This repository has been archived by the owner on Sep 14, 2023. It is now read-only.
Showing 6 changed files with 263 additions and 18 deletions.
133 changes: 133 additions & 0 deletions
...te-and-manage-identity/creating-and-managing-application-credentials-via-cli.md
@@ -0,0 +1,133 @@ | ||
--- | ||
hidden: false | ||
label_names: | ||
- identity | ||
- create | ||
- manage | ||
- cli | ||
title: Creating and Managing Application Credentials via CLI | ||
--- | ||
|
||
!!! note | ||
The openstack CLI will need to be setup to interact with the FlexiHPC system. Please read [Setting up your CLI environment](../setting-up-your-CLI-environment/index.md) to interact with FlexiHPC to get started. | ||
|
||
## Create Application Credential | ||
|
||
Running the below command will generate a new `Application Credential` | ||
|
||
``` | ||
openstack application credential create | ||
[--secret <secret>] | ||
[--role <role>] | ||
[--expiration <expiration>] | ||
[--description <description>] | ||
[--unrestricted] | ||
[--restricted] | ||
[--access-rules <access-rules>] | ||
<name> | ||
``` | ||
|
||
`--secret <secret>` | ||
: Secret to use for authentication. If not provided, one will be generated | ||
|
||
`--role <role>` | ||
: Roles to authorize (name or ID) (repeat option to set multiple values), if not provided this will default to same roles as the user that creates it | ||
|
||
`--expiration <expiration>` | ||
: Sets an expiration date for the application credential, format of YYYY-mm-ddTHH:MM:SS, if not provided, the application credential will not expire. | ||
|
||
`--description <description>` | ||
: Application credential description | ||
|
||
`--unrestricted` | ||
: Enable application credential to create and delete other application credentials and trusts | ||
|
||
!!! warning | ||
This is potentially dangerous behavior and is disabled by default | ||
|
||
`--restricted` | ||
: Prohibit application credential from creating and deleting other application credentials and trusts, this is enabled by default. | ||
|
||
`--access-rules <access-rules>` | ||
: Either a string or file path containing a JSON-formatted list of access rules, each containing a request method, path, and service, for example ‘[{“method”: “GET”, “path”: “/v2.1/servers”, “service”: “compute”}]’ | ||
|
||
`name` | ||
: Name of the application credential | ||
|
||
Command example below with only a name supplied | ||
|
||
``` | ||
openstack application credential create wiki-test-app-creds | ||
``` | ||
|
||
``` { .sh .no-copy } | ||
+--------------+----------------------------------------------------------------------------------------+ | ||
| Field | Value | | ||
+--------------+----------------------------------------------------------------------------------------+ | ||
| description | None | | ||
| expires_at | None | | ||
| id | 0f81c516aa6e443dba0aec93b0bbd87e | | ||
| name | wiki-test-app-creds | | ||
| project_id | 4f07cc254d6c4471805d49bae1f739b9 | | ||
| roles | heat_stack_owner reader _member_ load-balancer_member member | | ||
| secret | <APPLICATION_CREDS_SECRET> | | ||
| system | None | | ||
| unrestricted | False | | ||
| user_id | fb9a3d02c89e4cfdbe64658ad43ece97 | | ||
+--------------+----------------------------------------------------------------------------------------+ | ||
``` | ||
|
||
!!! note | ||
Once the `Application Credentails` are created the secret will be displayed. You need to take note of this now as there is no way to get that secret again and a new `Application Credential` will need to be created should you misplace it. | ||
|
||
## List Application Credentials | ||
|
||
Running the below command will list all `Application Credentials` in your project | ||
|
||
``` | ||
openstack application credential list | ||
``` | ||
|
||
``` { .sh .no-copy } | ||
+----------------------------------+---------------------+----------------------------------+-------------+------------+ | ||
| ID | Name | Project ID | Description | Expires At | | ||
+----------------------------------+---------------------+----------------------------------+-------------+------------+ | ||
| 0f81c516aa6e443dba0aec93b0bbd87e | wiki-test-app-creds | 4f07cc254d6c4471805d49bae1f739b9 | None | None | | ||
+----------------------------------+---------------------+----------------------------------+-------------+------------+ | ||
``` | ||
|
||
## Show Application Credentials details | ||
|
||
Running the below command will present additional details about the Application Credentials | ||
|
||
``` | ||
openstack application credential show APPLICATION_CRED_ID | ||
``` | ||
|
||
``` { .sh .no-copy } | ||
+--------------+--------------------------------------------------------------+ | ||
| Field | Value | | ||
+--------------+--------------------------------------------------------------+ | ||
| description | None | | ||
| expires_at | None | | ||
| id | 0f81c516aa6e443dba0aec93b0bbd87e | | ||
| name | wiki-test-app-creds | | ||
| project_id | 4f07cc254d6c4471805d49bae1f739b9 | | ||
| roles | reader load-balancer_member _member_ member heat_stack_owner | | ||
| system | None | | ||
| unrestricted | False | | ||
| user_id | fb9a3d02c89e4cfdbe64658ad43ece97 | | ||
+--------------+--------------------------------------------------------------+ | ||
``` | ||
|
||
## Deleting Application Credentials | ||
|
||
Run the command `openstack application credential list` to get the `ID` of the `Application Credentials` you would like to delete | ||
|
||
Then with the `ID` run the below command to delete it | ||
|
||
``` | ||
openstack application credential delete APPLICATION_CRED_ID | ||
``` | ||
|
||
There will be no response, so you can run the list command again to confirm deletion |
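Review bot: the `--access-rules` example on the `: Either a string or file path containing a JSON-formatted list of access rules` line uses typographic quotes (‘ “ ”), so a reader who copies it gets both an invalid shell string and invalid JSON; replace them with straight quotes: `'[{"method": "GET", "path": "/v2.1/servers", "service": "compute"}]'`. Two smaller wording fixes: "Credentails" in the note after the create output should read "Credentials", and "setup" in the opening note should be "set up". Since the example output shows the new credential inheriting every role of the creating user (`heat_stack_owner reader _member_ load-balancer_member member`) with `expires_at None`, consider adding a sentence under `--role` and `--expiration` recommending that both be set explicitly so the credential carries only the role and lifetime the application needs; that is the least-privilege point the index page makes, and the bare-name example at `openstack application credential create wiki-test-app-creds` otherwise reads as the recommended usage.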
101 changes: 101 additions & 0 deletions
...ge-identity/creating-and-managing-application-credentials-with-the-dashboard.md
@@ -0,0 +1,101 @@ | ||
--- | ||
hidden: false | ||
label_names: | ||
- networks | ||
- create | ||
- manage | ||
- dashboard | ||
position: 1 | ||
title: Create and manage networks via the dashboard | ||
--- | ||
|
||
## Create a Network | ||
|
||
Log into the [NeSI FlexiHPC Dashboard](https://dashboard.cloud.nesi.org.nz/) | ||
|
||
Select the project you would like to deploy the new instance too (Use the project selector on the top left-hand side): | ||
|
||
<figure markdown> | ||
![Alt text](../../images/flexi/project-selector.png) | ||
</figure> | ||
|
||
Open the `Identity` tab and click `Application Credentials` category | ||
|
||
<figure markdown> | ||
![Alt text](../../images/flexi/app-creds-overview.png) | ||
</figure> | ||
|
||
Click `Create Application Credentials` | ||
|
||
Within the `Create Application Credentials` dialog we have the following options | ||
|
||
`Name` | ||
: This is a required field. A name for your Application Credentials, an example could be terraform-deployment | ||
|
||
`Description` | ||
: A friendly description for the Application Credentials | ||
|
||
`Secret` | ||
: If this field is left blank then one will be automatically generated for you, however you have the ability to provide one yourself should you choose. | ||
|
||
`Expiration Date` | ||
: The day that you wish for this Application Credentials to expire, example is you may only want these to last 1 month and as part of maintenance each month you roll new credentials. If left blank it will default to never expire | ||
|
||
`Expiration Time` | ||
: The time you wish for this Application Credentials to expire, example could be 23:59 on the first Monday of each month so it gives you the Monday morning to roll new credentials. If left blank and `Expiration Date` is set it will default to 00:00:00 | ||
|
||
!!! note | ||
Expiration Date and Time will be in UTC format. | ||
|
||
`Roles` | ||
: You may select one or more roles for this application credential. If you do not select any, all of the roles you have assigned on the current project will be applied to the application credential. Example here is my user has `[admin, member, reader]` associated with it so if I don't pick any roles the `Application Credentials` will be given the same permissions. | ||
|
||
`Access Rules` | ||
: If you want more fine-grained access control delegation, you can create one or more access rules for this application credential. The list of access rules must be a JSON- or YAML-formatted list of rules each containing a service type, an HTTP method, and a URL path, for example: | ||
``` json title="JSON example" | ||
[ | ||
{ | ||
"service": "compute", | ||
"method": "POST", | ||
"path": "/v2.1/servers" | ||
} | ||
] | ||
``` | ||
|
||
``` yaml title="YAML example" | ||
- service: compute | ||
method: POST | ||
path: /v2.1/servers | ||
``` | ||
|
||
`Unrestricted (Dangerous)` | ||
: By default, for security reasons, application credentials are forbidden from being used for creating additional application credentials or keystone trusts. If your application credential needs to be able to perform these actions, check "unrestricted". | ||
|
||
!!! warning | ||
This is potentially dangerous behavior and is disabled by default | ||
|
||
Once all the required fields are completed click on `Create Application Credential` | ||
|
||
Another dialog will appear that has your newly created `Application Credential` secret. The application credential secret will not be available after closing this page, so you must capture it now or download it. If you lose this secret, you must generate a new application credential. | ||
|
||
## Deleting Application Credentials | ||
|
||
Log into the [NeSI FlexiHPC Dashboard](https://dashboard.cloud.nesi.org.nz/) | ||
|
||
Select the project you would like to deploy the new instance too (Use the project selector on the top left-hand side): | ||
|
||
<figure markdown> | ||
![Alt text](../../images/flexi/project-selector.png) | ||
</figure> | ||
|
||
Open the `Identity` tab and click `Application Credentials` category | ||
|
||
Using the check box select the `Application Credentials` you would like to delete and the `Delete Application Credentials` should become clickable in the top right | ||
|
||
<figure markdown> | ||
![Alt text](../../images/flexi/app-cred-selected.png) | ||
</figure> | ||
|
||
Click `Delete Application Credentials` and a confirmation dialog will appear | ||
|
||
Confirm the deletion by clicking `Delete Application Credentials` |
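Review bot: the front matter in this new file still describes the networks page (`- networks` under `label_names` and `title: Create and manage networks via the dashboard`), while the body documents application credentials; the title should match the file name, e.g. `Creating and Managing Application Credentials with the Dashboard`, and the label should be `identity` to match the CLI page's front matter in this same commit. The two `Select the project you would like to deploy the new instance too` lines (under both `## Create a Network` and `## Deleting Application Credentials`) are also carried over from an instance page: "too" should be "to", and the sentence should name the project in which the credential is being created or deleted, since no instance is deployed here; likewise the first heading `## Create a Network` should read `## Create Application Credentials`.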
@@ -1,13 +1,24 @@ | ||
--- | ||
hidden: false | ||
label_names: | ||
- identity | ||
- create | ||
- manage | ||
position: 1 | ||
title: Create and Manage identity | ||
vote_count: 1 | ||
vote_sum: 1 | ||
--- | ||
|
||
Flexi Identity | ||
--- | ||
hidden: false | ||
label_names: | ||
- identity | ||
- create | ||
- manage | ||
position: 1 | ||
title: Create and Manage identity | ||
vote_count: 1 | ||
vote_sum: 1 | ||
--- | ||
|
||
`Application Credentials` help you to avoid the practice of embedding user account credentials in configuration files. Instead, the user creates an Application Credential that receives delegated access to a single project and has its own distinct secret. The user can also limit the delegated privileges to a single role in that project. This allows you to adopt the principle of least privilege, where the authenticated service only gains access to the one project and role that it needs to function, rather than all of them. | ||
|
||
This approach allows you to consume an API with revealing your user credentials, and lets applications authenticate to Keystone without requiring embedded user credentials. | ||
|
||
Within FlexiHPC you are able to mange `Application Credentials` from the dashboard and/or the CLI. | ||
|
||
- [Creating and Managing Application Credentials from the dashboard](creating-and-managing-application-credentials-with-the-dashboard.md) | ||
|
||
- [Creating and Managing Application Credentials via CLI](creating-and-managing-application-credentials-via-cli.md) | ||
|
||
!!! note | ||
The Application Credential is dependent on the user account that created it, so it will terminate if that account is ever deleted, or loses access to the relevant role. |
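Review bot: `This approach allows you to consume an API with revealing your user credentials` inverts the intended meaning and should read `without revealing your user credentials`; in the following paragraph `mange` should be `manage`. The closing note is worth keeping as is, since the dependency on the creating user account (credential stops working if the account is deleted or loses the role) is the operational caveat teams most often miss when they move automation onto a personal account's application credential.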
@@ -1,6 +1,6 @@ | ||
* [Identity: Create and Manage](index.md) | ||
* With the Dashboard | ||
* [Networks](create-and-manage-networks-with-the-dashboard.md) | ||
* With the CLI | ||
* [Networks](create-and-manage-networks-via-cli.md) | ||
* [Identity: Create and Manage](index.md) | ||
* With the Dashboard | ||
* [Create and Manage](creating-and-managing-application-credentials-with-the-dashboard.md) | ||
* With the CLI | ||
* [Create and Manage](creating-and-managing-application-credentials-via-cli.md) | ||
* * |
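Review bot: the two new nav entries are labelled `Create and Manage`, which repeats the parent `Identity: Create and Manage` and does not say what is being created; the lines they replace used the resource name (`Networks`), so label these `Application Credentials` under both `With the Dashboard` and `With the CLI` to keep the navigation consistent.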