Fuel-managed OpenStack nodes should be accessible using a non-root account only

Registered by Omar Rivera

As an OpenStack administrator using Fuel, I want to access the slave node using a non-superuser account. Many enterprise security policies prohibit the use of the root account on any node.

* Remote root SSH access to the slave nodes should be disabled (i.e. PermitRootLogin no)
* User should be able to specify the account name

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Omar Rivera
Direction: Needs approval
Assignee: Dmitry Nikishov
Definition: Approved
Series goal: Proposed for mitaka
Implementation: Unknown
Milestone target: 9.0

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp-fuel-nonsuperuser,n,z

Addressed by: https://review.openstack.org/243340
    Run Fuel slave nodes as non-root

Addressed by: https://review.openstack.org/258185
    Added OS user account settings to provisioning serializers

Addressed by: https://review.openstack.org/258200
    Create non-root user account during image build process

Addressed by: https://review.openstack.org/258671
    Create additional openrc for a non-root account

Addressed by: https://review.openstack.org/272601
    Introduced versioned cloud_config templates

Addressed by: https://review.openstack.org/257618
    Added OS user account settings to openstack.yaml

Addressed by: https://review.openstack.org/278953
    Changed ceph manifests to work without root SSH

Addressed by: https://review.openstack.org/278954
    Added $root_login to osnailyfacter::ssh

Addressed by: https://review.openstack.org/280143
    Moved SSH credentials to config templates

Addressed by: https://review.openstack.org/280151
    Added separate master/slave node credentials to templates

Addressed by: https://review.openstack.org/280202
    Added ProvisioningSerializer90

Addressed by: https://review.openstack.org/281262
    Allowed to pass SSH credentials as parameters

Addressed by: https://review.openstack.org/281776
    Separated Fuel and Slave nodes credentials

Addressed by: https://review.openstack.org/281865
    Allowed to pass SSH credentials as parameters

Gerrit topic: https://review.openstack.org/#q,topic:280202,n,z

Addressed by: https://review.openstack.org/284599
    Added ssh-user parameter to dump configuration

Addressed by: https://review.openstack.org/284682
    Use "ssh-user" parameter from Nailgun for SSH connections

Addressed by: https://review.openstack.org/285299
    Use non-root account when connecting to slave nodes.

Addressed by: https://review.openstack.org/286125
    Added UserAccount object

Addressed by: https://review.openstack.org/286481
    Moved root and service user passwords to editable attributes

Addressed by: https://review.openstack.org/286487
    Moved root and service user passwords to editable attributes

Gerrit topic: https://review.openstack.org/#q,topic:porting/fuel-nonroot-openstack-nodes,n,z

Addressed by: https://review.openstack.org/306419
    Allowed to pass SSH credentials as parameters

Addressed by: https://review.openstack.org/323508
    Pass sudo parameter to shotgun
