Change access restrictions for OSWL collector service user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | | High | Fuel Sustaining |
6.1.x | | Wishlist | Fuel Library (Deprecated) |
7.0.x | | High | Fuel Library (Deprecated) |
8.0.x | | High | Fuel Library (Deprecated) |
Mitaka | | High | Fuel Library (Deprecated) |
Bug Description
Currently a separate OpenStack user is used for collecting OSWL. It has admin privileges in order to get info on all resources (for example, access to volumes and instances is provided only to users of the tenant in which those resources have been created, and to the admin tenant). But having an additional user with the power of an "all-mighty admin" could be a source of many security threats for the OpenStack cluster. Also, there is a possibility that a cloud operator may accidentally delete the user in case he/she is not aware of the statistics feature, and in that case OSWL info will be lost, as it is dependent on the described way of authorization for collectors.
With all that being said, we should lower the access privileges of the OSWL user to grant it read-only access, but to all entities for which we collect information, which so far are:
- vm instances
- volumes
- images
- flavors
- keystone tenants
- keystone users
Changed in fuel:
status: New → Confirmed
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Bartlomiej Piotrowski (bpiotrowski)
Alexander Kislitsky (akislitsky) wrote: #1
Changed in fuel:
status: Confirmed → Triaged
Fix proposed to branch: master
Review: https:/
Changed in fuel:
status: Triaged → In Progress
Changed in fuel:
assignee: Bartlomiej Piotrowski (bpiotrowski) → Fuel Library Team (fuel-library)
status: In Progress → Confirmed
status: Confirmed → Triaged
tags: added: feature-stats removed: stats
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
Stanislaw Bogatkin (sbogatkin) wrote: #3
It seems that it is a little problematic to fix this bug in the current release due to the fact that:
1. We need to create a read-only oswl role in keystone and add the workload user to it.
2. We need to change all the corresponding policies for all services that oswl uses.
3. I started digging from keystone. For keystone we need:
4. To move from the v2 API to v3, due to the fact that the keystone v2 API doesn't use the policy file for RBAC and uses the admin user only [1]. It seems to be true everywhere (for RH, for example: [2]).
5. If we move to API v3 then we cannot use the CLI part of python-
6. All CLI parts of the python-*client utilities are slowly moving to OpenStackClient (OSC) [4]. But OSC doesn't support part of the functionality of the old clients (for example, see the neutron part of [5]). We cannot use python-
So, I am moving this bug to the next release due to the huge amount of work that should be done to fix it properly now.
[1] https:/
[2] https:/
[3] https:/
[4] http://
[5] https:/
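Steps 1 and 2 of the comment above (a read-only role in keystone plus matching policy changes in every service OSWL reads from) are where the least-privilege risk lives: one over-broad rule in a service's policy.json silently hands the reader role a write action. The following is an added example, not code from the bug report or from Fuel, that audits a constructed nova-style policy.json fragment for an assumed role name "oswl_reader" using a minimal model of oslo.policy's rule grammar, and reports every reachable target that is not a read verb.

```python
import json
import re

# Constructed nova-style policy fragment (not from the bug report); the role
# name "oswl_reader" is an assumption. servers:create is deliberately granted
# to the reader role so the audit has something to flag.
POLICY_JSON = r'''{
  "context_is_admin": "role:admin",
  "admin_or_reader": "rule:context_is_admin or role:oswl_reader",
  "os_compute_api:servers:index": "rule:admin_or_reader",
  "os_compute_api:servers:show": "rule:admin_or_reader",
  "os_compute_api:servers:create": "rule:admin_or_reader",
  "os_compute_api:servers:delete": "rule:context_is_admin",
  "os_compute_api:os-flavor-manage": "rule:context_is_admin"
}'''

# A target whose last segment is one of these verbs is treated as read-only.
READ_VERB = re.compile(r":(index|show|detail|list|get)$")

def evaluate(expr, roles, rules, depth=0):
    """Evaluate an oslo.policy-style expression for a set of role names.
    Supports 'or' (lowest precedence), 'and', 'role:X', 'rule:Y', '@'/''
    (always) and '!' (never). Parentheses and request-context checks such as
    'project_id:%(project_id)s' are not modelled and evaluate to deny."""
    if depth > 32:
        raise RecursionError("rule reference cycle in policy")
    expr = expr.strip()
    if " or " in expr:
        return any(evaluate(p, roles, rules, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(p, roles, rules, depth) for p in expr.split(" and "))
    if expr in ("", "@"):
        return True
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":  # a reference to an undefined rule is treated as deny
        return evaluate(rules.get(value, "!"), roles, rules, depth + 1)
    return False  # '!' and any unmodelled check type

def audit_role(policy_text, role):
    """Return (reachable_targets, non_read_targets) for a token holding only
    `role`. Keys referenced elsewhere as 'rule:<name>' are aliases, not API
    targets, and are excluded."""
    rules = json.loads(policy_text)
    aliases = set(re.findall(r"rule:([\w-]+)", " ".join(rules.values())))
    reachable = sorted(t for t, e in rules.items()
                       if t not in aliases and evaluate(e, {role}, rules))
    return reachable, [t for t in reachable if not READ_VERB.search(t)]
```

Run `audit_role(POLICY_JSON, "oswl_reader")` against each service's real policy file before granting the role to the collector user; anything in the second list is a rule to tighten.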
Changed in fuel:
importance: High → Wishlist
status: Triaged → Won't Fix
Change abandoned by Bartłomiej Piotrowski (<email address hidden>) on branch: master
Review: https:/
Aleksandr Didenko (adidenko) wrote: #5
Moved to 8.0, confirmed with developers and QA
tags: added: qa-agree-8.0
tags: added: feature
Changed in fuel:
assignee: Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)
milestone: 6.1 → 8.0
status: Won't Fix → Triaged
no longer affects: fuel/8.0.x
tags: added: area-library
Changed in fuel:
milestone: 8.0 → 9.0
status: Triaged → New
no longer affects: fuel/future
Changed in fuel:
status: New → Confirmed
(This check is performed automatically)
Please make sure that the bug description contains the following sections, filled in with the appropriate data related to the bug you are describing:
- actual result
- version
- expected result
- steps to reproduce
For more detailed information on the contents of each of the listed sections see https:/
tags: added: need-info
tags: removed: need-info
Changed in fuel:
milestone: 9.0 → 10.0
Dmitry Pyzhov (dpyzhov) wrote: #7
This is a feature request. Removing from the Mitaka release because we don't backport patches of this kind.
Changed in fuel:
assignee: Fuel Library (Deprecated) (fuel-library) → Fuel Sustaining (fuel-sustaining-team)
An example for policy: http://paste.openstack.org/show/197018/ (thanks to Tatyanka)