Domain isolated users for in-instance credentials
Currently we create a new keystone user for every WaitConditionHandle resource and every User/AccessKey resource, in the same tenant/project as the stack-owning user.
We need to remove the requirement to be a keystone admin (which is required to create the users) while still providing users who are not directly associated with the stack-owning user (to limit the impact in the event of a compromised instance). So we create these users in a separate heat-specific domain (as the heat service user). This still provides the necessary isolation but avoids the requirement to create users in the real user domain.
This could also provide a solution to the requirement for ec2 signed requests (which we don't want for native resources), e.g. initially by deploying the username and a randomly generated password, and in future maybe x509 certificates.
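An added illustration of the isolation model described above; it is example code, not Heat's own implementation. It models the heat-specific domain with a per-stack project, the random password deployed to the instance, and the engine-side sanity check that a presented user_id belongs to that stack's project. The in-memory FakeKeystoneV3, STACK_USER_DOMAIN_ID and the function names are assumptions for this example, and project membership is modelled via default_project_id for brevity (real Keystone uses role assignments).

```python
import secrets

# Constructed id standing in for the stack_user_domain config option (assumption).
STACK_USER_DOMAIN_ID = "heat-stack-user-domain"


class FakeKeystoneV3:
    """Minimal in-memory stand-in for the Keystone v3 projects/users API."""

    def __init__(self):
        self.projects = {}  # id -> {"id", "name", "domain_id"}
        self.users = {}     # id -> {"id", "name", "domain_id", "default_project_id"}

    def create_project(self, name, domain_id):
        pid = secrets.token_hex(8)
        self.projects[pid] = {"id": pid, "name": name, "domain_id": domain_id}
        return self.projects[pid]

    def create_user(self, name, domain_id, project_id, password):
        uid = secrets.token_hex(8)
        self.users[uid] = {"id": uid, "name": name, "domain_id": domain_id,
                           "default_project_id": project_id, "password": password}
        return self.users[uid]


def create_stack_user_project(ks, stack_id):
    """One project per stack, inside the heat domain (done as the heat service user)."""
    return ks.create_project(name=stack_id, domain_id=STACK_USER_DOMAIN_ID)["id"]


def create_stack_user(ks, stack_user_project_id, resource_name):
    """Create the in-instance user; only the random password is deployed to the instance."""
    password = secrets.token_urlsafe(32)
    user = ks.create_user(resource_name, STACK_USER_DOMAIN_ID,
                          stack_user_project_id, password)
    return user["id"], password


def user_is_trusted(ks, user_id, stack_user_project_id):
    """Sanity check before acting on a signal: the presented user_id must exist in
    the heat domain and belong to this stack's own project, never to the owner's
    real project or to another stack's project."""
    user = ks.users.get(user_id)
    project = ks.projects.get(stack_user_project_id)
    return (user is not None and project is not None
            and user["domain_id"] == STACK_USER_DOMAIN_ID
            and project["domain_id"] == STACK_USER_DOMAIN_ID
            and user["default_project_id"] == stack_user_project_id)
```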
Blueprint information
- Status: Complete
- Approver: Steve Baker
- Priority: High
- Drafter: Steven Hardy
- Direction: Approved
- Assignee: Steven Hardy
- Definition: Approved
- Series goal: Accepted for icehouse
- Implementation: Implemented
- Milestone target: 2014.1
- Started by: Steven Hardy
- Completed by: Steven Hardy
Related branches
Whiteboard
bug #1242597 now fixed so this is un-blocked and in-progress again :)
Gerrit topic: https:/
Addressed by: https:/
Correct create_
Addressed by: https:/
Add sanity check to ensure user_id can be trusted
Addressed by: https:/
Convert stored trust_id to service_trust_id
Addressed by: https:/
Add initial support for instance_
Addressed by: https:/
SignalResponder store access/secret in resource data
Addressed by: https:/
heat_
Gerrit topic: https:/
Addressed by: https:/
Store AccessKey secret_key in resource data
Moving to solution (2) in the wiki, creating the instance users in a separate domain, which means this BP now depends on keystone-v3-only (need domain-aware interface for creating the instance users)
(shardy): Updated title and summary description based on revised direction detailed in wiki. keystone-v3-only now completed (awaiting review) so this can proceed again now.
Addressed by: https:/
heat_
Addressed by: https:/
heat_
Addressed by: https:/
heat_
Addressed by: https:/
heat_
Addressed by: https:/
Purge remaining heat_keystoneclient v2 code
Addressed by: https:/
heat_
Addressed by: https:/
Fix user and signal responder exception import
Addressed by: https:/
Add new stack_user_domain config option
Addressed by: https:/
heat_
Addressed by: https:/
Create stack user domain project for each new stack
Addressed by: https:/
engine: allow stack_user_project users to retrieve stack
Addressed by: https:/
Migrate SignalResponder to StackUser base class
Addressed by: https:/
heat_
Addressed by: https:/
Add StackUser common base class
Addressed by: https:/
heat_
Addressed by: https:/
heat_
Addressed by: https:/
Add parser.Stack support for stack_domain_
Addressed by: https:/
heat_
Addressed by: https:/
heat_
Addressed by: https:/
heat_
Addressed by: https:/
StackUser add suspend/resume support
Gerrit topic: https:/
Addressed by: https:/
Add test for StackUser.
Addressed by: https:/
StackUser add _delete_keypair function
Addressed by: https:/
migrate User/AccessKey resources to StackUser base class
Addressed by: https:/
Modify stack_user_domain config option to take domain ID
Addressed by: https:/
Add config options to specify stack domain admin
Gerrit topic: https:/
Addressed by: https:/
Store stack domain credentials for deployments
Work Items
Dependency tree