Decrypt and display VM generated password

Registered by Cédric Soulas on 2013-11-14

Use Case

I launch an instance, choosing a Windows image and a public key:
- on VM boot, Windows generates a random password for the Admin session
- the password is encrypted with the public key and sent to the metadata server (for example with cloudbase-init)
- I can already retrieve this admin password via the API with: nova get-password <VM-id> <Private-key>

Horizon Blueprint: "Being able to display and decrypt this password on Horizon"

- A popup displays the encrypted password
- The user has to provide their private key to decrypt this password
- The private key should not transit over the network or be processed on the server side
- The private key should be used on the client side (any JS lib available for decryption? Use of HTML 5 File API / FileReader?)
- The password may not be available immediately after the launch of the instance (have to wait for the VM to boot and generate the password)
- Several ways to provide the private key: copy and paste into an input, "browse > select a file", drag & drop
- Should be inspired by the way Amazon does this (both for the internal client-side processing, if it does any, and for UX aspects): more details to be sent later

Blueprint information

Status: Complete
Approver: David Lyle
Priority: Medium
Drafter: Cédric Soulas
Direction: Needs approval
Assignee: Ala Rezmerita
Definition: New
Series goal: Accepted for icehouse
Implementation: Implemented
Milestone target: 2014.1
Started by: Cédric Soulas on 2013-12-13
Completed by: David Lyle on 2014-03-08

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/decrypt-and-display-vm-generated-password,n,z

Addressed by: https://review.openstack.org/61032
    Decrypt and display VM generated password

The demos are available here:
1. Windows instance: https://storage.fr1.cloudwatt.com/v1/AUTH_935b2726c86e420db2be029f36dd33e0/openstack/demo_window_decrypt_password.mp4
2. Ubuntu instance: https://storage.fr1.cloudwatt.com/v1/AUTH_935b2726c86e420db2be029f36dd33e0/openstack/retrieve_password.mp4

In order to test "Retrieve password" on devstack with Linux instances:
0. Check out the Horizon review https://review.openstack.org/#/c/61032/
1. Boot an instance
2. Once connected to the instance, run:
#curl --silent --fail http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > my_ssh_key; ssh-keygen -e -f my_ssh_key -m PKCS8 > my_ssl_key
#PASSWORD=`openssl rand -base64 48 | tr -d '/+' | cut -c1-10`
#ENCRYPTED=`echo "$PASSWORD" | openssl rsautl -encrypt -pubin -inkey my_ssl_key -keyform PEM | openssl base64 -e -A`
#curl -X POST http://169.254.169.254/openstack/2013-04-04/password -d "$ENCRYPTED"
#curl --silent --fail http://169.254.169.254/openstack/latest/password
3. Use Horizon to retrieve the password

[jpichon 2014.03.03] Adding missing milestone + assigning correct owner

[jpichon 2014.03.05] Per discussion on #openstack-dev, the patch is close and has seen several rounds of reviews including from cores and someone from the security team. The Selenium tests can be pulled out and the related issues resolved in a separate patch.

Addressed by: https://review.openstack.org/78334
    Add selenium tests to instance Retrieve Password action

Addressed by: https://review.openstack.org/82079
    Add unit tests to instance Retrieve Password action
