From 2e794e71acdb27516032a81f5e4750631d826292 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Ole=C5=9B?= Date: Tue, 2 Sep 2014 11:38:49 +0200 Subject: [PATCH] Fuel master access control improvements Blueprint: access-control-master-node-improvments Change-Id: I5d98cdcdc54c1683ab21be8859a668db53eb9d79 --- ...access-control-master-node-improvments.rst | 158 ++++++++++++++++++ 1 file changed, 158 insertions(+) create mode 100644 specs/6.0/access-control-master-node-improvments.rst diff --git a/specs/6.0/access-control-master-node-improvments.rst b/specs/6.0/access-control-master-node-improvments.rst new file mode 100644 index 00000000..f7be717b --- /dev/null +++ b/specs/6.0/access-control-master-node-improvments.rst @@ -0,0 +1,158 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + +========================================== +Fuel Master access control improvements +========================================== + +https://blueprints.launchpad.net/fuel/+spec/access-control-master-node-improvments + +In 5.1 release cycle Fuel Master node access control was introduced. +In next release, some configuration tuning is required to make it easier +to use and upgrade. + +Problem description +=================== + +With current implementation we have following problems: + +* Each request is validated by middleware using keystone admin token. + This method is deprecated. + +* If user changes his password it is not possible to run upgrade. + +* Outdated tokens are not cleaned which in long term + may lead to run out of space. + +* No cookies support so some GET requests from UI can not be validated. + +* After login password is stored in browser cache. + +Proposed change +=============== + +* Create users *nailgun* and *ostf* with admin roles which will be used + to authenticate requests in middleware. Both will be added to new + *services* tenant. + +* Passwords will be generated by fuelmenu for fresh install and by upgrade + script in case of upgrade. + +* During upgrade there will be puppet run for keystone that will add new + project and users. + +* Ask user for password before upgrade. + +* Create cron script which runs in keystone container and deletes outdated + tokens using `keystone-manage token_flush` command. + Script will be run once per day. + +* Add support for cookies, which also will allow to test API from browser. + +* Increase token expiration time to 24h, so it will not be necessary to + store password in browser cache. + +* Add two services to keystone: *nailgun* and *ostf*, toghether with endpoints + pointing to its urls to enable service discovery instead of hardcoded urls. + +* Use `keystonemiddleware` insted of deprecated `keystoneclinet.middleware`. + + +Alternatives +------------ + +None + +Data model impact +----------------- + +There will be two new users, two new services and two new endpoints +in keystone database. + + +REST API impact +--------------- + +None + +Upgrade impact +-------------- + +During the upgrade user will be asked to give an admin user password. + +Security impact +--------------- + +Using service user instead of admin_token to verify is safer. + +Notifications impact +-------------------- + +None + +Other end user impact +--------------------- + +None + +Performance Impact +------------------ + +None + +Other deployer impact +--------------------- + +None + +Developer impact +---------------- + +When cookies support is added developer will be able to test API from browser. + +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + skalinowski@mirantis.com + loles@mirantis.com + +Work Items +---------- + +Must have items: + +* Create new users during fresh install and during upgrade. +* Ask for admin user password before upgrade. +* Remove usage of admin_token in Fuel. + +Rest of the items can be done later and can be done separately. + +Dependencies +============ + +None + +Testing +======= + +All tests from previous blueprint should still apply here. +System tests may require changes to pass the password to the upgrade +script. + +Documentation Impact +==================== + +Documentation describing internal architecture should be created. +It should contain examples how to use curl with API. + +References +========== + +None