Change access restrictions for OSWL collector service user

Bug #1435827 reported by Artem Roma on 2015-03-24
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
High
Fuel Sustaining
6.1.x
Wishlist
Fuel Library (Deprecated)
7.0.x
High
Fuel Library (Deprecated)
8.0.x
High
Fuel Library (Deprecated)
Mitaka
High
Fuel Library (Deprecated)

Bug Description

Now for collecting of OSWL separate OpenStack user is used. It has admin privileges in order to get info on all resources (for example, access to volumes and instances is provided only to users of tenant in which those resources has been created and admin tenant). But having additional user with power of "all-mighty-admin" could be a source of many security threats for the OpenStack cluster. Also there is possibility that cloud operator may accidentally delete the user in case he/she is not aware of the statistics feature and in that case OSWL info will be lost as is dependent on described way of authorization for collectors.

With all that being said we should lower access privileges of the OSWL user to grant it only read access but for all possible entities, for which we collect information, which so far are:
- vm instances
- volumes
- images
- flavors
- keystone tenants
- keystone users

Changed in fuel:
status: New → Confirmed
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Bartlomiej Piotrowski (bpiotrowski)

An example for policy: http://paste.openstack.org/show/197018/ (thanks to Tatyanka)

Changed in fuel:
status: Confirmed → Triaged

Fix proposed to branch: master
Review: https://review.openstack.org/171561

Changed in fuel:
status: Triaged → In Progress
Changed in fuel:
assignee: Bartlomiej Piotrowski (bpiotrowski) → Fuel Library Team (fuel-library)
status: In Progress → Confirmed
status: Confirmed → Triaged
tags: added: feature-stats
removed: stats
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
Stanislaw Bogatkin (sbogatkin) wrote :

Seems that it is a little problematic to fix this bug in current release due to the fact that:

1. We need to create read-only oswl role in keystone and add workload user to it.
2. Need to change all according policies for all services that oswl use
3. I start digging from keystone. For keystone we need:
4. Move from v2 API to v3 due to the fact that keystone v2 API doesn't use policy file for RBAC and use admin user only [1]. It seems to be true everywhere (for RH, for example: [2])
5. If we move to API v3 then we cannot use cli part of python-keystoneclient (see [3]). It is bad for user expirience. I suppose, that it is done due to:
6. All cli parts from python-*client utilities slowly move to OpenStackClient (OSC) [4]. But OSC doesn't support part of functionality from old clients (for example, see neutron part from [5]). We cannot use python-neutronclient and OSC simultaneously, cause python-neutronclient doesn't support auth by keystone v3 API. I found some articles that said than if we will expose keystone api in format http://ip:port/ instead of http://ip:port/v2.0 or http://ip:port/v3 then newer clients will choose keystone API version that they support. Alas, our current clients cannot do this (and try to test every newest client for every service to create one read-only user will get too much time).

So, I move this bug to next release due to this huge amount of work that should be done to fix it now properly.

[1] https://bugs.launchpad.net/keystone/+bug/1350879
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1125333
[3] https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/shell.py#L402-L412
[4] http://docs.openstack.org/developer/python-openstackclient/
[5] https://wiki.openstack.org/wiki/OpenStackClient/Commands

Changed in fuel:
importance: High → Wishlist
status: Triaged → Won't Fix

Change abandoned by Bartłomiej Piotrowski (<email address hidden>) on branch: master
Review: https://review.openstack.org/171561

Aleksandr Didenko (adidenko) wrote :

Moved to 8.0, confirmed with developers and QA

tags: added: qa-agree-8.0
Dmitry Pyzhov (dpyzhov) on 2015-09-17
tags: added: feature
Dmitry Pyzhov (dpyzhov) on 2015-10-12
Changed in fuel:
assignee: Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)
milestone: 6.1 → 8.0
status: Won't Fix → Triaged
no longer affects: fuel/8.0.x
Dmitry Pyzhov (dpyzhov) on 2015-10-22
tags: added: area-library
Changed in fuel:
milestone: 8.0 → 9.0
status: Triaged → New
no longer affects: fuel/future
Artem Roma (aroma-x) on 2016-01-04
Changed in fuel:
status: New → Confirmed

(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

actual result

version

expected result

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags: added: need-info
tags: removed: need-info
Changed in fuel:
milestone: 9.0 → 10.0
Dmitry Pyzhov (dpyzhov) wrote :

This is a feature request. Removing from the Mitaka release because we don't backport patches of this kind.

Dmitry Pyzhov (dpyzhov) on 2016-06-22
Changed in fuel:
assignee: Fuel Library (Deprecated) (fuel-library) → Fuel Sustaining (fuel-sustaining-team)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.