From 6bb15ffa89046caad09a4046efd3ed82fd20bb33 Mon Sep 17 00:00:00 2001 From: ramishra Date: Wed, 16 Jun 2021 15:04:25 +0530 Subject: [PATCH] Add spec for keystoneless undercloud Propose deploying undercloud without keystone. Change-Id: I78bccf6eecedc11e45c862f660eac47b42cefde4 --- specs/xena/keystoneless-undercloud.rst | 196 +++++++++++++++++++++++++ 1 file changed, 196 insertions(+) create mode 100644 specs/xena/keystoneless-undercloud.rst diff --git a/specs/xena/keystoneless-undercloud.rst b/specs/xena/keystoneless-undercloud.rst new file mode 100644 index 00000000..0fba8852 --- /dev/null +++ b/specs/xena/keystoneless-undercloud.rst 
@@ -0,0 +1,196 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + +====================================================== +Support Keystoneless Undercloud (basic auth or noauth) +====================================================== + +The goal of this proposal is to introduce the community to the idea of +removing Keystone from TripleO undercloud and run the remaining OpenStack +services either with basic authentication or noauth (i.e. Standalone mode). + + +Problem Description +=================== + +With the goal of having a thin undercloud we've been simplifying the +undercloud architecture since a few cycles and have removed a number +of OpenStack services. After moving to use `network_data_v2`_ and +`ephemeral_heat`_ by default, we are left only with neutron, ironic +and ironic-inspector services. + +Keystone authentication and authorization does not add lot of value to the +undercloud. We use `admin` and `admin` project for everything. There are +also few service users (one per service) for communication between services. +Most of the overcloud deployment and configuration is done as the os user. +Also, for large deployments we increase token expiration time to a large +value which is orthogonal to keystone security. + + +Proposed Change +=============== + +Overview +-------- + +At present, we have keystone running in the undercloud providing catalog, +authentication/authorization services to the remaining deployed services +neutron, ironic and ironic-inspector. Ephemeral heat uses a fake keystone +client which does not talk to keystone. + +All these remaining services are capabale of running standalone using either +`http_basic` or `noauth` auth_strategy and clients using openstacksdk and +keystoneauth can use `HTTPBasicAuth` or `NoAuth` identity plugins with the +standalone services. 
+ +The proposal is to deploy these OpenStack services either with basic auth or +noauth and remove keystone from the undercloud by default. + +- Deploy ironic/ironic-inspector/neutron with `http_basic` (default) or `noauth` + +This would also allow us to remove some additional services like `memcached` +from the undercloud mainly used for authtoken caching. + + +Alternatives +------------ + +- Keep keystone in the undercloud as before. + + +Security Impact +--------------- + +There should not be any significant security implications by disabling keystone +on the undercloud as there are no multi-tenancy and RABC requirements for +undercloud users/operators. Deploying baremetal and networking services with `http_basic` authentication would protect against any possible intrusion as before. + + +Upgrade Impact +-------------- + +There will be no upgrade impact; this change will be transparent to the +end-user. + + +Other End User Impact +--------------------- + +None. + + +Performance Impact +------------------ + +Disabling authentication and authorization would make the API calls faster and +the overall resource requirements of undercloud would reduce. + + +Other Deployer Impact +--------------------- + +None + +Developer Impact +---------------- + +None. + + +Implementation +============== + +- Add THT support for configuring `auth_strategy` for ironic and neutron + services and manage htpasswd files used for basic authentication by the + ironic services. + +.. code-block:: yaml + + IronicAuthStrategy: http_basic + NeutronAuthStrategy: http_basic + +- Normally, Identity service middleware provides a X-Project-Id header based on + the authentication token submitted by the service client. However when keystone + is not available neutron expects `project_id` in the `POST` requests (i.e create + API). Also, metalsmith communicates with `neutron` to create `ctlplane` ports for + instances. 
+ + Add a middleware for neutron API `http_basic` pipeline to inject a fake project_id + in the context. + +- Add basic authentication middleware to oslo.middleware and use it for undercloud + neutron. + +- Create/Update clouds.yaml to use `auth_type: http_basic` and use endpoint overrides + for the public endpoints with `_endpoint_override` entries. We + would leverage the `EndpointMap` and change `extraconfig/post_deploy` to create + and update clouds.yaml. + +.. code-block:: yaml + + clouds: + undercloud: + auth: + password: piJsuvz3lKUtCInsiaQd4GZ1w + username: admin + auth_type: http_basic + baremetal_api_version: '1' + baremetal_endpoint_override: https://192.168.24.2:13385 + baremetal_introspection_endpoint_override: https://192.168.24.2:13050 + network_api_version: '2' + network_endpoint_override: https://192.168.24.2:13696 + +Assignee(s) +----------- + +Primary assignee: + ramishra + +Other contributors: + + +Work Items +---------- + +- Add basic authentication middleware in oslo.middleware + https://review.opendev.org/c/openstack/oslo.middleware/+/802234 +- Support `auth_strategy` with ironic and neutron services + https://review.opendev.org/c/openstack/tripleo-heat-templates/+/798241 +- Neutron middleware to add fake project_id to noauth pipleline + https://review.opendev.org/c/openstack/neutron/+/799162 +- Configure neutron paste deploy for basic authentication + https://review.opendev.org/c/openstack/tripleo-heat-templates/+/804598 +- Disable keystone by default + https://review.opendev.org/c/openstack/tripleo-heat-templates/+/794912 +- Add option to enable keystone if required + https://review.opendev.org/c/openstack/python-tripleoclient/+/799409 +- Other patches: + https://review.opendev.org/c/openstack/tripleo-ansible/+/796991 + https://review.opendev.org/c/openstack/tripleo-common/+/796825 + https://review.opendev.org/c/openstack/tripleo-ansible/+/797381 + https://review.opendev.org/c/openstack/tripleo-heat-templates/+/799408 + + +Dependencies 
+============ + +Ephemeral heat and network-data-v2 are used as defaults. + + +Documentation Impact +==================== + +Update the undercloud installation and upgrade guides. + + +References +========== + +* `network_data_v2`_ specification +* `ephemeral_heat`_ specification + +.. _network_data_v2: https://specs.openstack.org/openstack/tripleo-specs/specs/wallaby/triplo-network-data-v2-node-ports.html +.. _ephemeral_heat: https://specs.openstack.org/openstack/tripleo-specs/specs/wallaby/ephemeral-heat-overcloud.html
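Review bot: the Security Impact section overstates the guarantee and skips the weaker of the two modes the spec proposes. The Proposed Change offers `noauth` as a first-class option next to `http_basic` ("either with basic auth or noauth"), but Security Impact only discusses `http_basic` and then claims it "would protect against any possible intrusion as before"; a `noauth` pipeline performs no authentication at all, and `http_basic` sends the `admin` password in every request, so it is only as strong as the TLS on the endpoints (the sample clouds.yaml points at the TLS ports, yet the text never states that TLS is required) and as the protection of the htpasswd files the THT change will manage. Suggest replacing that sentence with the actual threat model, for example: "`http_basic` requires TLS on every undercloud endpoint; `noauth` is only acceptable on an isolated ctlplane; htpasswd files must not be readable by unprivileged users", and noting that the generated clouds.yaml stores the admin password in clear text on the undercloud host. Three related wording issues in the same hunk: Upgrade Impact says the change is "transparent to the end-user", but clouds.yaml switches to `auth_type: http_basic` with `_endpoint_override` entries and a work item adds an "option to enable keystone if required", so existing tooling that expects keystone tokens or a service catalog is affected and should be listed; Performance Impact says "Disabling authentication and authorization would make the API calls faster", which only holds for `noauth`, since `http_basic` still checks each request against the htpasswd file; and typos "capabale", "RABC" (RBAC) and "pipleline".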