@nicholaskuechler
Last active February 21, 2025 15:18
# application credential
 openstack application credential list
+----------------------------------+----------------+-------------+----------------------------------+-----------------------+--------------+--------------+------------+
| ID | Name | Description | Project ID | Roles | Unrestricted | Access Rules | Expires At |
+----------------------------------+----------------+-------------+----------------------------------+-----------------------+--------------+--------------+------------+
| c7315d27edc34e899b9c188b7a64eab0 | terraform-cred | None | 365255af5392436ea16f4dcd17cff11a | member reader manager | False | None | None |
+----------------------------------+----------------+-------------+----------------------------------+-----------------------+--------------+--------------+------------+
# keystone logs
[Fri Feb 14 17:29:45.707154 2025] [wsgi:error] [pid 19:tid 136938291988032] [remote 10.64.48.73:38930] 2025-02-14 17:29:45.706 19 DEBUG keystone.server.flask.request_processing.req_logging [None req-0989e34f-0148-495c-9aa4-d05f9a2e0bfd - - - - - -] REQUEST_METHOD: `POST` log_request_info /var/lib/openstack/lib/python3.10/site-packages/keystone/server/flask/request_processing/req_logging.py:26
[Fri Feb 14 17:29:45.707264 2025] [wsgi:error] [pid 19:tid 136938291988032] [remote 10.64.48.73:38930] 2025-02-14 17:29:45.707 19 DEBUG keystone.server.flask.request_processing.req_logging [None req-0989e34f-0148-495c-9aa4-d05f9a2e0bfd - - - - - -] SCRIPT_NAME: `` log_request_info /var/lib/openstack/lib/python3.10/site-packages/keystone/server/flask/request_processing/req_logging.py:27
[Fri Feb 14 17:29:45.707327 2025] [wsgi:error] [pid 19:tid 136938291988032] [remote 10.64.48.73:38930] 2025-02-14 17:29:45.707 19 DEBUG keystone.server.flask.request_processing.req_logging [None req-0989e34f-0148-495c-9aa4-d05f9a2e0bfd - - - - - -] PATH_INFO: `/v3/auth/tokens` log_request_info /var/lib/openstack/lib/python3.10/site-packages/keystone/server/flask/request_processing/req_logging.py:28
[Fri Feb 14 17:29:45.712471 2025] [wsgi:error] [pid 19:tid 136938291988032] [remote 10.64.48.73:38930] 2025-02-14 17:29:45.712 19 WARNING keystone.common.password_hashing [None req-0989e34f-0148-495c-9aa4-d05f9a2e0bfd - - - - - -] Truncating password to algorithm specific maximum length 72 characters.
[Fri Feb 14 17:29:45.712550 2025] [wsgi:error] [pid 19:tid 136938291988032] [remote 10.64.48.73:38930] 2025-02-14 17:29:45.712 19 WARNING keystone.common.password_hashing [None req-0989e34f-0148-495c-9aa4-d05f9a2e0bfd - - - - - -] Truncating user password to 72 characters.
[Fri Feb 14 17:29:45.936079 2025] [wsgi:error] [pid 19:tid 136938291988032] [remote 10.64.48.73:38930] 2025-02-14 17:29:45.935 19 DEBUG keystone.auth.core [None req-0989e34f-0148-495c-9aa4-d05f9a2e0bfd - - - - - -] MFA Rules not processed for user `fb388fffbddd7a33485adc3eadb45a28cef6299f6a915de66ae3c0c6879a832a`. Rule list: `[]` (Enabled: `True`). check_auth_methods_against_rules /var/lib/openstack/lib/python3.10/site-packages/keystone/auth/core.py:476
[Fri Feb 14 17:29:45.936570 2025] [wsgi:error] [pid 19:tid 136938291988032] [remote 10.64.48.73:38930] 2025-02-14 17:29:45.936 19 WARNING keystone.common.fernet_utils [None req-0989e34f-0148-495c-9aa4-d05f9a2e0bfd - - - - - -] key_repository is world readable: /etc/keystone/fernet-keys/
[Fri Feb 14 17:29:45.937990 2025] [wsgi:error] [pid 19:tid 136938291988032] [remote 10.64.48.73:38930] 2025-02-14 17:29:45.937 19 DEBUG keystone.models.token_model [None req-0989e34f-0148-495c-9aa4-d05f9a2e0bfd - - - - - -] User fb388fffbddd7a33485adc3eadb45a28cef6299f6a915de66ae3c0c6879a832a has no access to project 365255af5392436ea16f4dcd17cff11a _validate_project_scope /var/lib/openstack/lib/python3.10/site-packages/keystone/models/token_model.py:554
[Fri Feb 14 17:29:45.938835 2025] [wsgi:error] [pid 19:tid 136938291988032] [remote 10.64.48.73:38930] 2025-02-14 17:29:45.938 19 WARNING keystone.server.flask.application [None req-0989e34f-0148-495c-9aa4-d05f9a2e0bfd - - - - - -] Authorization failed. User fb388fffbddd7a33485adc3eadb45a28cef6299f6a915de66ae3c0c6879a832a has no access to project 365255af5392436ea16f4dcd17cff11a (Disable insecure_debug mode to suppress these details.) from 10.15.186.61: keystone.exception.Unauthorized: User fb388fffbddd7a33485adc3eadb45a28cef6299f6a915de66ae3c0c6879a832a has no access to project 365255af5392436ea16f4dcd17cff11a (Disable insecure_debug mode to suppress these details.)
10.15.186.61 - - [14/Feb/2025:17:29:45 +0000] "POST /v3/auth/tokens HTTP/1.1" 401 243 "-" "openstacksdk/4.1.0 keystoneauth1/5.8.0 python-requests/2.32.3 CPython/3.12.5"
# keystone.conf
[DEFAULT]
insecure_debug = true
log_config_append = /etc/keystone/logging.conf
max_token_size = 512
transport_url = rabbit://internal/keystone
[auth]
methods = password,token,openid,mapped,application_credential
[cache]
backend = dogpile.cache.memcached
backend_argument = memcached_expire_time:3600
enabled = true
memcache_servers = memcached.openstack.svc.cluster.local:11211
[credential]
key_repository = /etc/keystone/credential-keys/
[database]
connection = mysql+pymysql://internal/keystone
max_retries = -1
[federation]
default_authorization_ttl = 720
trusted_dashboard = http://localhost:9990/auth/websso/
trusted_dashboard = https://horizon.internal/auth/websso/
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
max_active_keys = 7
[identity]
domain_config_dir = /etc/keystone/domains
domain_specific_drivers_enabled = true
[openid]
remote_id_attribute = HTTP_OIDC_ISS
[oslo_messaging_notifications]
driver = messagingv2
[oslo_messaging_rabbit]
rabbit_ha_queues = true
[oslo_middleware]
enable_proxy_headers_parsing = true
[oslo_policy]
policy_file = /etc/keystone/policy.yaml
[security_compliance]
lockout_duration = 1800
lockout_failure_attempts = 5
[token]
expiration = 43200
provider = fernet
 openstack role assignment list
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+-----------+
| 4a5321ded95d4c2caa3ebb329fd12dd5 | | 1aead99953ed4dc59145f5d879750948 | | default | | True |
| 330e5f6412eb43a08cf414e94a12a132 | 53d1009cbc234463b4fab883d55b2214 | | f2c54671f0924bb9b51d63c8a19cd8ae | | | False |
| 4a5321ded95d4c2caa3ebb329fd12dd5 | 53d1009cbc234463b4fab883d55b2214 | | f2c54671f0924bb9b51d63c8a19cd8ae | | | False |
| 4a5321ded95d4c2caa3ebb329fd12dd5 | | 58c3fbe90c2b446999ddf61b38a4142a | | default | | True |
| 330e5f6412eb43a08cf414e94a12a132 | 672e805fdc73485cb047ca254569f236 | | 4d85c8112b3348eb9c8125399c96518d | | | False |
| 330e5f6412eb43a08cf414e94a12a132 | 7129b5909a1d44c394fc84d915aa1e8d | | 2ae532bb8a82466ebba66c7a9a806eb5 | | | False |
| 330e5f6412eb43a08cf414e94a12a132 | 7129b5909a1d44c394fc84d915aa1e8d | | | default | | False |
| 330e5f6412eb43a08cf414e94a12a132 | | 74903141bbe74b148f7aac29b8ac83eb | | c4efd7a6df70434e8ebd67cdd0e55d22 | | True |
| 4a5321ded95d4c2caa3ebb329fd12dd5 | | 74903141bbe74b148f7aac29b8ac83eb | | c4efd7a6df70434e8ebd67cdd0e55d22 | | True |
| baff5697de7647a8872f49712f67d7e9 | | 74903141bbe74b148f7aac29b8ac83eb | | c4efd7a6df70434e8ebd67cdd0e55d22 | | True |
| ef4b2d9312814dc99c2176af664389ec | | 74903141bbe74b148f7aac29b8ac83eb | | c4efd7a6df70434e8ebd67cdd0e55d22 | | True |
| 4a5321ded95d4c2caa3ebb329fd12dd5 | | 74903141bbe74b148f7aac29b8ac83eb | | default | | True |
| 55cebd29e7e443dfb7b7fd45d25e7f9c | | 74903141bbe74b148f7aac29b8ac83eb | | default | | True |
| baff5697de7647a8872f49712f67d7e9 | | 74903141bbe74b148f7aac29b8ac83eb | | default | | True |
| 330e5f6412eb43a08cf414e94a12a132 | 81018ca84eb64778b3c636f0f3c32974 | | 4d85c8112b3348eb9c8125399c96518d | | | False |
| 330e5f6412eb43a08cf414e94a12a132 | 8af91de968ef494381acfba519b6c707 | | 4d85c8112b3348eb9c8125399c96518d | | | False |
| a11049ff019e41d395099b9d4ff6b818 | 8af91de968ef494381acfba519b6c707 | | 4d85c8112b3348eb9c8125399c96518d | | | False |
| 330e5f6412eb43a08cf414e94a12a132 | 8af91de968ef494381acfba519b6c707 | | 76fd0323a0c54134aae6388dff144277 | | | False |
| a11049ff019e41d395099b9d4ff6b818 | 8af91de968ef494381acfba519b6c707 | | 76fd0323a0c54134aae6388dff144277 | | | False |
| 4a5321ded95d4c2caa3ebb329fd12dd5 | 8af91de968ef494381acfba519b6c707 | | f2c54671f0924bb9b51d63c8a19cd8ae | | | False |
| 330e5f6412eb43a08cf414e94a12a132 | a6dc163c461c45eda3b4876ba6a69de6 | | 76fd0323a0c54134aae6388dff144277 | | | False |
| a11049ff019e41d395099b9d4ff6b818 | a6dc163c461c45eda3b4876ba6a69de6 | | 76fd0323a0c54134aae6388dff144277 | | | False |
| 4a5321ded95d4c2caa3ebb329fd12dd5 | | ab2b6b760bdf453ea97b167ac79f280d | | default | | True |
| 330e5f6412eb43a08cf414e94a12a132 | d5b35535063b4d069938a62ca9e66538 | | 76fd0323a0c54134aae6388dff144277 | | | False |
| 330e5f6412eb43a08cf414e94a12a132 | db13289c21194bbdb3b4d01798f89715 | | 76fd0323a0c54134aae6388dff144277 | | | False |
| a11049ff019e41d395099b9d4ff6b818 | db13289c21194bbdb3b4d01798f89715 | | 76fd0323a0c54134aae6388dff144277 | | | False |
| 330e5f6412eb43a08cf414e94a12a132 | f5329abc7a42476cb15fe2ffd23b5f54 | | 76fd0323a0c54134aae6388dff144277 | | | False |
| 330e5f6412eb43a08cf414e94a12a132 | 7129b5909a1d44c394fc84d915aa1e8d | | | | all | False |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+-----------+
 openstack role assignment list --names
+--------------+----------------------+--------------+--------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------------+----------------------+--------------+--------------------+---------+--------+-----------+
| member | | ucneteng@sso | | Default | | True |
| admin | argoworkflow@Default | | undercloud@Default | | | False |
| member | argoworkflow@Default | | undercloud@Default | | | False |
| member | | ucdctech@sso | | Default | | True |
| admin | monitoring@infra | | baremetal@infra | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | | ucadmin@sso | | infra | | True |
| member | | ucadmin@sso | | infra | | True |
| manager | | ucadmin@sso | | infra | | True |
| ucadmin-role | | ucadmin@sso | | infra | | True |
| member | | ucadmin@sso | | Default | | True |
| reader | | ucadmin@sso | | Default | | True |
| manager | | ucadmin@sso | | Default | | True |
| admin | argoworkflow@infra | | baremetal@infra | | | False |
| admin | ironic@service | | baremetal@infra | | | False |
| service | ironic@service | | baremetal@infra | | | False |
| admin | ironic@service | | service@service | | | False |
| service | ironic@service | | service@service | | | False |
| member | ironic@service | | undercloud@Default | | | False |
| admin | neutron@service | | service@service | | | False |
| service | neutron@service | | service@service | | | False |
| member | | ucuser@sso | | Default | | True |
| admin | placement@service | | service@service | | | False |
| admin | nova@service | | service@service | | | False |
| service | nova@service | | service@service | | | False |
| admin | glance@service | | service@service | | | False |
| admin | admin@Default | | | | all | False |
+--------------+----------------------+--------------+--------------------+---------+--------+-----------+