[openstack-dev] [Fuel] Authentication is turned on - Fuel API and UI

Mike Scherbakov mscherbakov at mirantis.com
Mon Jul 28 13:59:55 UTC 2014


Lukasz,
what do you think about this? Is someone addressing the issues mentioned by
Evgeny?

Thanks,


On Fri, Jul 25, 2014 at 3:31 PM, Evgeniy L <eli at mirantis.com> wrote:

> Hi,
>
> I have several concerns about password changing.
>
> >> Default password can be changed via UI or via fuel-cli. In case of
> >> changing password via UI or fuel-cli password is not stored in any file
> >> only in keystone
>
> It's important to change password in /etc/fuel/astute.yaml
> otherwise it will be impossible for user to run upgrade,
>
> 1. upgrade system uses credentials from /etc/fuel/astute.yaml
>     to authenticate in nailgun
> 2. upgrade system runs puppet to upgrade dockerctl/fuelclient
>     on the host system, puppet uses credentials from /etc/fuel/astute.yaml
>     to update config /etc/fuel/client/config.yaml [1], even if user changed
>     the password in the config for fuelclient, it will be overwritten
>     after upgrade
>
> If we don't want to change credentials in /etc/fuel/astute.yaml
> let's at least add some warning in the documentation.
>
> [1]
> https://github.com/stackforge/fuel-library/blob/705dc089037757ed8c5a25c4cf78df71f9bd33b0/deployment/puppet/nailgun/examples/host-only.pp#L51-L55
>
>
>
> On Thu, Jul 24, 2014 at 6:17 PM, Lukasz Oles <loles at mirantis.com> wrote:
>
>> Hi all,
>>
>> one more thing. You do not need to install keystone in your development
>> environment. By default it runs there in fake mode. Keystone mode is
>> enabled only on iso. If you want to test it locally you have to install
>> keystone and configure nailgun as Kamil explained.
>>
>> Regards,
>>
>>
>> On Thu, Jul 24, 2014 at 3:57 PM, Mike Scherbakov <
>> mscherbakov at mirantis.com> wrote:
>>
>>> Kamil,
>>> thank you for the detailed information.
>>>
>>> Meg, do we have anything documented about authx yet? I think Kamil's
>>> email can be used as a source to prepare user and operation guides for Fuel
>>> 5.1.
>>>
>>> Thanks,
>>>
>>>
>>> On Thu, Jul 24, 2014 at 5:45 PM, Kamil Sambor <ksambor at mirantis.com>
>>> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> All parts of code related to stage I and II from blueprint
>>>> http://docs-draft.openstack.org/29/96429/11/gate/gate-fuel-specs-docs/2807f30/doc/build/html/specs/5.1/access-control-master-node.html
>>>> are merged. As a result, Fuel (API and UI) now has
>>>> authentication via keystone, and it is now required by default. Keystone is
>>>> installed in a new container during master installation. We can configure
>>>> the password via fuelmenu during installation (default user:password -
>>>> admin:admin). The password is saved in astute.yaml; admin_token is also
>>>> stored there.
>>>> Almost all endpoints in Fuel are protected and require an
>>>> authentication token. We made an exception for a few endpoints, and they
>>>> are defined in nailgun/middleware/keystone.py in public_url.
>>>> Default password can be changed via UI or via fuel-cli. In case of
>>>> changing password via UI or fuel-cli password is not stored in any file
>>>> only in keystone, so if you forgot password you can change it using
>>>> keystone client from master node and admin_token from astute.yaml using
>>>> command: keystone --os-endpoint=http://10.20.0.2:35357/v2.0 --os-token=admin_token
>>>> password-update .
>>>> Fuel client now uses for authentication the user and password which are
>>>> stored in /etc/fuel/client/config.yaml. The password in this file is not
>>>> changed when it is changed via fuel-cli or UI; the user must change this
>>>> password manually. If the user doesn't want to use the config file, they can
>>>> provide user and password to fuel-cli by flags: --os-username=admin
>>>> --os-password=test. We also added the possibility to change the password
>>>> via fuel-cli; to do this we should
>>>> execute: fuel user --change-password --new-pass=new .
>>>> To run or disable authentication we should change
>>>> /etc/nailgun/settings.yaml (AUTHENTICATION_METHOD) in nailgun container.
>>>>
>>>> Best regards,
>>>> Kamil S.
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Mike Scherbakov
>>> #mihgen
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Łukasz Oleś
>>
>>
>>
>
>
>


-- 
Mike Scherbakov
#mihgen
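
The drift raised in this thread (the password lives in keystone, while /etc/fuel/astute.yaml and /etc/fuel/client/config.yaml are not updated when it changes) can be checked offline on the master node. The sketch below is an added example, not part of the thread or of Fuel's code; the key names FUEL_ACCESS, KEYSTONE_USER and KEYSTONE_PASS and the sample file contents are assumptions constructed for illustration.

```python
import re

# Constructed samples. Key names (FUEL_ACCESS, KEYSTONE_USER, KEYSTONE_PASS)
# are assumptions about the file layout; the thread does not show them.
ASTUTE_YAML = """\
HOSTNAME: fuel
FUEL_ACCESS:
  user: admin
  password: admin
"""
CLIENT_YAML = """\
SERVER_ADDRESS: "10.20.0.2"
KEYSTONE_USER: "admin"
KEYSTONE_PASS: "constructed-new-pass"
"""

def read_flat(text):
    """Flatten a simple one- or two-level YAML mapping into {'A.b': value}."""
    out, parent = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\s*)([\w-]+):\s*(.*?)\s*$", line)
        if not m:
            continue  # comments, blank lines, list items
        indent, key, val = m.groups()
        val = val.strip("\"'")
        if indent and parent:
            out[f"{parent}.{key}"] = val
        elif not indent:
            parent = key if val == "" else None
            if val:
                out[key] = val
    return out

def audit(astute_text, client_text):
    """Return finding codes; the passwords themselves are never returned."""
    a, c = read_flat(astute_text), read_flat(client_text)
    master = (a.get("FUEL_ACCESS.user"), a.get("FUEL_ACCESS.password"))
    client = (c.get("KEYSTONE_USER"), c.get("KEYSTONE_PASS"))
    findings = []
    if None in master + client:
        findings.append("MISSING_CREDENTIALS")
    if master == ("admin", "admin"):
        findings.append("DEFAULT_ADMIN_ADMIN")  # fuelmenu default never changed
    if master != client:
        # astute.yaml is what the upgrade uses and what puppet writes back
        findings.append("CLIENT_CONFIG_DRIFT")
    return findings

if __name__ == "__main__":
    print(audit(ASTUTE_YAML, CLIENT_YAML))
```

A clean result only shows that the two files agree with each other; whether they match the password held in keystone still has to be confirmed by authenticating against it.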