Ability to add new keystone users on fuel master using plugin task
Right now, it is not possible to register new users/roles in the keystone database on the fuel master during plugin deployment without knowing the fuel admin credentials.
Why?
For security reasons, we don't keep the fuel admin password in cleartext on the system (right, /root/.
We don't rely on the keystone admin token because it can be disabled, and the deploy will then fail.
We don't want to ask the user to enter the fuel admin password somewhere during install to register new nailgun users/roles, because we are already administrators on the fuel master and should be able to register new users/roles.
How we work around it right now
We use root -> su - postgres -> insert users/roles into the database, and so on.
What's wrong with that?
We don't use the API.
Why do we need this?
We need to register a _new_ keystone user without user interruption, so that we can automate our tasks that depend on the nailgun API.
Proposal.
Simply allow running a permissive keystone API daemon, bound to a local socket that is accessible only by root (every local anonymous call to it will gain admin permissions), so it will be possible to register new users using the native API.
Hiera values for a new environment are stored in the database, so we are able to read the pregenerated password for our user.
This password will be random for each deploy.
This password will be sent to other nodes in astute.yaml, so other nodes will be able to use those credentials to call the nailgun API.
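The "local socket, accessible only by root" condition in the proposal, sketched as an added example (not Fuel or Keystone code): the socket file is created with mode 0600, and the daemon also asks the kernel for the caller's uid before treating the call as admin. It assumes Linux (SO_PEERCRED); the socket name and function names are hypothetical.

```python
import os
import socket
import struct
import tempfile

def bind_private_socket(path):
    """Bind a Unix socket whose file is owner-only (0600) from the moment it exists."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # set before bind(): no window with wider permissions
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv

def peer_uid(conn):
    """Return the kernel-reported uid of the connecting process (Linux only)."""
    fmt = "iII"  # struct ucred: pid, uid, gid
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize(fmt))
    _pid, uid, _gid = struct.unpack(fmt, creds)
    return uid

def authorize(conn, allowed_uid=0):
    """Grant admin rights only when the caller runs as allowed_uid (root by default)."""
    return peer_uid(conn) == allowed_uid

def demo(allowed_uid):
    """One connect/accept round trip; returns (socket file mode, caller authorized)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "keystone-local.sock")  # hypothetical socket name
    srv = bind_private_socket(path)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(path)
        conn, _ = srv.accept()
        try:
            return os.stat(path).st_mode & 0o777, authorize(conn, allowed_uid)
        finally:
            conn.close()
    finally:
        client.close()
        srv.close()
        os.unlink(path)
        os.rmdir(workdir)

if __name__ == "__main__":
    # Constructed run: authorize the current uid so the demo works without root.
    print(demo(allowed_uid=os.getuid()))
```

With the default `allowed_uid=0`, a connection from any non-root process is refused even if the socket file's permissions are later loosened by mistake.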
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Dmitriy Stremkovskiy
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Dmitriy Stremkovskiy