Cluster creds management

Registered by Murali Allada

We need to allow cluster admins to manage credentials/access to the cluster.

Currently, Magnum does not support cluster credential management. This is a problem for cluster admins, as they are unable to restrict or deny access to an existing cluster once a user has been granted access.

At the Newton mid-cycle, we discussed two ways to manage cluster creds.

1) Replace cluster certificate.
2) Revoke certificate for a specific user.

These operations will fall under the cluster lifecycle operations umbrella and will leverage the Heat software config agent that will be deployed on each cluster node for other operations such as cluster rebuild and restart.

Implementation plan:

This blueprint will be implemented in 2 phases. In the first phase, we'll implement point 1 listed above. This is mainly to provide at least one method of creds management to cluster admins as soon as possible. This operation will replace the cluster certificate and invalidate all user credentials. All users will need to create new certificates to gain access to the cluster again. This allows admins to revoke a user's Keystone creds (e.g. when a user has left the company) and thus deny them access to the cluster.

In phase 2 we'll implement a finer-grained approach to cert revocation. This feature requires Magnum to start storing a mapping between a Keystone user and the certs they have generated in Magnum. Magnum currently does not have the plumbing required to do so. This will allow admins to list users for each cluster and revoke certs for a specific user. This might require us to contribute to upstream Docker/Kubernetes/Mesos in order to support cert revocation lists. The Docker auth plugin work that's being done currently in Magnum can be leveraged to help with this.

Proposed change
The /clusters API will need to be modified to support the new operation.
See the REST API section below for more details.

Steps needed to replace the cluster cert:
1) Generate a new Keystone token and pass it to the cluster node.
   We will use the Heat software config agent to pass this token into the cluster node.
2) Invoke the script and generate a new certificate using the new
   Keystone token.
3) Restart Swarm or Kubernetes and configure it to use the new certificate.
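
Why replacing the cluster certificate invalidates every existing user credential, shown as an added example that is not Magnum's script or code from this blueprint: the `openssl` commands below build a constructed CA, issue certificates to two made-up users, replace the CA key, and re-verify. The `cluster-ca` subject, the `ca-old`/`ca-new` tags, the user names and the helper functions are all assumptions for illustration.

```shell
#!/bin/sh
# Added illustration (not Magnum code). CA and user names are constructed.
set -eu

# make_ca DIR TAG: self-signed CA, always with the subject CN=cluster-ca,
# so that "rotation" changes only the key pair, not the name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cluster-ca" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR TAG USER: new key and CSR for USER, signed by CA TAG.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3-$2.crt" 2>/dev/null
}

# check DIR TAG CERT: print whether CERT chains to CA TAG.
check() {
    if openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
    then echo "$3 vs $2: accepted"
    else echo "$3 vs $2: rejected"
    fi
}

# rotation_demo: runs in a subshell so the temp dir and set -e stay contained.
rotation_demo() (
    d=$(mktemp -d)
    trap 'rm -rf "$d"' EXIT
    make_ca "$d" ca-old
    issue_cert "$d" ca-old alice
    issue_cert "$d" ca-old bob
    check "$d" ca-old alice-ca-old      # before rotation
    make_ca "$d" ca-new                 # phase 1: replace the cluster CA
    check "$d" ca-new alice-ca-old      # every old credential is now untrusted
    check "$d" ca-new bob-ca-old
    issue_cert "$d" ca-new alice        # alice requests a new certificate
    check "$d" ca-new alice-ca-new
)

rotation_demo
```

Rotation rejects both old certificates at once; it cannot single out one user, which is the gap phase 2 is meant to close.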

REST API impact
A REST API will be added for:

PATCH /clusters/{id}/actions/rotate_cert

A user with "admin" role will be able to call the above operation. A user
with "non-admin" role will be restricted.

Blueprint information

Not started
Adrian Otto
Murali Allada
Jason Dunsmore

Gerrit topic: bp/revoke-cluster-cert

Addressed by:
    Add spec for phase 1 of cluster creds management

Addressed by:
    Add an API to revoke a cluster CA certificate

Addressed by:
    Add script and DIB element for Fedora

Gerrit topic: fedora-image-20170103

Gerrit topic: fedora-driver-20170109

Addressed by:
    Implement cluster CA certificate revocation

Gerrit topic: bug/1658058

Addressed by:
    Add "ca-rotate" command to userguide

