[openstack-dev] [Fuel] Authentication is turned on - Fuel API and UI
Lukasz Oles
loles at mirantis.com
Mon Jul 28 14:37:38 UTC 2014
As I said in another topic, storing user password in plain text is not an
option.
Ad. 1.
We can create special "upgrade_user" with the same rights as admin user. We
can use it to authenticate in nailgun. It can be done after 5.1 release.
Ad. 2.
In perfect world during upgrade /etc/fuel/client/config.yaml should be
copied to new container. If it's not possible, warning in documentation
should be ok.
Regards
On Mon, Jul 28, 2014 at 3:59 PM, Mike Scherbakov <mscherbakov at mirantis.com>
wrote:
> Lukasz,
> what do you think on this? Is someone addressing the issues mentioned by
> Evgeny?
>
> Thanks,
>
>
> On Fri, Jul 25, 2014 at 3:31 PM, Evgeniy L <eli at mirantis.com> wrote:
>
>> Hi,
>>
>> I have several concerns about password changing.
>>
>> >> Default password can be changed via UI or via fuel-cli. In case of
>> changing password via UI or fuel-cli password is not stored in any file
>> only in keystone
>>
>> It's important to change password in /etc/fuel/astute.yaml
>> otherwise it will be impossible for user to run upgrade,
>>
>> 1. upgrade system uses credentials from /etc/fuel/astute.yaml
>> to authenticate in nailgun
>> 2. upgrade system runs puppet to upgrade dockerctl/fuelclient
>> on the host system, puppet uses credentials from /etc/fuel/astute.yaml
>> to update config /etc/fuel/client/config.yaml [1], even if user
>> changed
>> the password in the config for fuelclient, it will be overwritten
>> after upgrade
>>
>> If we don't want to change credentials in /etc/fuel/astute.yaml
>> lets at least add some warning in the documentation.
>>
>> [1]
>> https://github.com/stackforge/fuel-library/blob/705dc089037757ed8c5a25c4cf78df71f9bd33b0/deployment/puppet/nailgun/examples/host-only.pp#L51-L55
>>
>>
>>
>> On Thu, Jul 24, 2014 at 6:17 PM, Lukasz Oles <loles at mirantis.com> wrote:
>>
>>> Hi all,
>>>
>>> one more thing. You do not need to install keystone in your development
>>> environment. By default it runs there in fake mode. Keystone mode is
>>> enabled only on iso. If you want to test it locally you have to install
>>> keystone and configure nailgun as Kamil explained.
>>>
>>> Regards,
>>>
>>>
>>> On Thu, Jul 24, 2014 at 3:57 PM, Mike Scherbakov <
>>> mscherbakov at mirantis.com> wrote:
>>>
>>>> Kamil,
>>>> thank you for the detailed information.
>>>>
>>>> Meg, do we have anything documented about authx yet? I think Kamil's
>>>> email can be used as a source to prepare user and operation guides for Fuel
>>>> 5.1.
>>>>
>>>> Thanks,
>>>>
>>>>
>>>> On Thu, Jul 24, 2014 at 5:45 PM, Kamil Sambor <ksambor at mirantis.com>
>>>> wrote:
>>>>
>>>>> Hi folks,
>>>>>
>>>>> All parts of code related to stage I and II from blueprint
>>>>> http://docs-draft.openstack.org/29/96429/11/gate/gate-fuel-specs-docs/2807f30/doc/build/html/specs/5.1/access-control-master-node.htm
>>>>> <http://docs-draft.openstack.org/29/96429/11/gate/gate-fuel-specs-docs/2807f30/doc/build/html/specs/5.1/access-control-master-node.html> are
>>>>> merged. In result of that, fuel (api and UI) we now have
>>>>> authentication via keystone and now is required as default. Keystone is
>>>>> installed in new container during master installation. We can configure
>>>>> password via fuelmenu during installation (default user:password -
>>>>> admin:admin). Password is saved in astute.yaml, also admin_token is stored
>>>>> here.
>>>>> Almost all endpoints in fuel are protected and they required
>>>>> authentication token. We made exception for few endpoints and they are
>>>>> defined in nailgun/middleware/keystone.py in public_url .
>>>>> Default password can be changed via UI or via fuel-cli. In case of
>>>>> changing password via UI or fuel-cli password is not stored in any file
>>>>> only in keystone, so if you forgot password you can change it using
>>>>> keystone client from master node and admin_token from astute.yaml using
>>>>> command: keystone --os-endpoint=http://10.20.0.2:35357/v2.0 --os-token=admin_token
>>>>> password-update .
>>>>> Fuel client now use for authentication user and passwords which are
>>>>> stored in /etc/fuel/client/config.yaml. Password in this file is not
>>>>> changed during changing via fuel-cli or UI, user must change this password
>>>>> manualy. If user don't want use config file can provide user and password
>>>>> to fuel-cli by flags: --os-username=admin --os-password=test. We added also
>>>>> possibilities to change password via fuel-cli, to do this we should
>>>>> execute: fuel user --change-password --new-pass=new .
>>>>> To run or disable authentication we should change
>>>>> /etc/nailgun/settings.yaml (AUTHENTICATION_METHOD) in nailgun container.
>>>>>
>>>>> Best regards,
>>>>> Kamil S.
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Mike Scherbakov
>>>> #mihgen
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Łukasz Oleś
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Mike Scherbakov
> #mihgen
>
>
--
Łukasz Oleś
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140728/709a6d78/attachment.html>
More information about the OpenStack-dev
mailing list