Add rootwrap to Horizon

Registered by Dan Varga

openstack/oslo-incubator contains a module, rootwrap[1], which provides an easy and pluggable interface allowing commands to be run as root. As an openstack_dashboard plugin developer, I would like to be able to use this functionality to execute commands from Horizon using an established and secure method. This would allow me to enhance my dashboards/panels with additional information from the system. Adding rootwrap from oslo to Horizon would give third parties the ability to safely execute commands in a manner which is consistent with other components of OpenStack (nova, cinder, etc.).
[1] https://wiki.openstack.org/wiki/Nova/Rootwrap

Related commit: https://review.openstack.org/#/c/39695/

Blueprint information

Status: Complete
Approver: Gabriel Hurley
Priority: Low
Drafter: Dan Varga
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Not started
Milestone target: None
Completed by: Matthias Runge

Whiteboard

[2013-08-06 | Gabriel] My initial feeling is that your webserver process should be run in isolation; e.g. there shouldn't be anything you'd want to shell out *to* in the same execution context. Other services ought to be run in their own contexts and have published APIs/endpoints to talk to. That's more or less the guiding principle for Horizon's design. I'm open to hearing use cases for this, but the bar for acceptance will be data sources/services which absolutely *must* be run in the same context as Horizon.

[2013-08-06 | Dan] My use case for rootwrap is to be able to reach down and obtain log files and diagnostic data via the sosreport command. This command must be run as root and does not have a daemon/API. My dashboard plugin makes obtaining this information and sending it up to support for analysis simple. Rootwrap is incredibly restrictive by default and requires that root-owned "filters" files be installed for a whitelist of commands to execute (this list would be supplied by the plugin). More generically, a plugin writer at Company X may want to shell out and execute some command as root. Horizon is the likely spot for this type of integration since it is the "face" of OpenStack and the place to expose additional vendor-specific UI/usability enhancements.
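
The filter model described in the comment above, as an added sketch that is not part of the blueprint and is not rootwrap's own code: filter definitions are trusted only when the file is owned by a trusted uid and not writable by group or others, and a command runs only if it matches an entry. The names `load_filters` and `is_allowed`, the `/usr/sbin/sosreport` path and the exact-path matching rule are assumptions made for illustration.

```python
import configparser
import os
import stat

# Constructed sample filter file for the sosreport use case (path is assumed).
SAMPLE_FILTERS = """[Filters]
sosreport: CommandFilter, /usr/sbin/sosreport, root
"""


def load_filters(path, trusted_uid=0):
    """Parse a [Filters] file only if its owner is trusted and nobody else can write it."""
    with open(path) as handle:
        # fstat the open handle so the checked file is the one that gets parsed.
        st = os.fstat(handle.fileno())
        if st.st_uid != trusted_uid:
            raise PermissionError(f"{path}: owner uid {st.st_uid} is not trusted")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: writable by group or others")
        parser = configparser.RawConfigParser()
        parser.read_file(handle)

    filters = {}
    for name, value in parser.items("Filters"):
        parts = [part.strip() for part in value.split(",")]
        if len(parts) < 3 or parts[0] != "CommandFilter":
            raise ValueError(f"{name}: unsupported filter definition {value!r}")
        filters[name] = (parts[1], parts[2])  # (executable, run-as user)
    return filters


def is_allowed(argv, filters):
    """Deny by default: argv[0] must equal a whitelisted executable path (simplified rule)."""
    if not argv:
        return False
    return any(argv[0] == executable for executable, _ in filters.values())


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sos.filters")
        with open(path, "w") as out:
            out.write(SAMPLE_FILTERS)
        os.chmod(path, 0o644)
        # The demo trusts the current user; a real deployment would require uid 0.
        rules = load_filters(path, trusted_uid=os.geteuid())
        print(is_allowed(["/usr/sbin/sosreport"], rules), is_allowed(["/bin/sh"], rules))
```
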
