<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr">Keep in mind that Keystone's database has what is considered privileged information in it: notably user passwords (bcrypt or scrypt hashed) and user credentials (encrypted). Even with hashing, it is never recommended to expose these values externally. An example I give is: do you consider the password hashes in your shadow file secure enough to publish publicly? (The answer should be an emphatic "no".) Keystone also contains, in many deployments, PII (personally identifying information); while this is not explicitly part of Keystone, nor recommended to store in Keystone, there could be other legal ramifications to exposing this data en masse, especially if the data would have been protected via the API. </div><div dir="ltr"><br></div><div dir="ltr">I highly recommend, with a security hat on, not connecting to and interacting with Keystone's database directly for this reason. It is possible, even with an ORM, that someone will decide to develop a mechanism to pull user-related information, or there may be an exposure that can leak arbitrary data from within the DB. </div><div dir="ltr"><br></div><div dir="ltr">I will also echo the concerns that you will have a hard time keeping up across versions with the various database schema changes. For example, between Stein and Train, Keystone will have added resource options that are intended to communicate immutability for some resources. These are loaded behind the scenes with a join and translated to something usable via code. The referencing keys are minimalist and may be a simple ID or a 4-letter code instead of the full option name. I am sure Keystone is not the only service that has conventions for data in the database that do not translate to something useful without being run through the API code. 
</div><div dir="ltr"><br></div><div dir="ltr">—Morgan</div><div dir="ltr"><br></div><div dir="ltr"><br>On Aug 25, 2019, at 03:28, Douglas Zhang <<a href="mailto:lychzhz@gmail.com">lychzhz@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small"><p class="gmail-md-end-block gmail-md-p gmail-md-focus" style="box-sizing:border-box;line-height:inherit;margin:0.8em 0px;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">Hello everyone,</span></p><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0.8em 0px;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">Thanks for your attention and advice for this project. We have read each reply thoroughly and the good news is that we’re able to give answers to some questions raised by them.</span></p><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0.8em 0px;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">As Lingxian Kong said:</span></p><blockquote style="box-sizing:border-box;margin:0.8em 0px;border-left:4px solid rgb(223,226,229);padding:0px 15px;color:rgb(119,119,119)"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.8em;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">I have a few questions/suggestions:</span></p><ol class="gmail-ol-list" style="box-sizing:border-box;margin:0.8em 0px 0px;padding-left:30px"><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">It'd be great and gain more attractions if you could provide a demo about how "openstack-admin" looks 
like</span></p></li><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">What OpenStack services has "openstack-admin" already integrated? Is it easy to integrate with others?</span></p></li></ol></blockquote><ol class="gmail-ol-list" style="box-sizing:border-box;margin:0.8em 0px;padding-left:30px"><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">We have deployed </span><span class="gmail-md-link" style="box-sizing:border-box"><a href="http://218.205.220.13:9384/login" style="box-sizing:border-box;color:rgb(65,131,196)"><span class="gmail-md-plain" style="box-sizing:border-box">openstack-admin</span></a><span class="gmail-md-plain" style="box-sizing:border-box"> on a mini openstack cluster as a demo, any access would be welcomed.</span></span></p><ul class="gmail-ul-list" style="box-sizing:border-box;margin:0px;padding-left:30px"><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">Username: </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">openstack-admin</code></span></p></li><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span 
class="gmail-md-plain" style="box-sizing:border-box">Password: </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">@Dem0</code></span></p></li></ul></li><li><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap;display:inline!important"><span class="gmail-md-plain" style="box-sizing:border-box">Since openstack-admin gets the information it needs by querying the SQL database, it’s fairly easy to integrate with all OpenStack services.</span></p><ul class="gmail-ul-list" style="box-sizing:border-box;margin:0px;padding-left:30px"><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">As the demo shows, openstack-admin has integrated </span><span class="gmail-" style="box-sizing:border-box"><strong style="box-sizing:border-box"><span class="gmail-md-plain" style="box-sizing:border-box">nova</span></strong><span class="gmail-md-plain" style="box-sizing:border-box"> (almost all </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">GET</code><span class="gmail-md-plain" style="box-sizing:border-box"> and part of </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">POST</code><span class="gmail-md-plain" style="box-sizing:border-box">), </span><span class="gmail-" style="box-sizing:border-box"><strong style="box-sizing:border-box"><span class="gmail-md-plain" 
style="box-sizing:border-box">cinder</span></strong><span class="gmail-md-plain" style="box-sizing:border-box"> (</span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">GET</code><span class="gmail-md-plain" style="box-sizing:border-box"> and snapshot creation), </span><span class="gmail-" style="box-sizing:border-box"><strong style="box-sizing:border-box"><span class="gmail-md-plain" style="box-sizing:border-box">neutron</span></strong><span class="gmail-md-plain" style="box-sizing:border-box"> (subnets and ports), </span><span class="gmail-" style="box-sizing:border-box"><strong style="box-sizing:border-box"><span class="gmail-md-plain" style="box-sizing:border-box">keystone</span></strong><span class="gmail-md-plain" style="box-sizing:border-box"> (projects) and </span><span class="gmail-" style="box-sizing:border-box"><strong style="box-sizing:border-box"><span class="gmail-md-plain" style="box-sizing:border-box">glance</span></strong><span class="gmail-md-plain" style="box-sizing:border-box"> (images); that’s all we need in our own working environment.</span></span></span></span></span></span></span></span></span></p></li><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">If we need to integrate more services into openstack-admin (e.g. 
adding a </span><span class="gmail-" style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">create instance</code><span class="gmail-md-plain" style="box-sizing:border-box"> button or integrating with swift), it would not be a complex task, either.</span></span></p></li></ul></li></ol><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0.8em 0px;white-space:pre-wrap;display:inline!important"><span class="gmail-md-plain" style="box-sizing:border-box">As Adrian Turjak said:</span></p><blockquote style="box-sizing:border-box;margin:0.8em 0px;border-left:4px solid rgb(223,226,229);padding:0px 15px;color:rgb(119,119,119)"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">The first major issue is that you connect to the databases of the services directly. That's a major issue, both for long term compatibility, and security. The APIs should always be the main point of contact and the ONLY contract that the services have to maintain. By connecting to the database directly you are now relying on a data structure that can, and likely will change, and any security and sanity checking on filters and queries is now handled on your layer rather than the application itself. 
Not only that, but your dashboard also now needs passwords for all the databases, and by the sounds of it all the message queues.</span></p></blockquote><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0.8em 0px;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">And as Mohammed Naser said:</span></p><blockquote style="box-sizing:border-box;margin:0.8em 0px;border-left:4px solid rgb(223,226,229);padding:0px 15px;color:rgb(119,119,119)"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.8em;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">While I agree with you that querying the database is much faster, this introduces two issues that I imagine for users:</span></p><ul class="gmail-ul-list" style="box-sizing:border-box;margin:0.8em 0px;padding-left:30px"><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">Dashboards generally having direct access via SQL is a scary thing from an operator's perspective</span></p></li></ul><ul class="gmail-ul-list" style="box-sizing:border-box;margin:0.8em 0px 0px;padding-left:30px"><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">also, it will make maintaining the project quite hard because I don't think any projects expose a </span><span class="gmail-" style="box-sizing:border-box"><em style="box-sizing:border-box"><span class="gmail-md-plain" style="box-sizing:border-box">stable</span></em><span class="gmail-md-plain" style="box-sizing:border-box"> 
database API.</span></span></p></li></ul></blockquote><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0.8em 0px;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">Well, we’re not surprised that our querying approach would be challenged, since it does sound unsafe. However, we have made some efforts to solve the problems which have been posed:</span></p><ul class="gmail-ul-list" style="box-sizing:border-box;margin:0.8em 0px;padding-left:30px"><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">We use an ORM library to create all queries, which ensures that only those instructions we have specified in the backend (i.e. </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">select</code><span class="gmail-md-plain" style="box-sizing:border-box">, </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">order by</code><span class="gmail-md-plain" style="box-sizing:border-box">, </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">where</code><span class="gmail-md-plain" style="box-sizing:border-box"> and other harmless querying instructions) could be executed, protecting our databases from dangerous attacks like SQL injection. All sanity or security checks would be completed automatically by those library functions.</span></span></span></span></p></li><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">All instructions that </span><span class="gmail-" style="box-sizing:border-box"><strong style="box-sizing:border-box"><span class="gmail-md-plain" style="box-sizing:border-box">may</span></strong><span class="gmail-md-plain" style="box-sizing:border-box"> change the database (e.g. </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">start</code><span class="gmail-md-plain" style="box-sizing:border-box">, </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">shutoff</code><span class="gmail-md-plain" style="box-sizing:border-box">, </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">migrate</code><span class="gmail-md-plain" style="box-sizing:border-box">) would be executed by calling the standard OpenStack API; only pure </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">GET</code><span class="gmail-md-plain" style="box-sizing:border-box"> instructions are implemented by querying the databases directly. We have wrapped each API call with a </span><span style="box-sizing:border-box"><code style="box-sizing:border-box;border:1px solid rgb(231,234,237);background-color:rgb(243,244,244);border-radius:3px;padding:0px 2px;font-size:0.9em">go func() { ... }()</code><span class="gmail-md-plain" style="box-sizing:border-box"> to avoid the extremely long calling period. The results of API calls would be sent back to the frontend asynchronously via WebSocket.</span></span></span></span></span></span></span></p></li></ul><ul class="gmail-ul-list" style="box-sizing:border-box;margin:0.8em 0px;padding-left:30px"><li class="gmail-md-list-item" style="box-sizing:border-box;margin:0px"><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0px 0px 0.5rem;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">Passwords of databases and message queues (and many other kinds of information) are stored in a config file which would be loaded by openstack-admin. Simply by modifying this file, we could stay consistent with all changes to the SQL databases and MQs.</span></p></li></ul><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0.8em 0px;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">I hope my explanation is clear enough, and we’re willing to solve any other possible issues.</span></p><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0.8em 0px;white-space:pre-wrap"><span class="gmail-md-plain" style="box-sizing:border-box">Cheers,</span></p><p class="gmail-md-end-block gmail-md-p" style="box-sizing:border-box;line-height:inherit;margin:0.8em 0px;white-space:pre-wrap"><span class="gmail-md-plain gmail-md-expand" style="box-sizing:border-box">Douglas Zhang</span></p></div></div>
</div></blockquote></body></html>
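The following is an added, constructed illustration of the two points Morgan makes above; it is not code from Keystone or from openstack-admin. It shows that a guard which only permits SELECT statements (the protection the dashboard describes) still hands over every password hash, and that raw resource-option rows are opaque until the service's own code translates them. The table and column names, the sample rows, the bcrypt-shaped placeholder hash and the short option id 'IMMU' standing for 'immutable' are all assumptions modelled loosely on Keystone, not a copy of its schema.

```python
import json
import sqlite3

# Constructed, stripped-down subset of Keystone-like tables (an assumption;
# the real schema has many more tables and changes between releases).
SCHEMA = """
CREATE TABLE local_user (id INTEGER PRIMARY KEY, user_id TEXT, name TEXT);
CREATE TABLE password (id INTEGER PRIMARY KEY, local_user_id INTEGER,
                       password_hash TEXT);
CREATE TABLE project (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE project_option (project_id TEXT, option_id TEXT,
                             option_value TEXT);
"""

# Constructed sample rows. The hash is a bcrypt-shaped placeholder built
# for this example, not a real credential.
FAKE_BCRYPT = "$2b$12$" + "a" * 53
SAMPLE_ROWS = [
    ("INSERT INTO local_user VALUES (1, 'u-1', 'alice')", ()),
    ("INSERT INTO password VALUES (1, 1, ?)", (FAKE_BCRYPT,)),
    ("INSERT INTO project VALUES ('p-1', 'prod')", ()),
    # option_value is stored as JSON text; 'IMMU' is an assumed short id
    # for the 'immutable' option, of the kind the message describes.
    ("INSERT INTO project_option VALUES ('p-1', 'IMMU', 'true')", ()),
]

# Short-id -> option-name map of the kind that lives only in service code.
OPTION_NAMES = {"IMMU": "immutable"}


def build_db():
    """Create and populate the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in SAMPLE_ROWS:
        conn.execute(sql, params)
    return conn


def select_only(conn, sql, params=()):
    """A 'read-only' guard: reject anything that is not a SELECT.

    This is the shape of protection the dashboard relies on. It blocks
    writes and parameterises values, but says nothing about WHICH tables
    or columns may be read.
    """
    verb = sql.lstrip().split(None, 1)[0].upper()
    if verb != "SELECT":
        raise PermissionError("only SELECT statements are allowed")
    return conn.execute(sql, params).fetchall()


def dump_password_hashes(conn):
    """Passes the SELECT-only guard and still returns every password hash."""
    return select_only(
        conn,
        "SELECT lu.name, p.password_hash FROM password p "
        "JOIN local_user lu ON lu.id = p.local_user_id",
    )


# A read allowlist: the extra check a dashboard would need if it insists on
# direct DB access. The 'password' table is deliberately absent.
READ_ALLOWLIST = {
    "project": {"id", "name"},
    "local_user": {"id", "user_id", "name"},
}


def allowlisted_select(conn, table, columns):
    """Read only allowlisted columns. Identifiers come from the allowlist,
    never from user input, so interpolating them into SQL is safe here."""
    if table not in READ_ALLOWLIST or not set(columns) <= READ_ALLOWLIST[table]:
        raise PermissionError(f"{table}.{sorted(columns)} is not readable")
    return select_only(conn, f"SELECT {', '.join(columns)} FROM {table}")


def project_options_raw(conn, project_id):
    """What a raw query sees: an opaque short key and a JSON string."""
    rows = select_only(
        conn,
        "SELECT option_id, option_value FROM project_option "
        "WHERE project_id = ?",
        (project_id,),
    )
    return dict(rows)


def project_options_api_view(conn, project_id):
    """The translation step the API performs on the same rows."""
    raw = project_options_raw(conn, project_id)
    return {OPTION_NAMES.get(k, k): json.loads(v) for k, v in raw.items()}


if __name__ == "__main__":
    db = build_db()
    print("SELECT-only guard still returns:", dump_password_hashes(db))
    print("raw option rows:", project_options_raw(db, "p-1"))
    print("API view of the same rows:", project_options_api_view(db, "p-1"))
```

The point of `allowlisted_select` is that the property a security reviewer cares about is which data can be read, not which SQL verbs can run; a real deployment would enforce the same restriction at the database (a dedicated account with grants limited to specific tables and columns) rather than trusting the dashboard's query builder. The option translation shows why a raw `project_option` row is not meaningful to a consumer that does not carry the service's own id-to-name mapping, which is exactly the kind of convention that changes between releases.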