
LDAP Sync TODO list

Open stevekuznetsov opened this issue 9 years ago • 23 comments

Dev-cut:

  • [x] create LDAPInterface for Active Directory schema (@deads2k) https://github.com/openshift/origin/pull/4972
  • [x] install OpenLDAP client on Jenkins so that our sync jobs can mutate LDAP at will with bash calls (@deads2k) https://github.com/openshift/vagrant-openshift/pull/336
  • [x] create LDAPInterface for enhanced AD schema (FTF) https://github.com/openshift/origin/pull/5086
  • [x] union name mapper (some defined by users, others by rule) (FTF) @deads2k https://github.com/openshift/origin/pull/5100
  • [x] extended test for: union name mapper (FTF) @deads2k https://github.com/openshift/origin/pull/5100
  • [x] extended test for: pin OpenShift Group name for LDAP sync - sync OpenShift group to same UID (don't change LDAPUID annotation if LDAP group changes) (@deads2k) https://github.com/openshift/origin/pull/5108
  • [x] blacklist {OpenShift,LDAP} groups from sync (@deads2k) https://github.com/openshift/origin/pull/5108

  • [x] add ldap entries for other schema to image (@stevekuznetsov) https://github.com/openshift/origin/pull/4923
  • [x] add memberof overlay to openldap image (@stevekuznetsov) https://github.com/openshift/openldap/pull/10
  • [x] add test schema to openldap image (@stevekuznetsov) https://github.com/openshift/openldap/pull/11
  • [x] extended test for: whitelist defined in {file,parameters} from {OpenShift,LDAP} (@stevekuznetsov) https://github.com/openshift/origin/pull/5047
  • [x] extended test for: user-defined mapping from LDAP UID to OpenShift UID (@stevekuznetsov) https://github.com/openshift/origin/pull/5047
  • [x] documentation for {rfc2307,ad,augmented-ad} exposed config (@stevekuznetsov) https://github.com/openshift/openshift-docs/pull/1066
  • [x] add a label to the sync job for the host (@stevekuznetsov) https://github.com/openshift/origin/pull/5101

Post dev-cut:

  • [x] remove Ginkgo tests, clean up authentication.sh (@stevekuznetsov) https://github.com/openshift/origin/pull/5110
  • [x] add sane readiness check to LDAP server pod https://github.com/openshift/origin/pull/5064
  • [x] clean up help text (@stevekuznetsov) https://github.com/openshift/origin/pull/5099
  • [x] delete orphaned groups from OpenShift records (--prune) (@stevekuznetsov /FTF) https://github.com/openshift/origin/pull/5145
  • [x] extended test for: delete orphaned groups (determine orphanage from OpenShift records) (@stevekuznetsov /FTF) https://github.com/openshift/origin/pull/5145
  • [x] bash autocompletion for sync-groups (@stevekuznetsov) https://github.com/openshift/origin/pull/5174
  • [ ] use internal git server to push current branch so that we can use updated files on extended tests (@stevekuznetsov)
  • [x] change valid*.txt --> valid*.yaml (@stevekuznetsov)
  • [ ] allow OpenLDAP image to support upgrade to TLS (@stevekuznetsov)
  • [ ] extended test for: secured LDAP (@stevekuznetsov)
  • [ ] pretty-print sync config validation results (@stevekuznetsov)
  • [x] handle nested groups by ~~flattening (@stevekuznetsov)~~ documenting (@enj)
  • [ ] ~~Better LDAP failover handling RFE per https://github.com/openshift/origin/issues/4851#issuecomment-343955928~~ denied per https://bugzilla.redhat.com/show_bug.cgi?id=1459046

stevekuznetsov avatar Sep 29 '15 15:09 stevekuznetsov

@stevekuznetsov Schema1 works with an exposed config. Once you get enough tests done for it, we can claim the trello card.

deads2k avatar Oct 05 '15 19:10 deads2k

"install openldap client" - https://github.com/openshift/vagrant-openshift/pull/336

deads2k avatar Oct 06 '15 18:10 deads2k

Need union group name mappings to allow user-defined if present and attributes otherwise.

Also, we need to make a label of the hostname on groups we sync. It's not perfect, but it's better than nothing.

We also need to add a custom --label flag to add custom labels.

deads2k avatar Oct 09 '15 22:10 deads2k

We need to find a way to mutate the host to be a label, previously there was the issue of formatting (labels can't have colons? I can't remember).

stevekuznetsov avatar Oct 09 '15 23:10 stevekuznetsov

> We need to find a way to mutate the host to be a label, previously there was the issue of formatting (labels can't have colons? I can't remember).

Yeah, we couldn't do host:port, but we need some kind of selector. We'll do host by default (which should work) and we'll leave custom labels for people doing crazy things.

deads2k avatar Oct 11 '15 12:10 deads2k
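An added example (not code from the origin repository) showing the label-value constraint behind the host:port problem discussed above: Kubernetes label values are at most 63 characters of alphanumerics, '-', '_' and '.', so a port cannot be carried in the value and only the hostname is kept. The LDAP URL and the helper names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Kubernetes label values: at most 63 characters, empty or matching this pattern.
// ':' is not in the allowed set, which is why "host:port" could not be used directly.
var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

// IsValidLabelValue reports whether v can be stored as a label value.
func IsValidLabelValue(v string) bool {
	return len(v) <= 63 && labelValueRe.MatchString(v)
}

// HostLabelFromLDAPURL derives a selector-friendly label value from a sync config's
// LDAP URL by keeping only the hostname; the port is dropped because ':' is not allowed.
// An IPv6 literal also contains ':' and is rejected rather than silently mangled.
func HostLabelFromLDAPURL(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	host := u.Hostname()
	if !IsValidLabelValue(host) {
		return "", fmt.Errorf("host %q is not a valid label value", host)
	}
	return host, nil
}

func main() {
	// Constructed sample values, not taken from any real deployment.
	for _, candidate := range []string{"ldap.example.com:636", "ldap.example.com"} {
		fmt.Printf("%-22s valid label value: %v\n", candidate, IsValidLabelValue(candidate))
	}
	v, err := HostLabelFromLDAPURL("ldaps://ldap.example.com:636/ou=groups,dc=example,dc=com")
	fmt.Println(v, err)
}
```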

Happy New Year, all! Is there a branch that is in sync with the OpenShift Origin documentation? Running oadm groups sync --type=openshift --sync-config=foo.yml as per these instructions throws unknown command: sync and unknown flag: --type errors respectively. We have validated that the command fails on both a libvirt bin/cluster development build and a GCE BYO stack, both built from openshift/openshift-ansible.

lypht avatar Jan 06 '16 15:01 lypht

@lypht Current Origin HEAD is in sync with the documentation, and the last changes for this command were made in commit https://github.com/stevekuznetsov/origin/commit/6eb1b3652c461588c9eed5ea3e9d74e994d722a7, merged fifteen days ago. Perhaps the build is picking up an older version? Does openshift ex sync-groups work in place of oadm groups sync?

stevekuznetsov avatar Jan 06 '16 16:01 stevekuznetsov

Thanks, Steve. It looks like what is being deployed through Ansible is from December 2nd. Should I build from origin source to get these commits?

lypht avatar Jan 06 '16 19:01 lypht

The version from December 2nd should have LDAP group sync, but oadm groups sync is invoked with openshift ex sync-groups; unless you upgrade to at least December 9th (https://github.com/openshift/origin/commit/d2c519988d829b2df749d9a4b022d0e0dd01326c), you won't have oadm groups prune. I'd suggest you use the latest version you can.

stevekuznetsov avatar Jan 06 '16 20:01 stevekuznetsov

Thanks again. If I run the upgrade playbook from BYO, will it pull the latest stable, or is this only for versioning if not on 1.1?

lypht avatar Jan 07 '16 17:01 lypht

I'm not certain about that, @sdodson could you please chime in?

stevekuznetsov avatar Jan 07 '16 17:01 stevekuznetsov

> Thanks again. If I run the upgrade playbook from BYO, will it pull the latest stable, or is this only for versioning if not on 1.1?

The playbooks, unless you specify that you want a containerized install, rely on RPMs for installation and those are only built for tagged releases. If you like you can add containerized=true and give that a shot but it's definitely a less tested path at this point.

https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINERIZED_INSTALLATION.md documents containerized installation.

sdodson avatar Jan 07 '16 17:01 sdodson

openshift ex sync-groups works. Thanks again!

lypht avatar Jan 13 '16 22:01 lypht

@lypht glad to hear! Feel free to send other feedback or thoughts to me on GitHub or to our mailing list.

stevekuznetsov avatar Jan 14 '16 00:01 stevekuznetsov

nested groups doc https://docs.openshift.org/latest/install_config/syncing_groups_with_ldap.html#sync-ldap-nested-example

@stevekuznetsov close or send this @enj's way?

pweil- avatar Jun 26 '17 09:06 pweil-

@enj you are very welcome

stevekuznetsov avatar Jun 26 '17 13:06 stevekuznetsov

I'm not really sure where a RFE would fit, but it's highly related to this topic. There doesn't seem to be a way to define multiple ldap URLs and the proposed way to handle redundancy is far from ideal (https://docs.openshift.com/container-platform/3.6/install_config/advanced_ldap_configuration/sssd_for_ldap_failover.html) since it requires configuration of additional infrastructure (two additional servers, httpd as proxy, integration of said servers with ldap and clustering to move a virtual IP between). Ideally, one should just be able to specify the additional URLs in the config and have openshift failover if the first one fails. Can this be integrated into this TODO list or where should I submit such request?

aneagoe avatar Nov 13 '17 15:11 aneagoe

@aneagoe I added it as a TODO item at the top, but you are welcome to submit an RFE to https://bugzilla.redhat.com. Any changes to LDAP are low priority and are unlikely to be addressed at this time.

enj avatar Nov 13 '17 15:11 enj

@aneagoe This was already proposed and denied, keeping with the proposed way outlined in the doc link you provided. Bug/RFE 1459046

rjhowe avatar Nov 22 '17 19:11 rjhowe

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot avatar Feb 27 '18 05:02 openshift-bot

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot avatar Mar 29 '18 10:03 openshift-bot

RIP :rose:

stevekuznetsov avatar Apr 02 '18 16:04 stevekuznetsov

/unassign

@stlaz @sttts @mfojtik

enj avatar Oct 16 '19 15:10 enj