openstack/fuel-specs
Code Issues Proposed changes
2e7d6b2855
fuel-specs/specs/6.0/access-control-master-node-improvments.rst
Łukasz Oleś 2e794e71ac Fuel master access control improvements 
Blueprint: access-control-master-node-improvments
Change-Id: I5d98cdcdc54c1683ab21be8859a668db53eb9d79
2014-10-08 14:04:54 +02:00

159 lines
3.4 KiB
ReStructuredText
Raw Blame History

..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.
http://creativecommons.org/licenses/by/3.0/legalcode
==========================================
Fuel Master access control improvements
==========================================
https://blueprints.launchpad.net/fuel/+spec/access-control-master-node-improvments
In 5.1 release cycle Fuel Master node access control was introduced.
In next release, some configuration tuning is required to make it easier
to use and upgrade.
Problem description
===================
With current implementation we have following problems:
* Each request is validated by middleware using keystone admin token.
This method is deprecated.
* If user changes his password it is not possible to run upgrade.
* Outdated tokens are not cleaned which in long term
may lead to run out of space.
* No cookies support so some GET requests from UI can not be validated.
* After login password is stored in browser cache.
Proposed change
===============
* Create users *nailgun* and *ostf* with admin roles which will be used
to authenticate requests in middleware. Both will be added to new
*services* tenant.
* Passwords will be generated by fuelmenu for fresh install and by upgrade
script in case of upgrade.
* During upgrade there will be puppet run for keystone that will add new
project and users.
* Ask user for password before upgrade.
* Create cron script which runs in keystone container and deletes outdated
tokens using `keystone-manage token_flush` command.
Script will be run once per day.
* Add support for cookies, which also will allow to test API from browser.
* Increase token expiration time to 24h, so it will not be necessary to
store password in browser cache.
* Add two services to keystone: *nailgun* and *ostf*, toghether with endpoints
pointing to its urls to enable service discovery instead of hardcoded urls.
* Use `keystonemiddleware` insted of deprecated `keystoneclinet.middleware`.
Alternatives
------------
None
Data model impact
-----------------
There will be two new users, two new services and two new endpoints
in keystone database.
REST API impact
---------------
None
Upgrade impact
--------------
During the upgrade user will be asked to give an admin user password.
Security impact
---------------
Using service user instead of admin_token to verify is safer.
Notifications impact
--------------------
None
Other end user impact
---------------------
None
Performance Impact
------------------
None
Other deployer impact
---------------------
None
Developer impact
----------------
When cookies support is added developer will be able to test API from browser.
Implementation
==============
Assignee(s)
-----------
Primary assignee:
skalinowski@mirantis.com
loles@mirantis.com
Work Items
----------
Must have items:
* Create new users during fresh install and during upgrade.
* Ask for admin user password before upgrade.
* Remove usage of admin_token in Fuel.
Rest of the items can be done later and can be done separately.
Dependencies
============
None
Testing
=======
All tests from previous blueprint should still apply here.
System tests may require changes to pass the password to the upgrade
script.
Documentation Impact
====================
Documentation describing internal architecture should be created.
It should contain examples how to use curl with API.
References
==========
None
View Git Blame Copy Permalink