477c488662
lots of blueprints and specs have bumped around from backlog to mitaka and back. added a new ongoing section for things like python3 and functional testing Change-Id: I52f704635dd53ea26298d2547408286bac0b230c
150 lines
4.3 KiB
ReStructuredText
..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.

 http://creativecommons.org/licenses/by/3.0/legalcode

==================
Bootstrap via CLI
==================

`bp bootstrap <https://blueprints.launchpad.net/keystone/+spec/bootstrap>`_

Replace the ADMIN_TOKEN means of initializing a cluster with a CLI that has to
be executed on the same machine as the Keystone installation.


Problem Description
===================

`ADMIN_TOKEN` is a poor approach for initializing a deployment. It
poses a huge security risk for any site that fails to disable it
after initial deployment. Since it is removed after the site is live,
there is no means to re-enable it without A) restarting the service
and B) providing a huge surface for attack. However, for a broken
system, sometimes it is the only tool that can effectively fix things.

`ADMIN_TOKEN` is specified in the config file, which means that anyone
with read access to the file has unlimited ability to effect
change in a keystone system. This is one of the values that forces the
config file to be readable only by root and the keystone service. This
limits non-root users' ability to read the config to determine the
state of the system and help troubleshoot.


Proposed Change
===============

Replace ADMIN_TOKEN with a set of CLI operations that effect the
necessary changes to initialize a keystone server:

keystone-manage bootstrap

+---------------------------+-------+-----------------------------------------+
|Parameter                  |Default|Meaning                                  |
+===========================+=======+=========================================+
|bootstrap-username         |admin  |The username of the initial keystone user|
|                           |       |during bootstrap process.                |
+---------------------------+-------+-----------------------------------------+
|bootstrap-password         |None   |The bootstrap user password              |
+---------------------------+-------+-----------------------------------------+
|bootstrap-generate-password|None   |If set, will generate password           |
|                           |       |automatically and return it in the output|
+---------------------------+-------+-----------------------------------------+
|bootstrap-project-name     |admin  |The initial project created during the   |
|                           |       |keystone bootstrap process.              |
+---------------------------+-------+-----------------------------------------+
|bootstrap-role-name        |admin  |The initial role-name created during     |
|                           |       |the keystone bootstrap process.          |
+---------------------------+-------+-----------------------------------------+


Alternatives
------------

Direct database access, which would bypass all of the logic in the
system.

Precanned Database scripts, which would always put the system into a
known state; high risk of error and duplication, no way to fix a
wedged system.


Security Impact
---------------

Should reduce the attack surface of the Keystone server. Anyone that
can read the config file can effect these changes now. With this
change, the user access would be limited to the same Unix users that
run the Keystone process, and would be managed via sudo.
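
One way to check a deployment for the exposure described above, as an added example that is not part of the original spec or Keystone's own code. It assumes the `admin_token` option lives in `[DEFAULT]` of the keystone config file and that the paste pipeline filter is named `admin_token_auth`; the file paths are arguments, and the sample files are constructed.

```python
import configparser
import stat
import tempfile
from pathlib import Path


def _load(path):
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(path)
    return parser


def audit_admin_token(conf_path, paste_path):
    """Return findings showing that ADMIN_TOKEN access is still reachable."""
    findings = []
    # [DEFAULT] is configparser's defaults section, so read it via defaults().
    if _load(conf_path).defaults().get("admin_token", "").strip():
        findings.append("admin_token set in [DEFAULT]")
        if stat.S_IMODE(Path(conf_path).stat().st_mode) & stat.S_IROTH:
            findings.append("config holding admin_token is world-readable")
    paste = _load(paste_path)
    for section in paste.sections():
        names = paste.get(section, "pipeline", fallback="").split()
        if section.startswith("pipeline:") and "admin_token_auth" in names:
            findings.append(f"admin_token_auth in [{section}]")
    return findings


def demo():
    samples = {  # constructed samples: (config text, file mode, paste text)
        "before": ("[DEFAULT]\nadmin_token = CONSTRUCTED-SAMPLE\n", 0o644,
                   "[pipeline:api_v3]\npipeline = admin_token_auth service_v3\n"),
        "after": ("[DEFAULT]\n#admin_token = <None>\n", 0o640,
                  "[pipeline:api_v3]\npipeline = service_v3\n"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (conf_text, mode, paste_text) in samples.items():
            conf = Path(tmp, f"{name}-keystone.conf")
            paste = Path(tmp, f"{name}-keystone-paste.ini")
            conf.write_text(conf_text)
            paste.write_text(paste_text)
            conf.chmod(mode)
            results[name] = audit_admin_token(conf, paste)
    return results


if __name__ == "__main__":
    print(demo())
```
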


Notifications Impact
--------------------

The same notifications generated when these changes are made via the
API will be generated via this API.

Other End User Impact
---------------------

This will change how CMSs interact with Keystone. The `ADMIN_TOKEN`
approach will be deprecated.

Performance Impact
------------------

None


Other Deployer Impact
---------------------

This will remove the ability to use `ADMIN_TOKEN` to troubleshoot, and
replace it with a more controlled approach.

Developer Impact
----------------

None

Implementation
==============

Assignee(s)
-----------

Primary assignee:
  morganfainberg

Other contributors:
  ayoung

Work Items
----------

* Enable bootstrap CLI
* deprecate ADMIN_TOKEN
* update devstack to use bootstrap
* remove admin_token from pipeline

Many releases later:

* remove support for ADMIN_TOKEN

Dependencies
============

None

Documentation Impact
====================

Will change how all downstream projects initialize Keystone.


References
==========