<div dir="ltr">In the latest version of python-keystoneclient, using admin_token in the auth_token middleware was deprecated. So in the future we need to create a configuration similar to OpenStack's, with a nailgun_service user. In that configuration there should be no problem with upgrades.<div>
We can do it after 5.1.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 28, 2014 at 5:28 PM, Evgeniy L <span dir="ltr"><<a href="mailto:eli@mirantis.com" target="_blank">eli@mirantis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi,</div><div><br></div><div>1. Yes, we can do it, if it's possible to create a new user with admin_token. But it will complicate the upgrade process and will take some time to design/implement and test, because I see several new cases. For example, we need to create the new user in the previous version of the container (we use the nailgun API before the upgrade too), and then in the new container, and in case of rollback delete it from the previous container.</div>
<div><br></div>2. AFAIK, this config is not in the container, it's on the host system, and it will be replaced by puppet on the host system.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">
On Mon, Jul 28, 2014 at 6:37 PM, Lukasz Oles <span dir="ltr"><<a href="mailto:loles@mirantis.com" target="_blank">loles@mirantis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">As I said in another topic, storing the user password in plain text is not an option. <div><br></div><div>Ad. 1.<div>
We can create a special "upgrade_user" with the same rights as the admin user. We can use it to authenticate in nailgun. It can be done after the 5.1 release. </div>
<div><br></div><div>Ad. 2.</div><div>In a perfect world, during the upgrade /etc/fuel/client/config.yaml should be copied to the new container. If that's not possible, a warning in the documentation should be ok.</div></div><div><br></div>
<div>Regards</div></div><div class="gmail_extra"><div><div><br><br><div class="gmail_quote">On Mon, Jul 28, 2014 at 3:59 PM, Mike Scherbakov <span dir="ltr"><<a href="mailto:mscherbakov@mirantis.com" target="_blank">mscherbakov@mirantis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Lukasz,<div>what do you think about this? Is someone addressing the issues mentioned by Evgeny?</div><div>
<br>
</div><div>Thanks,</div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jul 25, 2014 at 3:31 PM, Evgeniy L <span dir="ltr"><<a href="mailto:eli@mirantis.com" target="_blank">eli@mirantis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I have several concerns about password changing.</div><div><div><br></div>
<div>>> <span style="font-family:arial,helvetica,sans-serif;font-size:13px">Default password can be changed via UI or via fuel-cli. In case of changing password via UI or fuel-cli password is not stored in any file only in keystone</span></div>
<div><span style="font-family:arial,helvetica,sans-serif;font-size:13px"><br></span></div></div><div><font face="arial, helvetica, sans-serif">It's important to change the password in /etc/fuel/astute.yaml</font></div><div>
<font face="arial, helvetica, sans-serif">otherwise it will be impossible for the user to run an upgrade:</font></div>
<div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">1. the upgrade system uses credentials from </font><span style="font-family:arial,helvetica,sans-serif">/etc/fuel/astute.yaml</span></div>
<div><span style="font-family:arial,helvetica,sans-serif"> to authenticate in nailgun</span></div><div><span style="font-family:arial,helvetica,sans-serif">2. the upgrade system runs puppet to upgrade dockerctl/fuelclient</span></div>
<div><span style="font-family:arial,helvetica,sans-serif"> on the host system; puppet uses credentials from /etc/fuel/astute.yaml</span></div><div><span style="font-family:arial,helvetica,sans-serif"> to update the config </span><span style="font-family:arial,helvetica,sans-serif;font-size:13px">/etc/fuel/client/config.yaml [1]; even if the user changed</span></div>
<div><span style="font-family:arial,helvetica,sans-serif;font-size:13px"> the password in the config for fuelclient, it will be overwritten after the upgrade</span></div><div><span style="font-family:arial,helvetica,sans-serif;font-size:13px"><br>
</span></div><div>If we don't want to change the credentials in <span style="font-family:arial,helvetica,sans-serif">/etc/fuel/astute.yaml</span></div><div><span style="font-family:arial,helvetica,sans-serif">let's at least add some warning in the documentation.</span></div>
<div><span style="font-family:arial,helvetica,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,helvetica,sans-serif;font-size:13px">[1] </span><span style="font-family:arial,helvetica,sans-serif"><a href="https://github.com/stackforge/fuel-library/blob/705dc089037757ed8c5a25c4cf78df71f9bd33b0/deployment/puppet/nailgun/examples/host-only.pp#L51-L55" target="_blank">https://github.com/stackforge/fuel-library/blob/705dc089037757ed8c5a25c4cf78df71f9bd33b0/deployment/puppet/nailgun/examples/host-only.pp#L51-L55</a></span></div>
<div><span style="font-family:arial,helvetica,sans-serif;font-size:13px"><br></span></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 24, 2014 at 6:17 PM, Lukasz Oles <span dir="ltr"><<a href="mailto:loles@mirantis.com" target="_blank">loles@mirantis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi all,<div><br></div><div>one more thing. You do not need to install keystone in your development environment. By default it runs there in fake mode. Keystone mode is enabled only on the ISO. If you want to test it locally you have to install keystone and configure nailgun as Kamil explained.</div>
<div><br></div><div>Regards,</div></div><div class="gmail_extra"><div><div><br><br><div class="gmail_quote">On Thu, Jul 24, 2014 at 3:57 PM, Mike Scherbakov <span dir="ltr"><<a href="mailto:mscherbakov@mirantis.com" target="_blank">mscherbakov@mirantis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Kamil,<div>thank you for the detailed information.</div><div><br></div><div>Meg, do we have anything documented about authx yet? I think Kamil's email can be used as a source to prepare user and operation guides for Fuel 5.1.</div>
<div><br></div><div>Thanks,</div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div>On Thu, Jul 24, 2014 at 5:45 PM, Kamil Sambor <span dir="ltr"><<a href="mailto:ksambor@mirantis.com" target="_blank">ksambor@mirantis.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr"><div style="font-family:arial,sans-serif;font-size:13px"><font face="arial, helvetica, sans-serif">Hi folks,</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">
<font face="arial, helvetica, sans-serif">All parts of the code related to stages I and II from the blueprint </font><a href="http://docs-draft.openstack.org/29/96429/11/gate/gate-fuel-specs-docs/2807f30/doc/build/html/specs/5.1/access-control-master-node.html" target="_blank">http://docs-draft.openstack.org/29/96429/11/gate/gate-fuel-specs-docs/2807f30/doc/build/html/specs/5.1/access-control-master-node.html</a><font face="arial, helvetica, sans-serif"> are merged. As a result, Fuel (API and UI) </font><span style="font-family:arial,helvetica,sans-serif">now has authentication via keystone, and it is now required by default. Keystone is installed in a new container during master node installation. We can configure the password via fuelmenu during installation (default user:password - admin:admin). The password is saved in astute.yaml; the admin_token is also stored there.</span></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font face="arial, helvetica, sans-serif">Almost all endpoints in Fuel are protected and require an authentication token. We made an exception for a few endpoints; they are defined in nailgun/middleware/keystone.py in public_url.</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font face="arial, helvetica, sans-serif">The default password can be changed via the UI or via fuel-cli. When the password is changed via the UI or fuel-cli it is not stored in any file, only in keystone, so if you forget the password you can change it using the keystone client from the master node and the admin_token from astute.yaml with the command: keystone --os-endpoint=<a href="http://10.20.0.2:35357/v2.0" target="_blank">http://10.20.0.2:35357/v2.0</a> --os-token=admin_token password-update</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font face="arial, helvetica, sans-serif">The Fuel client now uses for authentication the user and password stored in /etc/fuel/client/config.yaml. The password in this file is not changed when it is changed via fuel-cli or the UI; the user must change this password manually. If the user doesn't want to use the config file, they can provide the user and password to fuel-cli via the flags: --os-username=admin --os-password=test. We also added the possibility to change the password via fuel-cli; to do this, execute: fuel user --change-password --new-pass=new</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font face="arial, helvetica, sans-serif">To enable or disable authentication we should change /etc/nailgun/settings.yaml (AUTHENTICATION_METHOD) in the nailgun container.</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font face="arial, helvetica, sans-serif"><br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><font face="arial, helvetica, sans-serif">Best regards,</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><font face="arial, helvetica, sans-serif">Kamil S.</font></div></div>
<br></div></div>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><span><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Mike Scherbakov<br>#mihgen<br><br></div>
</font></span></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br></div></div><div dir="ltr">Łukasz Oleś</div>
</div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Mike Scherbakov<br>#mihgen<br><br></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div dir="ltr">Łukasz Oleś</div>
</font></span></div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Łukasz Oleś</div>
</div>
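<div dir="ltr"><div>Added example, not code from this thread or from the Fuel project: a pre-upgrade check for the credential drift Evgeniy describes. Kamil's message says a password changed through the UI or fuel-cli lands only in keystone, while the upgrade path and the host-side puppet run keep reading /etc/fuel/astute.yaml and rewrite /etc/fuel/client/config.yaml from it. The script below compares the admin user/password pair in the two files and, optionally, checks the astute.yaml password against keystone's v2.0 token API before an upgrade is started. The YAML layouts it parses (a top-level FUEL_ACCESS block with user/password in astute.yaml; flat KEYSTONE_USER/KEYSTONE_PASS keys in the client config), the public endpoint URL and the function names are assumptions for the example, not confirmed by the thread. Values are expected on one line with no embedded spaces.</div></div>

```sh
#!/bin/sh
# Added example (not Fuel's own code). Assumed, hypothetical file layouts:
#   /etc/fuel/astute.yaml          FUEL_ACCESS:
#                                    user: admin
#                                    password: admin
#   /etc/fuel/client/config.yaml   KEYSTONE_USER: admin
#                                  KEYSTONE_PASS: admin

# Print the value of "<key>: <value>" inside the top-level FUEL_ACCESS block of
# astute.yaml. Other top-level blocks (e.g. a database section with its own
# "password:" key) are skipped, so only the Fuel admin credentials are returned.
astute_fuel_access() {  # $1 = astute.yaml path, $2 = key (user | password)
  awk -v key="$2:" '
    /^FUEL_ACCESS:/     { inblk = 1; next }
    inblk && /^[^ \t#]/ { inblk = 0 }                  # next top-level key ends the block
    inblk && $1 == key  { v = $2
                          sub(/^["'\'']/, "", v); sub(/["'\'']$/, "", v)   # strip YAML quotes
                          print v; exit }
  ' "$1"
}

# Print the value of a flat top-level key from the fuel client config.
client_config_value() {  # $1 = config.yaml path, $2 = key (KEYSTONE_USER | KEYSTONE_PASS)
  awk -v key="$2:" '
    $1 == key { v = $2; sub(/^["'\'']/, "", v); sub(/["'\'']$/, "", v); print v; exit }
  ' "$1"
}

# Return 0 when both files carry the same user/password pair, 1 otherwise.
# Passwords are never echoed; only the user names appear in the diagnostic.
fuel_credentials_in_sync() {  # $1 = astute.yaml, $2 = client config.yaml
  a_user=$(astute_fuel_access "$1" user)
  a_pass=$(astute_fuel_access "$1" password)
  c_user=$(client_config_value "$2" KEYSTONE_USER)
  c_pass=$(client_config_value "$2" KEYSTONE_PASS)
  if [ -z "$a_user" ] || [ -z "$a_pass" ]; then
    echo "no FUEL_ACCESS user/password found in $1" >&2
    return 1
  fi
  if [ "$a_user" = "$c_user" ] && [ "$a_pass" = "$c_pass" ]; then
    return 0
  fi
  echo "credential drift: $1 has user '$a_user', $2 has user '${c_user:-<none>}' (passwords differ or missing)" >&2
  return 1
}

# Live check (needs network, not exercised offline): does the password in
# astute.yaml still authenticate against keystone's v2.0 token API? The JSON
# body is fed on stdin so the password does not show up in the process list.
keystone_password_valid() {  # $1 = astute.yaml, $2 = endpoint, e.g. http://10.20.0.2:5000/v2.0
  user=$(astute_fuel_access "$1" user)
  pass=$(astute_fuel_access "$1" password)
  body=$(printf '{"auth":{"passwordCredentials":{"username":"%s","password":"%s"}}}' "$user" "$pass")
  code=$(printf '%s' "$body" | curl -s -o /dev/null -w '%{http_code}' \
           -H 'Content-Type: application/json' -d @- "$2/tokens")
  [ "$code" = "200" ]
}

# Stand-alone use on a master node:  sh check_fuel_creds.sh /etc/fuel/astute.yaml /etc/fuel/client/config.yaml
if [ "$#" -eq 2 ]; then
  if fuel_credentials_in_sync "$1" "$2"; then
    echo "astute.yaml and client config agree; safe to run the upgrade"
  else
    echo "fix /etc/fuel/astute.yaml (and the client config) before upgrading" >&2
    exit 1
  fi
fi
```

<div dir="ltr"><div>Run the file check first; if it passes, run keystone_password_valid against the endpoint the master node actually exposes to confirm that the astute.yaml password is the one keystone still accepts, since a password changed via the UI changes keystone but neither file. A non-zero exit from either check is the signal to update astute.yaml (or warn the operator) before dockerctl/fuelclient are upgraded.</div></div>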