[openstack-dev] [Fuel] Authentication is turned on - Fuel API and UI

Evgeniy L eli at mirantis.com
Fri Jul 25 11:31:15 UTC 2014


Hi,

I have several concerns about password changing.

>> Default password can be changed via UI or via fuel-cli. In case of
>> changing password via UI or fuel-cli password is not stored in any file
>> only in keystone

It's important to change the password in /etc/fuel/astute.yaml,
otherwise it will be impossible for the user to run an upgrade:

1. the upgrade system uses credentials from /etc/fuel/astute.yaml
    to authenticate in nailgun
2. the upgrade system runs puppet to upgrade dockerctl/fuelclient
    on the host system; puppet uses credentials from /etc/fuel/astute.yaml
    to update the config /etc/fuel/client/config.yaml [1]; even if the user
    changed the password in the config for fuelclient, it will be overwritten
    after the upgrade

If we don't want to change the credentials in /etc/fuel/astute.yaml,
let's at least add a warning to the documentation.

[1]
https://github.com/stackforge/fuel-library/blob/705dc089037757ed8c5a25c4cf78df71f9bd33b0/deployment/puppet/nailgun/examples/host-only.pp#L51-L55



On Thu, Jul 24, 2014 at 6:17 PM, Lukasz Oles <loles at mirantis.com> wrote:

> Hi all,
>
> one more thing. You do not need to install keystone in your development
> environment. By default it runs there in fake mode. Keystone mode is
> enabled only on iso. If you want to test it locally you have to install
> keystone and configure nailgun as Kamil explained.
>
> Regards,
>
>
> On Thu, Jul 24, 2014 at 3:57 PM, Mike Scherbakov <mscherbakov at mirantis.com> wrote:
>
>> Kamil,
>> thank you for the detailed information.
>>
>> Meg, do we have anything documented about authx yet? I think Kamil's
>> email can be used as a source to prepare user and operation guides for Fuel
>> 5.1.
>>
>> Thanks,
>>
>>
>> On Thu, Jul 24, 2014 at 5:45 PM, Kamil Sambor <ksambor at mirantis.com>
>> wrote:
>>
>>> Hi folks,
>>>
>>> All parts of the code related to stages I and II from the blueprint
>>> <http://docs-draft.openstack.org/29/96429/11/gate/gate-fuel-specs-docs/2807f30/doc/build/html/specs/5.1/access-control-master-node.html>
>>> are merged. As a result, Fuel (API and UI) now has
>>> authentication via keystone, and it is now required by default. Keystone is
>>> installed in a new container during master installation. We can configure
>>> the password via fuelmenu during installation (default user:password -
>>> admin:admin). The password is saved in astute.yaml; admin_token is also
>>> stored there.
>>> Almost all endpoints in Fuel are protected and require an
>>> authentication token. We made an exception for a few endpoints, and they
>>> are defined in nailgun/middleware/keystone.py in public_url.
>>> The default password can be changed via UI or via fuel-cli. When the
>>> password is changed via UI or fuel-cli, it is not stored in any file,
>>> only in keystone, so if you forget the password you can change it using
>>> the keystone client from the master node and admin_token from astute.yaml
>>> using the command: keystone --os-endpoint=http://10.20.0.2:35357/v2.0 --os-token=admin_token
>>> password-update .
>>> Fuel client now uses for authentication the user and password which are
>>> stored in /etc/fuel/client/config.yaml. The password in this file is not
>>> changed when it is changed via fuel-cli or UI; the user must change this
>>> password manually. A user who doesn't want to use the config file can
>>> provide the user and password to fuel-cli by flags:
>>> --os-username=admin --os-password=test. We also added the
>>> possibility to change the password via fuel-cli; to do this we should
>>> execute: fuel user --change-password --new-pass=new .
>>> To run or disable authentication we should change
>>> /etc/nailgun/settings.yaml (AUTHENTICATION_METHOD) in the nailgun container.
>>>
>>> Best regards,
>>> Kamil S.
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>>
>> --
>> Mike Scherbakov
>> #mihgen
>>
>>
>
>
> --
> Łukasz Oleś
>
>
>
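The drift this message warns about (the password changed in keystone and in the client config while /etc/fuel/astute.yaml keeps the old value) can be checked on the master node before an upgrade. The following is an added example, not code from Fuel or from this thread; the YAML key names (FUEL_ACCESS with user/password, KEYSTONE_USER, KEYSTONE_PASS) and the sample file contents are assumptions.

```python
import hmac

# Key names are assumptions, not taken from the thread: FUEL_ACCESS.user/password
# in astute.yaml, KEYSTONE_USER/KEYSTONE_PASS in the fuelclient config.
# Both samples are constructed; on a master node read the real files instead.
SAMPLE_ASTUTE = "HOSTNAME: fuel\nFUEL_ACCESS:\n  user: admin\n  password: admin\n"
SAMPLE_CLIENT = 'SERVER_ADDRESS: "10.20.0.2"\nKEYSTONE_USER: "admin"\nKEYSTONE_PASS: "n3w-Secret"\n'

def parse_simple_yaml(text):
    """Parse the YAML subset needed here: scalars plus one nested mapping level."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip("\"'")
        if raw[0] in " \t" and section is not None:
            data[section][key] = value   # indented line: child of the open section
        elif value == "":
            section = key                # "KEY:" opens a nested mapping
            data[section] = {}
        else:
            section = None
            data[key] = value
    return data

def credential_findings(astute_text, client_text):
    """Compare the two files; findings never echo a password."""
    access = parse_simple_yaml(astute_text).get("FUEL_ACCESS")
    access = access if isinstance(access, dict) else {}
    client = parse_simple_yaml(client_text)
    a_user, a_pass = access.get("user", ""), access.get("password", "")
    c_user, c_pass = str(client.get("KEYSTONE_USER", "")), str(client.get("KEYSTONE_PASS", ""))
    findings = []
    if not a_pass:
        findings.append("astute.yaml: no FUEL_ACCESS password found")
    if a_user != c_user:
        findings.append("user differs between astute.yaml and client config")
    if not hmac.compare_digest(a_pass.encode(), c_pass.encode()):
        findings.append("password differs: an upgrade would use the astute.yaml value")
    if (a_user, a_pass) == ("admin", "admin"):
        findings.append("astute.yaml still holds the default admin:admin")
    return findings

if __name__ == "__main__":
    for finding in credential_findings(SAMPLE_ASTUTE, SAMPLE_CLIENT):
        print("WARNING:", finding)
```

The check compares only the two files; whether either value matches what keystone currently holds still has to be confirmed by authenticating.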