[openstack-dev] [Fuel] Additional user account in the OpenStack for fetching OpenStack workloads
Andrew Woodward
xarses at gmail.com
Thu Feb 19 17:04:18 UTC 2015
We should assume that the admin credentials are already invalid. We have
some possible options that I can think of:

1. Create an additional user. The risk here is that it will be deleted,
disabled or re-keyed, the same as with admin.
2. Use the existing service accounts (nova, neutron, keystone, cinder) (this
is the plan for removing deps on ~/openrc)

> The questions are:
>
> 1. Does anybody have a feature which also requires an additional OpenStack
> user?

moving from admin / openrc back to service accounts

> 2. We need only readonly access for fetching workloads. But if anybody
> wants to use this user for other tasks, we can grant the required rights to the
> user. Should we create a user with full access or restrict them to readonly
> access?

read only would be preferred, we should have the least amount of access
possible to complete the snooping. It reduces attack surfaces

> 3. Should the credentials of the user be the same for all environments?

I would attempt to keep them unique per env

> 4. Where is the best place for storing the credentials of the user? DB or
> yaml?

It will have to be sent to the yaml in order to get the deployment task to
create it, but you will also want to store it in the db.

> 5. Should we have a UI for changing credentials?

Yes, we should probably be able to change the credential, however I could
see it being postponed until 7.0

> 6. Maybe we should use the 'admin' user credentials and just notify in
> the UI if the credentials are not valid and we can't collect workloads?

We can and should consider the admin credentials invalid and should not
use them

Please, share your thoughts.
>
On Tue, Feb 10, 2015 at 3:02 AM, Alexander Kislitsky <
akislitsky at mirantis.com> wrote:
> Folks,
>
> We are collecting OpenStack workloads stats. For authentication in
> keystone we are using admin user credentials from Nailgun. The credentials can
> be changed directly in OpenStack and we will lose the possibility of
> fetching information.
>
> This issue can be fixed by creating an additional user account:
>
> 1. I propose to generate additional user credentials after the master node
> is installed and store them in the master_node_settings table in Nailgun.
> 2. Add an abstraction layer into
> https://github.com/stackforge/fuel-web/blob/master/nailgun/nailgun/statistics/utils.py#L47
> for creating the additional user in OpenStack if it doesn't exist.
>
> But this additional user can be useful for other purposes and maybe we
> should save the credentials in another place (settings.yaml for example). And maybe
> creation of the additional user should be implemented outside of the stats
> collecting feature and maybe outside of Nailgun.
>
> Please share your thoughts on this.
>
--
Andrew
Mirantis
Fuel community ambassador
Ceph community