[Openstack-security] [Bug 1450454] Re: RFE: allow admin to upload SSH keypair on behalf of an user
Sylvain Bauza
sbauza at free.fr
Thu May 7 19:38:24 UTC 2015
** Changed in: nova
Importance: Undecided => Wishlist
** Summary changed:
- RFE: allow admin to upload SSH keypair on behalf of an user
+ Allow admin to upload SSH keypair on behalf of an user
** Tags added: api security
** Tags removed: security
** Tags added: low-hanging-fruit
** Changed in: nova
Status: New => Confirmed
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1450454
Title:
Allow admin to upload SSH keypair on behalf of an user
Status in OpenStack Compute (Nova):
Confirmed
Bug description:
I am setting up OpenStack instance configuration in Ansible manifest,
so in case of a failure, I can rebuild the instance. We have a lot of
users and we have central storage of their ssh keys.
I can upload the SSH keys at early hours of OpenStack instance by:
nova --os-username USER1 --os-password USER1_PASSWORD --os-tenant-name FOO keypair-add --pub-key user1.pub user1
However this require that we track the password we initially set and I could not do that once user changes his password (and I do not know the password).
I can then do:
nova --os-username ADMIN --os-password ADMIN_PASSWORD --os-tenant-name FOO keypair-add --pub-key user1.pub user1
but then user1 does not see this keypair and is unable to manage his own key.
It would be nice if admin user can upload and delete ssh key on behalf
of user. I.e. admin uploads ssh key for user and that user can
see/delete that ssh key.
This way when user alter his ssh key on central repository, we can
sync it to OpenStack. It will tighten security because we would not
need to track users initial passwords separetely. And lower need of
human assistance when reprovision whole OpenStack infrastructure.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1450454/+subscriptions
More information about the Openstack-security
mailing list