[RFE] General baremetal node auth and token passing mechanism
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ironic | Fix Released | Wishlist | Unassigned | | |
Bug Description
Goals of this proposal are:
1) Improving baremetal node authentication
2) A secure way of passing the auth token to the node
Define security levels for node auth:
0 - no auth
1 - auth with hardware id (like S/N of BIOS, HDD, etc.)
3 - auth with user pre-shared key
This value should be stored in the node's secure storage.
1) Before deployment, the user sets some values for the node in secure storage via the Ironic API, like this:
{
"hardware_id": sha1(sha1(
"user_key": sha1(sha1(user_key) + node_uuid)
....
"vendor_sn": sha1(sha1(
}
2) The node passes its own info via a special API method for the node:
{
"hardware_id": sha1(hardware_id)
"user_key": sha1(sha1(user_key)
....
"vendor_sn": sha1(sha1(
}
3) Ironic compares these data sets and disallows operations with the node if one or more keys do not match or there are too few parameters for the defined security level.
4) Ironic uses the Keystone OS-OAUTH1 extension to grant temporary access to the API
(it should validate the request token from the node):
http://
tags: | added: needs-spec |
Depends on bug 1526745
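A sketch of the comparison in step 3, added here as an illustration; it is not Ironic code and not part of the original report. It assumes every key follows the pattern that is fully visible on the page (stored value sha1(sha1(value) + node_uuid), node reports sha1(value)); the `REQUIRED_KEYS` mapping from security level to mandatory keys, the function names and the sample values are hypothetical.

```python
import hashlib
import hmac

# Assumption (not defined in the proposal): keys each security level requires.
REQUIRED_KEYS = {0: set(), 1: {"hardware_id"}, 3: {"hardware_id", "user_key"}}


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def stored_value(secret, node_uuid):
    """Value the user puts in secure storage: sha1(sha1(secret) + node_uuid)."""
    return sha1_hex(sha1_hex(secret) + node_uuid)


def node_value(secret):
    """Value the node reports: sha1(secret), as the page shows for hardware_id."""
    return sha1_hex(secret)


def verify_node(node_uuid, level, stored, reported):
    """Return (allowed, reason) for the data set a node reported."""
    if level not in REQUIRED_KEYS:
        return False, "unknown security level"
    missing = REQUIRED_KEYS[level] - set(reported)
    if missing:
        return False, "too few parameters: " + ", ".join(sorted(missing))
    for key, value in reported.items():
        expected = stored.get(key)
        if expected is None:
            return False, "no stored value for " + key
        # Bind the reported hash to this node before comparing.
        candidate = sha1_hex(value + node_uuid)
        # Constant-time compare: do not leak how much of the digest matched.
        if not hmac.compare_digest(candidate, expected):
            return False, "mismatch on " + key
    return True, "ok"


if __name__ == "__main__":
    uuid = "00000000-0000-4000-8000-000000000001"  # constructed sample UUID
    stored = {"hardware_id": stored_value("SN-CONSTRUCTED-001", uuid),
              "user_key": stored_value("constructed-psk", uuid)}
    reported = {"hardware_id": node_value("SN-CONSTRUCTED-001")}
    print(verify_node(uuid, 1, stored, reported))  # level 1: hardware id only
    print(verify_node(uuid, 3, stored, reported))  # level 3: user_key missing
```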