General baremetal node auth and token passing mechanism
Goals of this blueprint are:
1) Improve baremetal node authentication
2) Provide a secure way to pass the auth token to the node
Blueprint information
- Status: Not started
- Approver: None
- Priority: Medium
- Drafter: Yuriy Zveryanskyy
- Direction: Needs approval
- Assignee: None
- Definition: Discussion
- Series goal: None
- Implementation: Unknown
- Milestone target: None
Related bugs
- Bug #1526748: [RFE] General baremetal node auth and token passing mechanism (Fix Released)
Whiteboard
Define security levels for node auth:
0 - no auth
1 - auth with a hardware id (e.g. the S/N of the BIOS, HDD, etc.)
3 - auth with a user pre-shared key
This value should be stored in the node's secure storage.
1) Before deploy, the user sets some values for the node in secure storage via the Ironic API, like this:
{
"hardware_id": sha1(sha1(
"user_key": sha1(sha1(user_key) + node_uuid)
....
"vendor_sn": sha1(sha1(
}
2) The node passes its own info via a special node-facing API method:
{
"hardware_id": sha1(hardware_id)
"user_key": sha1(sha1(user_key)
....
"vendor_sn": sha1(sha1(
}
3) Ironic compares these data sets and disallows the operation on the node if one or more keys do not match, or if too few parameters are presented for the defined security level.
4) Ironic uses the Keystone OS-OAUTH1 extension to grant temporary access to the API (it should validate the request token from the node):
http://
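Steps 1 to 3 above, written out as an added example (not code from the blueprint or from Ironic). It assumes the whiteboard's pattern for every key: the node presents sha1(value), the operator stores sha1(sha1(value) + node_uuid), and the mapping from security level to required keys is my assumption since the page only names them informally.

```python
import hashlib
import hmac

# Assumed mapping of the whiteboard's security levels to the keys a node must
# present. Level 2 is not defined on the page, so it is rejected as unknown.
REQUIRED_KEYS = {
    0: set(),                              # no auth
    1: {"hardware_id"},                    # auth with hardware id
    3: {"hardware_id", "user_key"},        # auth with user pre-shared key
}


def _sha1_hex(data: str) -> str:
    # sha1 because that is what the whiteboard specifies.
    return hashlib.sha1(data.encode()).hexdigest()


def secure_storage_value(secret: str, node_uuid: str) -> str:
    """Step 1: what the operator stores before deploy, sha1(sha1(secret) + node_uuid)."""
    return _sha1_hex(_sha1_hex(secret) + node_uuid)


def node_presented_value(secret: str) -> str:
    """Step 2: what the node sends, sha1(secret) (assumed reading of the page)."""
    return _sha1_hex(secret)


def authorize_node(level: int, node_uuid: str, stored: dict, presented: dict) -> bool:
    """Step 3: allow only if every checked key matches and the level's keys are present."""
    required = REQUIRED_KEYS.get(level)
    if required is None:
        return False                       # undefined level: fail closed
    if not required:
        return True                        # level 0: no auth
    if not required.issubset(presented):
        return False                       # too few parameters for this level
    # Check the required keys plus any extra key both sides know (e.g. vendor_sn).
    for key in required | (stored.keys() & presented.keys()):
        expected = stored.get(key)
        if expected is None:
            return False                   # nothing stored to verify against
        candidate = _sha1_hex(presented[key] + node_uuid)
        if not hmac.compare_digest(candidate, expected):
            return False                   # one or more keys does not match
    return True
```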
Gerrit topic: https:/
Addressed by: https:/
Do not save auth token on TFTP server in PXE driver
Yuriy, is there a spec for this?
// jroll 2015-10-15
We're moving from using blueprints to track features to RFE bugs. I've filed one for your change (see related bugs section). Please track further work there using Closes-Bug, Partial-Bug or Related-Bug in commit messages and use this newly created RFE bug.
//vdrok 2015-12-16