |
| expires_at | None |
| id | 0f81c516aa6e443dba0aec93b0bbd87e |
| name | wiki-test-app-creds |
| project_id | 4f07cc254d6c4471805d49bae1f739b9 |
| roles | reader load-balancer_member _member_ member heat_stack_owner |
| system | None |
| unrestricted | False |
| user_id | fb9a3d02c89e4cfdbe64658ad43ece97 |
+--------------+--------------------------------------------------------------+
```

## Deleting Application Credentials

Run the command `openstack application credential list` to get the `ID` of the `Application Credentials` you would like to delete

Then with the `ID` run the below command to delete it

```
openstack application credential delete APPLICATION_CRED_ID
```

There will be no response, so you can run the list command again to confirm deletion
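Review bot: the JSON sample in the `--access-rules` entry (the line beginning "`--access-rules <access-rules>`") uses typographic quotes (‘ “ ”), so it will not parse if a reader pastes it into the CLI; replace it with straight ASCII quotes, e.g. `[{"method": "GET", "path": "/v2.1/servers", "service": "compute"}]`. Two wording points in the same hunk: the closing note reads "Once the `Application Credentails` are created", which should be "Application Credentials", and the opening note's "will need to be setup" should be "set up". Finally, since the `--expiration` entry states that a credential without one will never expire, and the `--role` entry states that the default is every role the creating user holds, the worked example `openstack application credential create wiki-test-app-creds` would be stronger with `--expiration` and an explicit `--role` shown, so readers are not steered toward a non-expiring credential carrying the full role set visible in the sample output (heat_stack_owner reader _member_ load-balancer_member member).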
@@ -0,0 +1,101 @@
---
hidden: false
label_names:
- networks
- create
- manage
- dashboard
position: 1
title: Create and manage networks via the dashboard
---

## Create a Network

Log into the [NeSI FlexiHPC Dashboard](https://dashboard.cloud.nesi.org.nz/)

Select the project you would like to deploy the new instance too (Use the project selector on the top left-hand side):

<figure markdown>
![Alt text](../../images/flexi/project-selector.png)
</figure>

Open the `Identity` tab and click `Application Credentials` category

<figure markdown>
![Alt text](../../images/flexi/app-creds-overview.png)
</figure>

Click `Create Application Credentials`

Within the `Create Application Credentials` dialog we have the following options

`Name`
: This is a required field. A name for your Application Credentials, an example could be terraform-deployment

`Description`
: A friendly description for the Application Credentials

`Secret`
: If this field is left blank then one will be automatically generated for you, however you have the ability to provide one yourself should you choose.

`Expiration Date`
: The day that you wish for this Application Credentials to expire, example is you may only want these to last 1 month and as part of maintenance each month you roll new credentials. If left blank it will default to never expire

`Expiration Time`
: The time you wish for this Application Credentials to expire, example could be 23:59 on the first Monday of each month so it gives you the Monday morning to roll new credentials. If left blank and `Expiration Date` is set it will default to 00:00:00

!!! note
Expiration Date and Time will be in UTC format.

`Roles`
: You may select one or more roles for this application credential. If you do not select any, all of the roles you have assigned on the current project will be applied to the application credential. Example here is my user has `[admin, member, reader]` associated with it so if I don't pick any roles the `Application Credentials` will be given the same permissions.

`Access Rules`
: If you want more fine-grained access control delegation, you can create one or more access rules for this application credential. The list of access rules must be a JSON- or YAML-formatted list of rules each containing a service type, an HTTP method, and a URL path, for example:
``` json title="JSON example"
[
  {
"service": "compute",
   "method": "POST",
   "path": "/v2.1/servers"
}
]
```

``` yaml title="YAML example"
- service: compute
method: POST
path: /v2.1/servers
```

`Unrestricted (Dangerous)`
: By default, for security reasons, application credentials are forbidden from being used for creating additional application credentials or keystone trusts. If your application credential needs to be able to perform these actions, check "unrestricted".

!!! warning
This is potentially dangerous behavior and is disabled by default

Once all the required fields are completed click on `Create Application Credential`

Another dialog will appear that has your newly created `Application Credential` secret. The application credential secret will not be available after closing this page, so you must capture it now or download it. If you lose this secret, you must generate a new application credential.

## Deleting Application Credentials

Log into the [NeSI FlexiHPC Dashboard](https://dashboard.cloud.nesi.org.nz/)

Select the project you would like to deploy the new instance too (Use the project selector on the top left-hand side):

<figure markdown>
![Alt text](../../images/flexi/project-selector.png)
</figure>

Open the `Identity` tab and click `Application Credentials` category

Using the check box select the `Application Credentials` you would like to delete and the `Delete Application Credentials` should become clickable in the top right

<figure markdown>
![Alt text](../../images/flexi/app-cred-selected.png)
</figure>

Click `Delete Application Credentials` and a confirmation dialog will appear

Confirm the deletion by clicking `Delete Application Credentials`
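Review bot: the front matter and first heading still describe the networks page: `label_names` lists `networks`, `title` is "Create and manage networks via the dashboard", and the first heading is "## Create a Network", while the body of the file is about Application Credentials; change the label to `identity`, the title to match the CLI page ("Creating and Managing Application Credentials with the dashboard") and the heading to "## Create Application Credentials". The sentence "Select the project you would like to deploy the new instance too", which appears in both the create and delete procedures, is also carried over from the instance guide: it should say which project the Application Credential is to be scoped to, with "to" rather than "too", since the credential is delegated access to a single project. Two further points: the `Roles` entry uses a user holding `[admin, member, reader]` as the example of leaving roles unselected, which is exactly the case where the reader should be told to pick the minimum role needed rather than inherit admin; and in the YAML example, confirm that `method:` and `path:` are indented under `service:` in the source, because as rendered here they sit at column 0 and would not parse as one list item.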
37 changes: 24 additions & 13 deletions docs/user-guides/create-and-manage-identity/index.md
@@ -1,13 +1,24 @@
---
hidden: false
label_names:
- identity
- create
- manage
position: 1
title: Create and Manage identity
vote_count: 1
vote_sum: 1
---

Flexi Identity
---
hidden: false
label_names:
- identity
- create
- manage
position: 1
title: Create and Manage identity
vote_count: 1
vote_sum: 1
---

`Application Credentials` help you to avoid the practice of embedding user account credentials in configuration files. Instead, the user creates an Application Credential that receives delegated access to a single project and has its own distinct secret. The user can also limit the delegated privileges to a single role in that project. This allows you to adopt the principle of least privilege, where the authenticated service only gains access to the one project and role that it needs to function, rather than all of them.

This approach allows you to consume an API with revealing your user credentials, and lets applications authenticate to Keystone without requiring embedded user credentials.

Within FlexiHPC you are able to mange `Application Credentials` from the dashboard and/or the CLI.

- [Creating and Managing Application Credentials from the dashboard](creating-and-managing-application-credentials-with-the-dashboard.md)

- [Creating and Managing Application Credentials via CLI](creating-and-managing-application-credentials-via-cli.md)

!!! note
The Application Credential is dependent on the user account that created it, so it will terminate if that account is ever deleted, or loses access to the relevant role.
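Review bot: the second paragraph inverts its own meaning: "This approach allows you to consume an API with revealing your user credentials" should read "without revealing your user credentials", which is the point made in the paragraph above it. In the next paragraph "mange" should be "manage". The closing note could also spell out what "terminate" means for a reader: the credential stops authenticating and anything using it will fail, so it is worth adding a sentence advising that credentials used by long-running automation be created from an account that will outlive the automation rather than from a personal account that may be removed or lose the role.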
10 changes: 5 additions & 5 deletions docs/user-guides/create-and-manage-identity/summary.md
@@ -1,6 +1,6 @@
* [Identity: Create and Manage](index.md)
* With the Dashboard
* [Networks](create-and-manage-networks-with-the-dashboard.md)
* With the CLI
* [Networks](create-and-manage-networks-via-cli.md)
* [Identity: Create and Manage](index.md)
* With the Dashboard
* [Create and Manage](creating-and-managing-application-credentials-with-the-dashboard.md)
* With the CLI
* [Create and Manage](creating-and-managing-application-credentials-via-cli.md)
* *
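Review bot: both new nav entries use the link text "Create and Manage", so under the parent "Identity: Create and Manage" the sidebar shows "Create and Manage" twice with nothing saying what is being created; use "Application Credentials" for both, matching the file names creating-and-managing-application-credentials-with-the-dashboard.md and creating-and-managing-application-credentials-via-cli.md. The trailing `* *` line is a stray bullet that does not point at any page and should be dropped.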
