Cluster creds management

Registered by Murali Allada on 2016-10-27

We need to allow cluster admins to manage credentials/access to the cluster.

Currently, Magnum does not support cluster credential management. This is a problem for cluster admins, as they are unable to restrict/deny access to an existing cluster once a user has been granted access.

At the Newton mid-cycle, we discussed two ways to manage cluster creds.

1) Replace cluster certificate.
2) Revoke certificate for a specific user.

These operations will fall under the cluster lifecycle operations umbrella and will leverage the Heat software config agent that will be deployed on each cluster node for other operations such as rebuilding and restarting a cluster.

Implementation plan:
---------------------------

This blueprint will be implemented in 2 phases. In the first phase, we'll implement point 1 listed above. This is mainly to provide at least one method of creds management to cluster admins as soon as possible. This operation will replace the cluster certificate and invalidate all user credentials. All users will need to create new certificates to gain access to the cluster again. This allows admins to revoke a user's Keystone creds (e.g. when a user has left the company) and thus deny them access to the cluster.

In phase 2 we'll implement a finer-grained approach to cert revocation. This feature requires Magnum to start storing a mapping between a Keystone user and the certs they have generated in Magnum. Magnum currently does not have the plumbing required to do so. This will allow admins to list users for each cluster and revoke certs for a specific user. This might require us to contribute to upstream Docker/Kubernetes/Mesos in order to support cert revocation lists. The Docker auth plugin work that's currently being done in Magnum can be leveraged to help with this.

Proposed change
===============
The /clusters api will need to be modified to support the new operation.
See the REST API section below for more details.

Steps needed to replace the cluster cert:
1) Generate a new keystone token and pass it to the cluster node.
   We will use the Heat software config agent to pass this token into the
   cluster node.
2) Invoke the make-cert.py script and generate a new certificate using the new
   keystone token.
3) Restart Swarm or Kubernetes and configure it to use the new certificate.
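
The effect of this replacement on existing user certificates, as an added example that is not Magnum's code or part of this blueprint. It uses the openssl CLI with a stand-in CA; the function names, file names, CA subject and the users alice and bob are constructed, and it assumes the cluster services trust only the current CA.

```shell
#!/bin/sh
# Constructed demo: names, subjects and paths are assumptions,
# not taken from Magnum or its make-cert.py script.

# new_ca <dir> <name>: create a self-signed CA (stand-in for the cluster CA)
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=cluster-ca" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert <dir> <ca-name> <user>: sign a client certificate for <user>
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
}

# trusted <dir> <ca-name> <user>: succeed only if the cert chains to that CA
trusted() {
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" 2>/dev/null | grep -q ': OK$'
}

# rotation_demo: returns 0 if every cert issued before rotation is rejected
# afterwards and a re-issued cert is accepted
rotation_demo() {
    dir=$(mktemp -d) || return 2
    new_ca "$dir" ca_old && issue_cert "$dir" ca_old alice &&
        issue_cert "$dir" ca_old bob || return 2
    trusted "$dir" ca_old alice && echo "before rotation: alice accepted"
    new_ca "$dir" ca_new || return 2    # the cluster certificate is replaced
    rc=0
    for user in alice bob; do
        if trusted "$dir" ca_new "$user"; then
            echo "after rotation: $user still accepted"; rc=1
        else
            echo "after rotation: $user rejected"
        fi
    done
    issue_cert "$dir" ca_new alice || rc=1    # alice requests a new cert
    trusted "$dir" ca_new alice && echo "re-issued: alice accepted" || rc=1
    rm -rf "$dir"
    return $rc
}
```

The new CA keeps the same subject name as the old one, which shows that the rejection comes from the changed signing key rather than from a renamed issuer.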

REST API impact
---------------
A REST API will be added for:

PATCH /clusters/{id}/actions/rotate_cert

A user with "admin" role will be able to call the above operation. A user
with "non-admin" role will be restricted.

Blueprint information

Status: Not started
Approver: Adrian Otto
Priority: Undefined
Drafter: Murali Allada
Direction: Approved
Assignee: Jason Dunsmore
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/revoke-cluster-cert,n,z

Addressed by: https://review.openstack.org/399731
    Add spec for phase 1 of cluster creds management

Addressed by: https://review.openstack.org/408700
    Add an API to revoke a cluster CA certificate

Addressed by: https://review.openstack.org/409251
    Add script and DIB element for Fedora

Gerrit topic: https://review.openstack.org/#q,topic:fedora-image-20170103,n,z

Gerrit topic: https://review.openstack.org/#q,topic:fedora-driver-20170109,n,z

Addressed by: https://review.openstack.org/418571
    Implement cluster CA certificate revocation

Gerrit topic: https://review.openstack.org/#q,topic:bug/1658058,n,z

Addressed by: https://review.openstack.org/447637
    Add "ca-rotate" command to userguide
