[openstack-dev] [Fuel] [OSTF] OSTF stops working after password is changed
Vitaly Kramskikh
vkramskikh at mirantis.com
Tue Jul 15 16:28:24 UTC 2014
We had a short discussion and decided to implement this feature for 5.1 in
this way:
1. Do not store credentials at all even in browser
2. Do not implement specific handling of auth errors
3. Make the form hidden by default; it can be shown by clicking a button
4. There will be a short description
It will look like this:
http://i.imgur.com/0Uwx0M5.png
http://i.imgur.com/VF1skHw.png
I think we'll change the button text to "Provide Credentials" and the
description to "If you changed the credentials after deployment, you need
to provide new ones to run the checks. The credentials won't be stored
anywhere.". Your suggestions are welcome.
2014-07-12 2:54 GMT+04:00 David Easter <deaster at mirantis.com>:
> I think showing this only upon failure is good – if the user is also given
> the option to sore the credentials in the browser. That way, you only have
> to re-enter the credentials once if you want convenience, or do it every
> time if you want improved security.
>
> One downside would be that if you don’t cache the credentials, you’ll have
> to “fail” the auth every time to be given the chance to re-enter the
> credentials. It may not be obvious that clicking “run tests” will then let
> you enter new credentials. I was thinking that having a button you can
> press to enter the credentials would make it more obvious, but wouldn’t
> reduce the number of clicks… I.e. either run tests and fail or click “Enter
> credentials” and enter new ones. The “Enter credential” option would
> obviously be a little faster…
>
> - David J. Easter
> Director of Product Management, Mirantis, Inc.
>
> From: Mike Scherbakov <mscherbakov at mirantis.com>
> Reply-To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
> Date: Friday, July 11, 2014 at 2:36 PM
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
> Subject: Re: [openstack-dev] [Fuel] [OSTF] OSTF stops working after
> password is changed
>
> I'm wondering if we can show all these windows ONLY if there is authz
> failure with existing credentials from Nailgun.
> So the flow would be: user clicks on "Run tests" button, healthcheck tries
> to access OpenStack and fails. It shows up text fields to enter
> tenant/user/pass with the message similar to "Default administrative
> credentials to OpenStack were changed since the deployment time. Please
> provide current credentials so HealthCheck can access OpenStack and run
> verification tests."
>
> I think it should be more obvious this way...
>
> Anyone, it must be a choice for a user, if he wants to store creds in a
> browser.
>
>
> On Fri, Jul 11, 2014 at 8:50 PM, Vitaly Kramskikh <vkramskikh at mirantis.com
> > wrote:
>
>> Hi,
>>
>> In the current implementation we store provided credentials in browser
>> local storage. What's your opinion on that? Maybe we shouldn't store new
>> credentials at all even in browser? So users have to enter them manually
>> every time they want to run OSTF.
>>
>>
>> 2014-06-25 13:47 GMT+04:00 Dmitriy Shulyak <dshulyak at mirantis.com>:
>>
>> It is possible to change everything so username, password and tenant
>>> fields
>>>
>>> Also this way we will be able to run tests not only as admin user
>>>
>>>
>>> On Wed, Jun 25, 2014 at 12:29 PM, Vitaly Kramskikh <
>>> vkramskikh at mirantis.com> wrote:
>>>
>>>> Dmitry,
>>>>
>>>> Fields or field? Do we need to provide password only or other
>>>> credentials are needed?
>>>>
>>>>
>>>> 2014-06-25 13:02 GMT+04:00 Dmitriy Shulyak <dshulyak at mirantis.com>:
>>>>
>>>> Looks like we will stick to #2 option, as most reliable one.
>>>>>
>>>>> - we have no way to know that openrc is changed, even if some scripts
>>>>> relies on it - ostf should not fail with auth error
>>>>> - we can create ostf user in post-deployment stage, but i heard that
>>>>> some ceilometer tests relied on admin user, also
>>>>> operator may not want to create additional user, for some reasons
>>>>>
>>>>> So, everybody is ok with additional fields on HealthCheck tab?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 20, 2014 at 8:17 PM, Andrew Woodward <xarses at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> The openrc file has to be up to date for some of the HA scripts to
>>>>>> work, we could just source that.
>>>>>>
>>>>>> On Fri, Jun 20, 2014 at 12:12 AM, Sergii Golovatiuk
>>>>>> <sgolovatiuk at mirantis.com> wrote:
>>>>>> > +1 for #2.
>>>>>> >
>>>>>> > ~Sergii
>>>>>> >
>>>>>> >
>>>>>> > On Fri, Jun 20, 2014 at 1:21 AM, Andrey Danin <adanin at mirantis.com>
>>>>>> wrote:
>>>>>> >>
>>>>>> >> +1 to Mike. Let the user provide actual credentials and use them
>>>>>> in place.
>>>>>> >>
>>>>>> >>
>>>>>> >> On Fri, Jun 20, 2014 at 2:01 AM, Mike Scherbakov
>>>>>> >> <mscherbakov at mirantis.com> wrote:
>>>>>> >>>
>>>>>> >>> I'm in favor of #2. I think users might not want to have their
>>>>>> password
>>>>>> >>> stored in Fuel Master node.
>>>>>> >>> And if so, then it actually means we should not save it when user
>>>>>> >>> provides it on HealthCheck tab.
>>>>>> >>>
>>>>>> >>>
>>>>>> >>> On Thu, Jun 19, 2014 at 8:05 PM, Vitaly Kramskikh
>>>>>> >>> <vkramskikh at mirantis.com> wrote:
>>>>>> >>>>
>>>>>> >>>> Hi folks,
>>>>>> >>>>
>>>>>> >>>> We have a bug which prevents OSTF from working if user changes a
>>>>>> >>>> password which was using for the initial installation. I skimmed
>>>>>> through the
>>>>>> >>>> comments and it seems there are 2 viable options:
>>>>>> >>>>
>>>>>> >>>> Create a separate user just for OSTF during OpenStack
>>>>>> installation
>>>>>> >>>> Provide a field for a password in UI so user could provide actual
>>>>>> >>>> password in case it was changed
>>>>>> >>>>
>>>>>> >>>> What do you guys think? Which options is better?
>>>>>> >>>>
>>>>>> >>>> --
>>>>>> >>>> Vitaly Kramskikh,
>>>>>> >>>> Software Engineer,
>>>>>> >>>> Mirantis, Inc.
>>>>>> >>>>
>>>>>> >>>> _______________________________________________
>>>>>> >>>> OpenStack-dev mailing list
>>>>>> >>>> OpenStack-dev at lists.openstack.org
>>>>>> >>>>
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>> >>>>
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>
>>>>>> >>> --
>>>>>> >>> Mike Scherbakov
>>>>>> >>> #mihgen
>>>>>> >>>
>>>>>> >>>
>>>>>> >>> _______________________________________________
>>>>>> >>> OpenStack-dev mailing list
>>>>>> >>> OpenStack-dev at lists.openstack.org
>>>>>> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>> >>>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >> --
>>>>>> >> Andrey Danin
>>>>>> >> adanin at mirantis.com
>>>>>> >> skype: gcon.monolake
>>>>>> >>
>>>>>> >> _______________________________________________
>>>>>> >> OpenStack-dev mailing list
>>>>>> >> OpenStack-dev at lists.openstack.org
>>>>>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>> >>
>>>>>> >
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > OpenStack-dev mailing list
>>>>>> > OpenStack-dev at lists.openstack.org
>>>>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>> >
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Andrew
>>>>>> Mirantis
>>>>>> Ceph community
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenStack-dev mailing list
>>>>>> OpenStack-dev at lists.openstack.org
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Vitaly Kramskikh,
>>>> Software Engineer,
>>>> Mirantis, Inc.
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>>
>> --
>> Vitaly Kramskikh,
>> Software Engineer,
>> Mirantis, Inc.
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Mike Scherbakov
> #mihgen
>
> _______________________________________________ OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
--
Vitaly Kramskikh,
Software Engineer,
Mirantis, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140715/157be540/attachment.html>
More information about the OpenStack-dev
mailing list