Enforce access control for Fuel Master node

Registered by David J. Easter

Problem:
    Currently, there is no enforced access control on the Fuel UI. In other words, anyone who can connect to the URL can perform any action.

Needed solution:
    Access control needs to be implemented so that individuals are challenged for credentials when they try to access the Fuel master node.

Feature Lead: assignee of this blueprint
Mandatory Design Reviewers: Mike Scherbakov, Stas Bogatkin, Evgeny Li, Vladimir Kuklin
Developers: Lukasz Oles, Kamil Sambor, Matt Mosesohn
QA: Andrey Sledzinskiy

Blueprint information

Status: Complete
Approver: David J. Easter
Priority: Essential
Drafter: David J. Easter
Direction: Approved
Assignee: Łukasz Oleś
Definition: Approved
Series goal: Accepted for 5.1.x
Implementation: Implemented
Milestone target: 5.1
Started by: Łukasz Oleś
Completed by: Vladimir Kuklin

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/access-control-master-node,n,z

Addressed by: https://review.openstack.org/96429
    Blueprint: access-control-master-node

Addressed by: https://review.openstack.org/98814
    Add Fuel user to fuelmenu

Gerrit topic: https://review.openstack.org/#q,topic:bp/secure-fuel-master-services,n,z

Addressed by: https://review.openstack.org/101240
    Add hidden service passwords module to fuelmenu

Addressed by: https://review.openstack.org/101257
    Add master node service passwords from yaml

Addressed by: https://review.openstack.org/102043
    Add keystone container

Addressed by: https://review.openstack.org/102045
    Add keystone container

Addressed by: https://review.openstack.org/102357
    Set default password for admin user

Addressed by: https://review.openstack.org/102501
    Add default password for admin user

Addressed by: https://review.openstack.org/102795
    Add authentication in fuel-cli

Gerrit topic: https://review.openstack.org/#q,topic:ostf_refactoring,n,z

Addressed by: https://review.openstack.org/103055
    Add keystone access support to ostf wsgi

Addressed by: https://review.openstack.org/103192
    Authorization support

Addressed by: https://review.openstack.org/103554
    Added nailgun client role

Addressed by: https://review.openstack.org/103673
    Add keystone proxy to nginx

Addressed by: https://review.openstack.org/103814
    Generate keystone admin token

Addressed by: https://review.openstack.org/103826
    Keystone configuration changes:

Addressed by: https://review.openstack.org/103838
    Add keystone access to astute.yaml for builds

Addressed by: https://review.openstack.org/103897
    Add keystone support for OSTF

Addressed by: https://review.openstack.org/104080
    Add keystone authentication to ostf client

Addressed by: https://review.openstack.org/104104
    Nailgun depends on keystone-client

Addressed by: https://review.openstack.org/104119
    Token passthrough for nailgun client in ostf

Addressed by: https://review.openstack.org/104131
    Add auth support nailgun client

Addressed by: https://review.openstack.org/104151
    Generate keystone admin for save only in fuelmenu

Addressed by: https://review.openstack.org/104168
    Fuel-cli depends on keystone-client

Addressed by: https://review.openstack.org/104903
    Fake Keystone

Addressed by: https://review.openstack.org/97555
    Keystone Authorization for UI

Addressed by: https://review.openstack.org/105113
    Add unit tests for nailgun keystone middleware

Addressed by: https://review.openstack.org/105213
    Install keystone during system upgrade

Addressed by: https://review.openstack.org/105683
    Change password feature in UI

Addressed by: https://review.openstack.org/105767
    Added possibilities to change user password via fuel-cli

Addressed by: https://review.openstack.org/106715
    Turned on authentication

Addressed by: https://review.openstack.org/107342
    Exclude possibility of installing pecan 0.6 inside ostf container
