[openstack-dev] [Fuel] Additional user account in the OpenStack for fetching OpenStack workloads

Andrew Woodward xarses at gmail.com
Thu Feb 19 17:04:18 UTC 2015


We should assume that the admin credentials are already invalid. We have
some possible options that I can think of:

- Create an additional user. The risk here is that it will be deleted,
  disabled or re-keyed, the same as with admin.
- Use the existing service accounts (nova, neutron, keystone, cinder) (this
  is the plan for removing deps on ~/openrc)


> The questions are:
>
>    1. Does anybody have a feature which also requires an additional OpenStack
>    user?
>

moving from admin / openrc back to service accounts

>
>    1. We need only read-only access for fetching workloads. But if anybody
>    wants to use this user for other tasks, we can grant the required rights to the
>    user. Should we create the user with full access or restrict it to read-only
>    access?
>

read only would be preferred, we should have the least amount of access
possible to complete the snooping. It reduces attack surfaces

>
>    1. Should the credentials of the user be the same for all environments?
>

I would attempt to keep them unique per env

>
>    1. Where is the best place for storing the credentials of the user? DB or
>    yaml?
>

It will have to be sent to the yaml in order to get the deployment task to
create it, but you will also want to store it in the db.

>
>    1. Should we have a UI for changing credentials?
>

Yes, we should probably be able to change the credential, however I could
see it being postponed until 7.0

>
>    1. Maybe we should use 'admin' user credentials and just notify in
>    the UI if credentials are not valid and we can't collect workloads?
>

We can and should consider the admin credentials invalid and should not
use them

> Please, share your thoughts.
>



On Tue, Feb 10, 2015 at 3:02 AM, Alexander Kislitsky <
akislitsky at mirantis.com> wrote:

> Folks,
>
> We are collecting OpenStack workloads stats. For authentication in
> keystone we are using admin user credentials from Nailgun. Credentials can
> be changed directly in OpenStack and we will lose the possibility of
> fetching information.
>
> This issue can be fixed by creating an additional user account:
>
>    1. I propose to generate additional user credentials after the master node
>    is installed and store them in the master_node_settings table in Nailgun.
>    2. Add an abstraction layer into
>    https://github.com/stackforge/fuel-web/blob/master/nailgun/nailgun/statistics/utils.py#L47
>    for creating the additional user in OpenStack if it doesn't exist.
>
> But this additional user can be useful for other purposes and maybe we
> should save the credentials in another place (settings.yaml for example). And
> maybe creation of the additional user should be implemented outside of the stats
> collecting feature and maybe outside of Nailgun.
>
> Please share your thoughts on this.


-- 
Andrew
Mirantis
Fuel community ambassador
Ceph community