Create bootstrap user and project only via SQLAlchemy models
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| craton | Fix Released | Critical | Sulochan Acharya | v0.1.0 |
Bug Description
Currently we construct the bootstrap user and project via direct MySQL
in docker_run.sh
(https:/
not supporting other databases, this construction has a variety of problems:
1. docker_run.sh is not for production usage; but it is the only source of "documentation" for how these bootstrap objects are created. This means that deployers need to constantly synchronize with any changes.
2. One particular aspect of docker_run.sh that's not for production: the api_key for the default user (`bootstrap`) is currently hard-coded for dev/test purposes only, namely `bootstrap`. This convention is there to ensure it's seen as a CHANGEME, but it looks bad. Nowhere else in our codebase do we hardcode such values. We need to be able to generate cryptographically strong credentials instead (as seen with
https:/
3. Construction of objects using our SQLAlchemy models is guaranteed to respect those models. Otherwise we run into this recurring problem, reported repeatedly by both us and our users:
https:/
because it's so much a bug seen at a distance - as can be expected with a failing mismatch of model to underlying schema.)
The solution is straightforward (see for example the changes in
https:/
they simply need to be exposed by an appropriate command and corresponding workflow.
One possibility:
$ craton-dbsync bootstrap [--username $USERNAME] [--projectname $PROJECTNAME]
The --username and --projectname options both default to "bootstrap". The output of this command will be the following lines, suitable for being eval'ed:
OS_PROJECT_ID=...
OS_USERNAME=...
OS_PASSWORD=...
Other output formats may be chosen, namely JSON, but the above format should facilitate usage in scripting to construct the desired initial users/projects via the REST API, including any RBAC, variables, etc.
If the desired bootstrap username/project name already exists, then the existing credentials for it are returned. Note that Craton is not a secure secrets store! Access to dbsync implies that full database access is available.
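The following is an added illustration of the proposed `craton-dbsync bootstrap` workflow and is not Craton's code: it uses a small stand-in schema on the stdlib sqlite3 module rather than Craton's SQLAlchemy models (so it runs without SQLAlchemy installed), and the table and column names are assumptions. What it shows is the behaviour the proposal asks for: an api_key generated from the `secrets` module instead of the hard-coded `bootstrap`, look-up-or-create in a single transaction so re-running returns the existing credentials, and OS_* output shell-quoted so eval'ing it cannot execute an unexpected project or user name.

```python
"""Hypothetical bootstrap helper modelled on the proposed `craton-dbsync bootstrap`.

Not Craton's implementation: the schema below is a constructed stand-in for
the project/user models, and sqlite3 stands in for the SQLAlchemy session.
"""
import secrets
import shlex
import sqlite3
import uuid

# Assumed minimal schema; Craton's real models have more columns.
SCHEMA = """
CREATE TABLE IF NOT EXISTS projects (
    id   TEXT PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE IF NOT EXISTS users (
    id         TEXT PRIMARY KEY,
    project_id TEXT NOT NULL REFERENCES projects(id),
    username   TEXT NOT NULL,
    api_key    TEXT NOT NULL,
    UNIQUE (project_id, username)
);
"""


def open_db(path=":memory:"):
    """Open (or create) the database; in-memory by default so the example is self-contained."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def generate_api_key(nbytes=32):
    """256 bits from the OS CSPRNG, URL-safe base64 (43 chars for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)


def bootstrap(conn, username="bootstrap", projectname="bootstrap"):
    """Return (project_id, username, api_key), creating the project/user only if missing.

    Runs as one transaction: either both rows exist afterwards or neither does.
    Re-running with the same names returns the existing credentials unchanged.
    """
    with conn:
        row = conn.execute(
            "SELECT id FROM projects WHERE name = ?", (projectname,)
        ).fetchone()
        if row is None:
            project_id = str(uuid.uuid4())
            conn.execute(
                "INSERT INTO projects (id, name) VALUES (?, ?)",
                (project_id, projectname),
            )
        else:
            project_id = row[0]

        row = conn.execute(
            "SELECT api_key FROM users WHERE project_id = ? AND username = ?",
            (project_id, username),
        ).fetchone()
        if row is None:
            api_key = generate_api_key()
            conn.execute(
                "INSERT INTO users (id, project_id, username, api_key) "
                "VALUES (?, ?, ?, ?)",
                (str(uuid.uuid4()), project_id, username, api_key),
            )
        else:
            api_key = row[0]
    return project_id, username, api_key


def format_for_eval(project_id, username, api_key):
    """Emit the OS_* lines proposed in the bug, quoted for `eval "$(...)"`.

    shlex.quote wraps any value containing shell metacharacters in single
    quotes, so a project or user name like "x $(reboot)" is assigned literally
    rather than executed by the shell that evals the output.
    """
    return "\n".join([
        "OS_PROJECT_ID=" + shlex.quote(project_id),
        "OS_USERNAME=" + shlex.quote(username),
        "OS_PASSWORD=" + shlex.quote(api_key),
    ])


if __name__ == "__main__":
    db = open_db()
    print(format_for_eval(*bootstrap(db)))
```

As in the proposal, anyone who can run this already has full database access, so the command returns the existing api_key on re-run rather than pretending to protect it; the gain is that deployers get one supported entry point instead of copying SQL out of docker_run.sh.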
Changed in craton:
milestone: none → v0.1.0
importance: Undecided → Critical
Changed in craton:
assignee: nobody → Sulochan Acharya (sulochan-acharya)
Fix proposed to branch: master
Review: https://review.openstack.org/443170