Paul Cleary
@pauljamescleary
@ozopz I’m out today away from my computer. Will hop on tonight and check it out. What OIDC service are you using?
ozopz
@ozopz
We are using Red Hat SSO (Keycloak)
Paul Cleary
@pauljamescleary
@ozopz could you send your Portal oidc config (eliding your client id and secret)?
ozopz
@ozopz
@pauljamescleary
oidc {
  # this enables openid instead of ldap for logins
  enabled = true

  # your open ID instance info
  authorization-endpoint = "https://id.redhatsso.com:8593/auth/realms/Test/protocol/openid-connect/auth"
  token-endpoint = "https://id.redhatsso.com:8593/auth/realms/Test/protocol/openid-connect/token"
  jwks-endpoint = "https://id.redhatsso.com:8593/auth/realms/Test/protocol/openid-connect/certs"
  logout-endpoint = "https://id.redhatsso.com:8593/auth/realms/Test/protocol/openid-connect/logout"
  tenant-id = ""
  client-id = "x"
  secret = "x"

  # not required, defaults to values below
  scope = "email"

  # this should be the base URL for your vinyldns portal instance
  redirect-uri = "http://vinyldns.com:9001"

  # field in the jwt representing the user's firstname
  jwt-firstname-field = "FirstName"

  # field in the jwt representing the user's lastname
  jwt-lastname-field = "LastName"

  # field in the jwt representing the user's username
  jwt-username-field = "USER_NAME"

  # field in the jwt representing the user's email. not required, defaults to "email"
  jwt-email-field = "mail"
}
ozopz
@ozopz
Hi @pauljamescleary, I'm trying to create a new dotted record of type A. I got the impression that it is possible after looking at the "ok.hosts" file, but I'm not sure how to make it work. Currently, when I try to create a dotted record, I get the following error:
HTTP 422 (Unprocessable Entity): Record with name bla2.bla.com and type A is a dotted host which is not allowed in zone bla.com.
Paul Cleary
@pauljamescleary
@ozopz we do not currently support creation of new dotted hosts. We allow the update or deletion of existing dotted hosts however. Certainly possible without a big todo but here we have a policy markedly against dotted hosts
  • here meaning at Comcast
Paul Cleary
@pauljamescleary
@ozopz for your oidc config, the scope = "email" doesn't seem right. It should include openid, which indicates we are authenticating the user's identity and profile; it should be openid profile email
As far as that specific error, it appears as though VinylDNS is getting a 500 response code back when attempting the OIDC authentication
also, the callback URL will be in your case http://vinyldns.com:9001/callback/<uuid>, I know some OIDC providers struggle with a random login id inserted in there
slandry90
@slandry90
@pauljamescleary any eta on when you'll cut an official version with all the route53 improvements we've made?
Paul Cleary
@pauljamescleary
@slandry90 I can release at any time, wasn't waiting for anything in particular, just seeing if anything new came up
slandry90
@slandry90
@pauljamescleary if you could cut a new one today or soon we'd appreciate it due to the changes from docker around rate limiting (we've got vinyldns caching to our internal docker-hub but not our custom images we've built off master) :)
Paul Cleary
@pauljamescleary
@slandry90 yep, will drop one right now
Paul Cleary
@pauljamescleary
@slandry90 0.9.8 is released. Going to write up the release notes now
It is not signed yet, as we are still working on automating that process
Nima Eskandary
@nimaeskandary
Images are signed now @slandry90
ozopz
@ozopz
Hi @pauljamescleary, I have a problem when I try to use OIDC. Can you help me figure out which part of my configuration is wrong?
Here is what I saw in the portal's logs: ErrorResponse(500, invalid ID token response from OIDC provider)
Paul Cleary
@pauljamescleary
Hey @ozopz, do you have additional / surrounding log entries or stack traces by any chance?
Paul Cleary
@pauljamescleary
Also, looking in the code, a few things:
  1. we look for a field named tid in the token response that is used to match up to what you configured for tenant-id in the config file
  2. we look for a field named "aud" in the token response that is used to match up to what you configured for the client-id in the config file
The good news is that it appears as though you are further along in the authentication flow based on what I am looking at.
I wonder if you are seeing a log entry like Token issue for user $user; tenantId = $tid, appId = $aid
ozopz
@ozopz
Hi @pauljamescleary, I did get the error you mentioned, the token issue one. The issue appears to happen because the tenant id is "None" at all times.
I'm using Keycloak and, to my understanding, Keycloak uses "realms" instead of tenants. The configuration doesn't work when I specify my realm in the tenant field. Is there a different field for a realm?
Paul Cleary
@pauljamescleary
@ozopz right now we are hard coded to search the claim set for "tid" and "aud". That is easy enough to externalize and make a configuration item. I just need to know the name of the fields to pull out and can push a small PR up
ozopz
@ozopz
@pauljamescleary The field for Keycloak's realm is called "realmId"
Paul Cleary
@pauljamescleary
@ozopz I opened the PR to make tenant id optional. In reality, we should use OIDC and ws discovery for OIDC flows. That code is not ready yet. Here is the PR - vinyldns/vinyldns#1031
David Carmean
@dlcarmean
Howdy. I just discovered vinyldns yesterday (maybe via youtube suggestions, I forget..). Is there support for split DNS in the form of differing BIND views of the same zone?
Paul Cleary
@pauljamescleary
@dlcarmean howdy! not at this point. We handle this at Comcast using manual reviews. We have split view zones on our short term roadmap.
David Carmean
@dlcarmean
thanks. Still watching your video :)
David Carmean
@dlcarmean

I'm a little unclear on the prereqs.

this seems to indicate that mysql can be used as a message queue: https://www.vinyldns.io/operator/pre.html#message-queues

But this page doesn't mention it:
https://www.vinyldns.io/operator/setup-mysql.html

we are not an AWS customer and I'm unlikely to get the OK to become one :/
Paul Cleary
@pauljamescleary
Correct, MySQL can be used as a message queue. If it isn't in the docs it's likely an oversight
David Carmean
@dlcarmean
:thumbsup: is redis perhaps in the pipeline?
I can only python :/ or I'd maybe try to help
Paul Cleary
@pauljamescleary
Not at this time although I’m sure it’s trivially easy to do. The mysql message queue should be fine for most workloads. If you have hundreds of changes per second not so much, but even our installation rarely hits those levels
David Carmean
@dlcarmean
we might have hundreds per month, if that :) small ISP
David Carmean
@dlcarmean
My guess is that there's probably no reason for an org your size to have spent time on this, either: https://tools.ietf.org/html/rfc2317
For A+PTR entries
Paul Cleary
@pauljamescleary
Ha we do support classless reverse zone delegations and do use them.
David Carmean
@dlcarmean
cool
David Carmean
@dlcarmean
where can I see the api capabilities? RTFC?
David Carmean
@dlcarmean
has there been any discussion of plugins to enhance zone "create" to actually create zones on the DNS back ends?
Paul Cleary
@pauljamescleary
@dlcarmean yes, we are discussing zone management (involving create) right now. The trick is less of how to create the zone, but rather the security around it
David Carmean
@dlcarmean
gotcha
Paul Cleary
@pauljamescleary
We may wind up saying that only sys admins can create zones (and only create) for phase 1
No delete ability since that is horribly destructive
and needs even more access controls
If we do that, then phase 2 we could add role based access controls, and have a "create zone" privilege more generally. The other option is an ACL construct that allows subdomains to be created, it could live globally or on a zone.
David Carmean
@dlcarmean
nod