Open Stack

** Changed in: nova
   Importance: Undecided => Wishlist

** Summary changed:

- RFE: allow admin to upload SSH keypair on behalf of an user
+ Allow admin to upload SSH keypair on behalf of an user

** Tags added: api security

** Tags removed: security

** Tags added: low-hanging-fruit

** Changed in: nova
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1450454

Title:
  Allow admin to upload SSH keypair on behalf of an user

Status in OpenStack Compute (Nova):
  Confirmed

Bug description:
  I am setting up OpenStack instance configuration in Ansible manifest,
  so in case of a failure, I can rebuild the instance. We have a lot of
  users and we have central storage of their ssh keys.

  I can upload the SSH keys at early hours of OpenStack instance by:
    nova --os-username USER1 --os-password USER1_PASSWORD --os-tenant-name FOO keypair-add --pub-key user1.pub user1

  However this require that we track the password we initially set and I could not do that once user changes his password (and I do not know the password).
  I can then do:
    nova --os-username ADMIN --os-password ADMIN_PASSWORD --os-tenant-name FOO keypair-add --pub-key user1.pub user1
  but then  user1 does not see this keypair and is unable to manage his own key.

  It would be nice if admin user can upload and delete ssh key on behalf
  of user. I.e. admin uploads ssh key  for user and that user can
  see/delete that ssh key.

  This way when user alter his ssh key on central repository, we can
  sync it to OpenStack. It will tighten security because we would not
  need to track users initial passwords separetely. And lower need of
  human assistance when reprovision whole OpenStack infrastructure.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1450454/+subscriptions