Fuel master HTTP/SSH access instructions are incomplete

Bug #1351937 reported by Moshe Levi
Affects: Fuel for OpenStack
Status: Fix Released
Importance: High
Assigned to: Sam Stoelinga
Milestone: (not shown)

Bug Description

This is a change request

After installation completes, Fuel prompts to access Fuel Web from the Admin (PXE) IP only.
We think that if we have more interfaces it should point them out too.
Also, default credentials are provided for SSH but not for HTTP.
We think they should be provided for both.

Revision history for this message
Mike Scherbakov (mihgen) wrote :

Thanks Moshe. This should be an easy change which would significantly improve UX, so raising it to High priority for 5.1.

Changed in fuel:
milestone: none → 5.1
importance: Undecided → High
status: New → Confirmed
tags: added: low-hanging-fruit
Revision history for this message
Sam Stoelinga (sammiestoel) wrote :

One thing to consider is security, it seems that currently Fuel Web is accessible through all interfaces and this may not be desired. From a security perspective Fuel web should only bind to the admin network(admin ip). I understand that this makes it hard to access Fuel Web, but unless there is proper authentication I don't think Fuel web should be exposed on all interfaces.

Looking at the code it seems that currently Fuel Web gets exposed on all interfaces and hence this UX improvement is still valid; we should at least let the user know that currently Fuel Web is also accessible through other interfaces, else the user may think that he's safe while he is not (e.g. Fuel Web becoming accessible on a public interface).

But getting back to the security issue, if currently Fuel web listens on all interfaces I think it may be better to show big warnings that it's also listening on other interfaces and/or make it only listen on admin IP by default, but provide an option to let it listen on more interfaces.

To tackle the accessibility of Fuel remotely I used an SSH tunnel to connect to Fuel instead:
ssh root@publicly-accessible-controller -L 2020:172.16.1.2:8000 # 172.16.1.2 is the admin IP of the Fuel master

Now you can access Fuel web via localhost:2020 and we provide authentication through SSH.

Disclaimer: I don't know much about security and just started getting into Fuel. So there may be some incorrect information above.

Revision history for this message
Łukasz Oleś (loles) wrote :

@Sam Stoelinga
In version 5.1 Fuel web and all API calls are password protected.

Changed in fuel:
assignee: nobody → Sam Stoelinga (sammiestoel)
Changed in fuel:
status: Confirmed → In Progress
Revision history for this message
Matthew Mosesohn (raytrac3r) wrote :

Limiting API access per interface requires more user interaction and would disrupt many existing users. If you want to lock down your installation, you can add more iptables rules. I've already limited access to RabbitMQ, PostgreSQL, and Cobbler to the admin network only. I can add information about the default login to Fuel API in /etc/issue and in Fuel documentation.

Changed in fuel:
assignee: Sam Stoelinga (sammiestoel) → Matthew Mosesohn (raytrac3r)
status: In Progress → Confirmed
Revision history for this message
Sam Stoelinga (sammiestoel) wrote : Re: [Bug 1351937] Re: Fuel master HTTP/SSH access instructions are incomplete

I have already made the modifications needed to fix this bug and tested them;
I just need to build an ISO for final testing. You can see the patch here:
https://review.openstack.org/113605

Revision history for this message
Sam Stoelinga (sammiestoel) wrote :

My previous comment about restricting Fuel UI to admin interface was because I thought that Fuel still didn't have authentication, but this was added in 5.1 so that comment can be ignored.

@Matthew: Can you re-assign to me as the bug is already as good as fixed? I can also re-assign myself but thought there may be a reason that you assigned the bug to yourself.

Changed in fuel:
status: Confirmed → In Progress
assignee: Matthew Mosesohn (raytrac3r) → Sam Stoelinga (sammiestoel)
Revision history for this message
Matthew Mosesohn (raytrac3r) wrote :

Sam, the bug is back to you. I didn't realize you started a patch. It looks like Gerrit didn't update the bug with your patch link (bad gerrit!)

Your solution is nearly perfect, but it will not correctly update Fuel IP address when you make networking changes in Fuel Setup later. I left a comment.

Revision history for this message
Mike Scherbakov (mihgen) wrote :

Sam, thanks for working on this. Feel free to ping people in IRC #fuel-dev to get your code reviewed (mattymo, bogdando, alex_didenko, aglarendil and other - MSK timezone; xarses, angdraug, rmoe and other - US)

Changed in fuel:
assignee: Sam Stoelinga (sammiestoel) → Matthew Mosesohn (raytrac3r)
Revision history for this message
Matthew Mosesohn (raytrac3r) wrote :

waiting on reviews

Changed in fuel:
assignee: Matthew Mosesohn (raytrac3r) → Sam Stoelinga (sammiestoel)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-main (master)

Reviewed: https://review.openstack.org/113605
Committed: https://git.openstack.org/cgit/stackforge/fuel-main/commit/?id=d737559bb75dd6f84a9eae40158544c61faf91d1
Submitter: Jenkins
Branch: master

commit d737559bb75dd6f84a9eae40158544c61faf91d1
Author: Sam Stoelinga <email address hidden>
Date: Wed Aug 13 22:02:20 2014 +0800

    Add improved SSH/Fuel web instructions

    - List all the IP addresses on which Fuel UI is
      accessible instead of only eth0.
    - Also added default username and password
      for Fuel UI, hardcoded as admin/admin
    - Removes duplicate code from
      bootstrap_admin_node scripts which was
      previously causing the sed line to
      appear twice in /etc/rc.local

    Closes-Bug: #1351937

    Change-Id: Ib0605c298c6ef26e8cdceb07171b76cee96ae3f8

Changed in fuel:
status: In Progress → Fix Committed
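The concern raised earlier in the thread (Fuel Web bound to every interface while the banner only mentioned the admin IP) and the merged fix (list every address the UI answers on) both come down to one check: which host addresses a listening port is actually reachable on. The script below is an added example, not code from the thread or from Fuel; it works over constructed samples of `ip -o -4 addr show` and `ss -lnt` output embedded inline, and the interface name `eth0`, port 8000 and the sample addresses are assumptions.

```shell
# Constructed sample of `ip -o -4 addr show` output (not captured from a real Fuel master).
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.20.0.2/24 brd 10.20.0.255 scope global eth0
3: eth1    inet 172.16.1.2/24 brd 172.16.1.255 scope global eth1
4: eth2    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth2'

# Constructed sample of `ss -lnt` output: the web UI bound to every address,
# PostgreSQL bound to the admin address only.
SAMPLE_LISTEN='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:8000        0.0.0.0:*
LISTEN 0      128    10.20.0.2:5432      0.0.0.0:*'

# listen_addr LISTEN_TABLE PORT: print the IPv4 address PORT is bound to (0.0.0.0 = all).
# Assumes IPv4-style "addr:port" columns; IPv6 listeners are not handled here.
listen_addr() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) { print a[1]; exit } }'
}

# host_addrs ADDR_TABLE: print "iface ip" for every non-loopback IPv4 address.
host_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" && $4 !~ /^127\./ { split($4, a, "/"); print $2, a[1] }'
}

# reachable ADDR_TABLE LISTEN_TABLE PORT: print "iface ip" for each address where PORT answers.
reachable() {
    bind=$(listen_addr "$2" "$3")
    [ -n "$bind" ] || return 0
    host_addrs "$1" | while read -r iface ip; do
        [ "$bind" = "0.0.0.0" ] || [ "$bind" = "$ip" ] || continue
        printf '%s %s\n' "$iface" "$ip"
    done
}

# exposed_outside_admin ADDR_TABLE LISTEN_TABLE PORT ADMIN_IFACE:
# print the addresses on non-admin interfaces; return 1 if there are any.
exposed_outside_admin() {
    extra=$(reachable "$1" "$2" "$3" | awk -v a="$4" '$1 != a')
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Stand-alone run: the check a post-install banner could make for the web UI port.
if exposed_outside_admin "$SAMPLE_ADDRS" "$SAMPLE_LISTEN" 8000 eth0; then
    echo "port 8000 answers only on the admin interface"
else
    echo "WARNING: port 8000 also answers on the non-admin addresses listed above" >&2
fi
```

On a live host, replace the two sample variables with the real command output; the functions themselves do not change.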
Moshe Levi (moshele)
Changed in fuel:
status: Fix Committed → Fix Released