Domain isolated users for in-instance credentials

Registered by Steven Hardy

Currently we create a new keystone user for every WaitConditionHandle resource, and every User/AccessKey resource, in the same tenant/project as the stack owning user.

We need to remove the requirement to be a keystone admin (which is required to create the users)
while still providing users who are not directly associated with the stack owning user (to limit the impact in the event of a compromised instance), so create these users in a separate heat specific
domain (as the heat service user). This still provides the necessary isolation but avoids the requirement to create users in the real user domain.

This could also provide a solution to the requirement for ec2 signed requests (which we don't want for native resources), e.g initially by deploying the username and a randomly generated password and in future maybe x509 certificates.

Blueprint information

Status:
Complete
Approver:
Steve Baker
Priority:
High
Drafter:
Steven Hardy
Direction:
Approved
Assignee:
Steven Hardy
Definition:
Approved
Series goal:
Accepted for icehouse
Implementation:
Implemented
Milestone target:
milestone icon 2014.1
Started by
Steven Hardy
Completed by
Steven Hardy

Related branches

Whiteboard

bug #1242597 now fixed so this is un-blocked and in-progress again :)

Gerrit topic: https://review.openstack.org/#q,topic:bp/instance-users,n,z

Addressed by: https://review.openstack.org/62436
    Correct create_trust_context docstring

Addressed by: https://review.openstack.org/62437
    Add sanity check to ensure user_id can be trusted

Addressed by: https://review.openstack.org/62438
    Convert stored trust_id to service_trust_id

Addressed by: https://review.openstack.org/62439
    Add initial support for instance_auth_method

Addressed by: https://review.openstack.org/62440
    SignalResponder store access/secret in resource data

Addressed by: https://review.openstack.org/62441
    heat_keystoneclient revise get_ec2_keypair

Gerrit topic: https://review.openstack.org/#q,topic:bug/1262177,n,z

Addressed by: https://review.openstack.org/63829
    Store AccessKey secret_key in resource data

Moving to solution (2) in the wiki, creating the instance users in a separate domain, which means this BP now depends on keystone-v3-only (need domain-aware interface for creating the instance users)

(shardy): Updated title and summary description based on revised direction detailed in wiki. keystone-v3-only now completed (awaiting review) so this can proceed again now.

Addressed by: https://review.openstack.org/69568
    heat_keystoneclient ensure admin client respects SSL options

Addressed by: https://review.openstack.org/69569
    heat_keystoneclient: Move v3 path logic to constructor

Addressed by: https://review.openstack.org/69570
    heat_keystoneclient: abstract admin_client to a property

Addressed by: https://review.openstack.org/67531
    heat_keystoneclient convert get_ec2_keypair to v3 API

Addressed by: https://review.openstack.org/67534
    Purge remaining heat_keystoneclient v2 code

Addressed by: https://review.openstack.org/67532
    heat_keystoneclient convert delete_ec2_keypair to v3 API

Addressed by: https://review.openstack.org/67533
    Fix user and signal responder exception import

Addressed by: https://review.openstack.org/69890
    Add new stack_user_domain config option

Addressed by: https://review.openstack.org/69891
    heat_keystoneclient add support for stack domain projects

Addressed by: https://review.openstack.org/69892
    Create stack user domain project for each new stack

Addressed by: https://review.openstack.org/71300
    engine: allow stack_user_project users to retrieve stack

Addressed by: https://review.openstack.org/71210
    Migrate SignalResponder to StackUser base class

Addressed by: https://review.openstack.org/71208
    heat_keystoneclient add create_stack_domain_user_keypair

Addressed by: https://review.openstack.org/71209
    Add StackUser common base class

Addressed by: https://review.openstack.org/71206
    heat_keystoneclient add create_stack_domain_user function

Addressed by: https://review.openstack.org/71207
    heat_keystoneclient add delete_stack_domain_user function

Addressed by: https://review.openstack.org/71205
    Add parser.Stack support for stack_domain_projects

Addressed by: https://review.openstack.org/71414
    heat_keystoneclient add support to enable/disable domain users

Addressed by: https://review.openstack.org/71928
    heat_keystoneclient raise error if stack user role missing

Addressed by: https://review.openstack.org/71929
    heat_keystoneclient add delete_stack_domain_user_keypair

Addressed by: https://review.openstack.org/71930
    StackUser add suspend/resume support

Gerrit topic: https://review.openstack.org/#q,topic:bug/1089261,n,z

Addressed by: https://review.openstack.org/72761
    Add test for StackUser._create_keypair

Addressed by: https://review.openstack.org/72762
    StackUser add _delete_keypair function

Addressed by: https://review.openstack.org/72763
    migrate User/AccessKey resources to StackUser base class

Addressed by: https://review.openstack.org/73978
    Modify stack_user_domain config option to take domain ID

Addressed by: https://review.openstack.org/76035
    Add config options to specify stack domain admin

Gerrit topic: https://review.openstack.org/#q,topic:bp/hot-software-config,n,z

Addressed by: https://review.openstack.org/80868
    Store stack domain credentials for deployments

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information 
Everyone can see this information.