Fuel for OpenStack

Change access restrictions for OSWL collector service user

Bug #1435827 reported by Artem Roma on 2015-03-24

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
Fuel for OpenStack	Confirmed	High	Fuel Sustaining	Fuel for OpenStack 10.0
6.1.x	Won't Fix	Wishlist	Fuel Library (Deprecated)	Fuel for OpenStack 6.1-updates
7.0.x	Won't Fix	High	Fuel Library (Deprecated)	Fuel for OpenStack 7.0
8.0.x	Won't Fix	High	Fuel Library (Deprecated)	Fuel for OpenStack 8.0
Mitaka	Won't Fix	High	Fuel Library (Deprecated)	Fuel for OpenStack 9.0

Bug Description

Now for collecting of OSWL separate OpenStack user is used. It has admin privileges in order to get info on all resources (for example, access to volumes and instances is provided only to users of tenant in which those resources has been created and admin tenant). But having additional user with power of "all-mighty-admin" could be a source of many security threats for the OpenStack cluster. Also there is possibility that cloud operator may accidentally delete the user in case he/she is not aware of the statistics feature and in that case OSWL info will be lost as is dependent on described way of authorization for collectors.

With all that being said we should lower access privileges of the OSWL user to grant it only read access but for all possible entities, for which we collect information, which so far are:
- vm instances
- volumes
- images
- flavors
- keystone tenants
- keystone users

Tags:

Stanislaw Bogatkin (sbogatkin) on 2015-03-24

Changed in fuel:
status:	New → Confirmed

Vladimir Kuklin (vkuklin) on 2015-03-27

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Bartlomiej Piotrowski (bpiotrowski)

Revision history for this message

Alexander Kislitsky (akislitsky) wrote on 2015-03-27:

An example for policy: http://paste.openstack.org/show/197018/ (thanks to Tatyanka)

Stanislaw Bogatkin (sbogatkin) on 2015-03-30

Changed in fuel:
status:	Confirmed → Triaged

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-08: Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/171561

Changed in fuel:
status:	Triaged → In Progress

Bartłomiej Piotrowski (bpiotrowski) on 2015-04-12

Changed in fuel:
assignee:	Bartlomiej Piotrowski (bpiotrowski) → Fuel Library Team (fuel-library)
status:	In Progress → Confirmed
status:	Confirmed → Triaged

Alexander Kislitsky (akislitsky) on 2015-04-16

tags:

added: feature-stats
removed: stats

Vladimir Kuklin (vkuklin) on 2015-04-24

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)

Revision history for this message

Stanislaw Bogatkin (sbogatkin) wrote on 2015-04-29:

Seems that it is a little problematic to fix this bug in current release due to the fact that:

1. We need to create read-only oswl role in keystone and add workload user to it.
2. Need to change all according policies for all services that oswl use
3. I start digging from keystone. For keystone we need:
4. Move from v2 API to v3 due to the fact that keystone v2 API doesn't use policy file for RBAC and use admin user only [1]. It seems to be true everywhere (for RH, for example: [2])
5. If we move to API v3 then we cannot use cli part of python-keystoneclient (see [3]). It is bad for user expirience. I suppose, that it is done due to:
6. All cli parts from python-*client utilities slowly move to OpenStackClient (OSC) [4]. But OSC doesn't support part of functionality from old clients (for example, see neutron part from [5]). We cannot use python-neutronclient and OSC simultaneously, cause python-neutronclient doesn't support auth by keystone v3 API. I found some articles that said than if we will expose keystone api in format http://ip:port/ instead of http://ip:port/v2.0 or http://ip:port/v3 then newer clients will choose keystone API version that they support. Alas, our current clients cannot do this (and try to test every newest client for every service to create one read-only user will get too much time).

So, I move this bug to next release due to this huge amount of work that should be done to fix it now properly.

[1] https://bugs.launchpad.net/keystone/+bug/1350879
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1125333
[3] https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/shell.py#L402-L412
[4] http://docs.openstack.org/developer/python-openstackclient/
[5] https://wiki.openstack.org/wiki/OpenStackClient/Commands

Changed in fuel:
importance:	High → Wishlist
status:	Triaged → Won't Fix

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-12: Change abandoned on fuel-library (master)

Change abandoned by Bartłomiej Piotrowski (<email address hidden>) on branch: master
Review: https://review.openstack.org/171561

Revision history for this message

Aleksandr Didenko (adidenko) wrote on 2015-08-05:

Moved to 8.0, confirmed with developers and QA

Nastya Urlapova (aurlapova) on 2015-08-10

tags:

added: qa-agree-8.0

Dmitry Pyzhov (dpyzhov) on 2015-09-17

tags:

added: feature

Dmitry Pyzhov (dpyzhov) on 2015-10-12

Changed in fuel:
assignee:	Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)
milestone:	6.1 → 8.0
status:	Won't Fix → Triaged
no longer affects:	fuel/8.0.x

Dmitry Pyzhov (dpyzhov) on 2015-10-22

tags:

added: area-library

Fuel Devops McRobotson (fuel-devops-robot) on 2015-12-30

Changed in fuel:
milestone:	8.0 → 9.0
status:	Triaged → New

Bogdan Dobrelya (bogdando) on 2015-12-30

no longer affects:

fuel/future

Artem Roma (aroma-x) on 2016-01-04

Changed in fuel:
status:	New → Confirmed

Revision history for this message

Bug Checker Bot (esikachev-l) wrote on 2016-03-21: Autochecker

(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

actual result

version

expected result

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug