Lightweight authorization for vendor passthru

Registered by Yuriy Zveryanskyy

A Keystone PKI token (~5K) cannot be passed to the deploy ramdisk via the kernel command line (~2K).
A generalized 'deploy_key' can be used as a lightweight key for deployment tasks.
1. Generate the deploy_key before deploying.
2. Pass the deploy_key to the deploy ramdisk.
3. Don't check the token for vendor passthru in the auth middleware.
4. Check the deploy_key in the API.

Because vendor passthru may be used not only for deployment tasks, authorization by token must remain possible.
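The four steps above, worked through as an added example. This is illustration written for this page, not Ironic's code: the function names, the in-memory key store, the URL layout /v1/nodes/<uuid>/vendor_passthru, the stand-in token set and the exact 2K/5K sizes are all assumptions. It shows why the PKI token does not fit the command line while a short random key does, how the middleware exempts only vendor passthru from the token check, and how the API then checks the deploy_key in constant time while still accepting a token.

```python
"""Added example of the deploy_key flow; all names and sizes are assumed."""
import hmac
import secrets

KERNEL_CMDLINE_LIMIT = 2048          # the ~2K limit from the blueprint, taken as exact (assumption)
KEYSTONE_PKI_TOKEN_SIZE = 5 * 1024   # the ~5K PKI token, for comparison

# node uuid -> deploy_key; a real service would keep this in its database (assumption)
_deploy_keys = {}

# Constructed stand-in for Keystone token validation (assumption)
_VALID_TOKENS = {"constructed-valid-keystone-token"}


def generate_deploy_key(node_uuid, nbytes=32):
    """Step 1: mint a short random key for this node's deployment.
    32 random bytes encode to 43 URL-safe characters, well within the
    'few hundred bytes' the whiteboard asks for and far below a 5K token."""
    key = secrets.token_urlsafe(nbytes)
    _deploy_keys[node_uuid] = key
    return key


def revoke_deploy_key(node_uuid):
    """Drop the key once the deployment finishes so it cannot be replayed."""
    _deploy_keys.pop(node_uuid, None)


def build_kernel_cmdline(node_uuid, secret, base="root=/dev/ram0 ip=dhcp"):
    """Step 2: hand the key to the ramdisk on the kernel command line.
    Refuses anything that would not fit, which is what happens if a PKI
    token is put there instead of a deploy_key."""
    cmdline = f"{base} ironic_node_uuid={node_uuid} deploy_key={secret}"
    size = len(cmdline.encode())
    if size > KERNEL_CMDLINE_LIMIT:
        raise ValueError(f"kernel command line is {size} bytes, limit {KERNEL_CMDLINE_LIMIT}")
    return cmdline


def parse_deploy_key(cmdline):
    """Ramdisk side: read deploy_key back out of /proc/cmdline."""
    for word in cmdline.split():
        if word.startswith("deploy_key="):
            return word[len("deploy_key="):]
    return None


def is_vendor_passthru(path):
    """Step 3: the auth middleware skips the Keystone token check only on
    /v1/nodes/<uuid>/vendor_passthru[/...]; every other path keeps it."""
    parts = path.strip("/").split("/")
    return len(parts) >= 4 and parts[:2] == ["v1", "nodes"] and parts[3] == "vendor_passthru"


def check_deploy_key(node_uuid, presented):
    """Step 4: the API compares the presented key with the node's own key in
    constant time; an unknown node or a missing key simply fails."""
    expected = _deploy_keys.get(node_uuid)
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def authorize(path, headers, body):
    """Return an HTTP status: a Keystone token works everywhere, and on vendor
    passthru the node's deploy_key is accepted as an alternative."""
    token_ok = headers.get("X-Auth-Token") in _VALID_TOKENS
    if not is_vendor_passthru(path):
        return 200 if token_ok else 401
    node_uuid = path.strip("/").split("/")[2]
    if token_ok or check_deploy_key(node_uuid, body.get("deploy_key")):
        return 202
    return 401


if __name__ == "__main__":
    key = generate_deploy_key("node-1")
    cmdline = build_kernel_cmdline("node-1", key)
    print(cmdline)
    print(authorize("/v1/nodes/node-1/vendor_passthru/pass_deploy_info", {},
                    {"deploy_key": parse_deploy_key(cmdline)}))
```

The key is scoped to one node and revoked after the deployment, so a leaked command line from a finished deploy is useless; the whiteboard's objection to a weaker key than the Keystone token is about exactly this kind of reuse.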

Blueprint information

Status:
Complete
Approver:
aeva black
Priority:
Undefined
Drafter:
Yuriy Zveryanskyy
Direction:
Needs approval
Assignee:
Yuriy Zveryanskyy
Definition:
Obsolete
Series goal:
None
Implementation:
Unknown
Milestone target:
None
Completed by
aeva black

Related branches

Sprints

Whiteboard

I don't like allowing a publicly-accessible service to use a weaker key than the current keystone auth token, but I agree that the deploy key must be small (few hundred bytes at most).

I think it would be reasonable to run a private API service. Same python code as the public API, but with a config option to enable the code paths we need internally, such as that for the deploy and discovery ramdisk, for these ramdisks to POST log data back, etc.

What do you think?

-Deva, 2012-11-12

Devananda, I think an additional private API service can be an option, like

bool option 'allow_private_api' for the API service

and the default should be True (no additional service needs to be run, only the authorization described in this bp is used)

Gerrit topic: https://review.openstack.org/#q,topic:bp/vendor-lightweight-auth,n,z

Addressed by: https://review.openstack.org/56612
    Allow vendor passthru without Keystone authorization

--------------------
Discussed and found a solution which does not reduce the security of our API service:
  https://review.openstack.org/#/c/59066/
    Save PKI token in a file for PXE deploy ramdisk

Marking this blueprint as Obsolete.
--Devananda, 2013-12-10


Work Items
