Extension for retrieving a secure password of an instance

Registered by Vish Ishaya on 2012-11-28

Some guests need a password in order to be used. We need a secure way to generate an encrypted password and let the user retrieve it securely. Although we can do this using the console and an init script [1], it would be much nicer to have support in the API for such a thing.

The high-level goal is:
nova get-password <uuid>
(returns the password for the vm)

The steps involved are:

a) Add a POST location to nova-api-metadata to which the encrypted password can be sent (should be write-once)
b) Add an extension to the API allowing get_password and reset_password (reset simply clears the value)
c) Allow an alternative method for xenapi (password could be encrypted and written by nova or guest agent)
d) Work with cloud-init for it to support generating an encrypted password and posting it
e) Work with the Hyper-V team to make sure their cloud-init support includes it
f) Add code to python-novaclient for decrypting the password

[1] https://gist.github.com/4008762
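
The write-once rule in step (a) and the reset in step (b), modelled in memory as an added example; this is not nova's code. The class and function names, the HTTP-style status codes and the size limit are assumptions made for illustration. The check and the write happen under one lock, so when several posts race only one value is stored.

```python
import threading


class PasswordStore:
    """In-memory model of the write-once password slot (hypothetical names)."""

    def __init__(self, max_size=1024):  # max_size is an assumed limit
        self._lock = threading.Lock()
        self._slots = {}  # instance uuid -> encrypted password (str)
        self._max_size = max_size

    def post_from_guest(self, uuid, encrypted):
        """Metadata-side POST; returns an assumed HTTP-style status code."""
        if not encrypted or len(encrypted) > self._max_size:
            return 400
        with self._lock:
            # Check and set under one lock so two racing posts cannot both win.
            if self._slots.get(uuid):
                return 409
            self._slots[uuid] = encrypted
            return 200

    def get_password(self, uuid):
        """API-side get; returns the stored ciphertext, or '' if unset."""
        with self._lock:
            return self._slots.get(uuid, "")

    def reset_password(self, uuid):
        """API-side reset; clears the value so the guest may post again."""
        with self._lock:
            self._slots.pop(uuid, None)


def race_posts(store, uuid, candidates):
    """Post all candidates concurrently; return one status code per post."""
    results = [None] * len(candidates)

    def worker(i, value):
        results[i] = store.post_from_guest(uuid, value)

    threads = [threading.Thread(target=worker, args=(i, v))
               for i, v in enumerate(candidates)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    store = PasswordStore()
    uuid = "00000000-0000-0000-0000-000000000001"  # constructed sample id
    print(race_posts(store, uuid, ["cipher-A", "cipher-B", "cipher-C"]))
    print(store.get_password(uuid))
```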

Blueprint information

Status: Complete
Approver: Vish Ishaya
Priority: Low
Drafter: Vish Ishaya
Direction: Approved
Assignee: Vish Ishaya
Definition: Approved
Series goal: Accepted for grizzly
Implementation: Implemented
Milestone target: 2013.1
Started by: Thierry Carrez on 2012-12-04
Completed by: Thierry Carrez on 2013-01-08

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/get-password,n,z

Addressed by: https://review.openstack.org/17273
    Add api extension to get and reset password

Addressed by: https://review.openstack.org/17274
    Allows an instance to post encrypted password

Addressed by: https://review.openstack.org/18851
    Allow larger encrypted password posts to metadata

Addressed by: https://review.openstack.org/19514
    Implements getPasswordData for ec2

Addressed by: https://review.openstack.org/19745
    Add encryption and decryption methods for ssh keys

Addressed by: https://review.openstack.org/19746
    Save password set through xen agent.
