[openstack-dev] [Ironic][Keystone] Move drivers credentials to Keystone

Eoghan Glynn eglynn at redhat.com
Tue Mar 25 12:56:33 UTC 2014

> Hi,
> Right now Ironic is responsible for storing the credentials for the
> IPMI and SSH drivers (and potentially other drivers in the future), I wonder
> if we should delegate this task to Keystone. The Keystone V3 API now has a
> /credentials endpoint which would allow us to specify arbitrary types (not
> only ec2 anymore) and use it as a credential store[1].
> That would avoid further fragmentation of credentials being stored in
> different places in OpenStack, and make the management of the credentials
> easier (Think about a situation where many nodes share the same IPMI
> username/password and we need to update it, if this is stored in Keystone it
> only needs to be updated there once cause nodes will only hold a reference
> to it)
> It was also pointed out to me that setting a hard dependency on Keystone V3 might
> significantly raise the bar for integration with existing clouds*. So
> perhaps we should make it optional? In the same way we can specify a
> username/password or key_filename for the ssh driver we could have a
> reference to a credential in Keystone V3?
> What do you guys think about the idea?

Hi Lucas,

At a high level, this sounds like an excellent idea to me.

IIUC the major blocker to ceilometer taking point on controlling the
IPMI polling cycle has been secure access to these credentials. If these
were available to ceilometer in a controlled way via keystone, then the
IPMI polling cycle could be managed in a very similar way to the ceilo
polling activity on the hypervisor and SNMP daemons.

However, I'm a little fuzzy on the detail of enabling this via keystone
v3, so it would be great to drill down into the detail either on the ML
or at summit. 

For example, would it be in the guise of a trust that delegates limited
privilege to allow the ceilometer user to call GET /credentials to retrieve
the IPMI user/pass?

Or would the project_id parameter to POST /credentials suffice to limit
access to IPMI credentials to the ceilometer tenant only? (as opposed to
allowing any other OpenStack service to access these creds)

In that case, would we need to also decouple the ceilometer user from
the generic service tenant?


> What are the cloud operators/sysadmins
> view on that?
> * There's also some ongoing thoughts about using v3 for other things in
> Ironic (e.g. signed URLs) but that's kinda out of the topic.
> [1]
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#create-credential-post-credentials
> Ironic bp (discussion):
> https://blueprints.launchpad.net/ironic/+spec/credentials-keystone-v3