Default admin_token usable on Keystone

Fix proposed to branch: master
Review: https://review.openstack.org/318582

Fix proposed to branch: master
Review: https://review.openstack.org/318589

Reviewed: https://review.openstack.org/318582
Committed: https://git.openstack.org/cgit/openstack/fuel-menu/commit/?id=48f880e9572c63ed9d1e02ce1cf6f2c992dc82ac
Submitter: Jenkins
Branch: master

commit 48f880e9572c63ed9d1e02ce1cf6f2c992dc82ac
Author: Matthew Mosesohn <email address hidden>
Date: Thu May 19 14:26:53 2016 +0300

    Add service_token_off to keystone hash

    Adding service_token_off to astute.yaml lets us reuse
    a fuel-library single class to disable the keystone
    service token.

    Change-Id: Ia22163d572a581f2f159396346fbb83cbe7bee94
    Partial-Bug: #1582893

Fix proposed to branch: master
Review: https://review.openstack.org/319895

Reviewed: https://review.openstack.org/319895
Committed: https://git.openstack.org/cgit/openstack/fuel-menu/commit/?id=4d886766206835f803844e8469d0ef2ed074b81d
Submitter: Jenkins
Branch: master

commit 4d886766206835f803844e8469d0ef2ed074b81d
Author: Matthew Mosesohn <email address hidden>
Date: Mon May 23 15:05:47 2016 +0300

    Add service_token_off to keystone hash

    Adding service_token_off to astute.yaml lets us reuse a
    fuel-library single class to disable the keystone service
    token.

    Change-Id: Idb7694b19792a6c43c2752867da7c34b995513d0
    Partial-Bug: #1582893

This is a potential security issue. Raising to High priority

This is nearly done for master. I'll get mitaka backports landed by Friday June 3

Reviewed: https://review.openstack.org/318589
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=4c884a0b566b598f84aea864b41302d4c3c4377e
Submitter: Jenkins
Branch: master

commit 4c884a0b566b598f84aea864b41302d4c3c4377e
Author: Matthew Mosesohn <email address hidden>
Date: Thu May 19 14:36:14 2016 +0300

    Delete service_token from keystone on Fuel Master

    Deletes keystone service token after deploying keystone
    to minimize security risk.

    Change-Id: I776644f727ce086369954f383a09b48b60bf11a5
    Depends-On: Idb7694b19792a6c43c2752867da7c34b995513d0
    Closes-Bug: #1582893

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/325301

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/325355

Reviewed: https://review.openstack.org/325355
Committed: https://git.openstack.org/cgit/openstack/fuel-menu/commit/?id=1a6c62256e2956f944db3be315a9341977f0f90e
Submitter: Jenkins
Branch: stable/mitaka

commit 1a6c62256e2956f944db3be315a9341977f0f90e
Author: Matthew Mosesohn <email address hidden>
Date: Mon May 23 15:05:47 2016 +0300

    Add service_token_off to keystone hash

    Adding service_token_off to astute.yaml lets us reuse a
    fuel-library single class to disable the keystone service
    token.

    Change-Id: Idb7694b19792a6c43c2752867da7c34b995513d0
    Partial-Bug: #1582893
    (cherry picked from commit 4d886766206835f803844e8469d0ef2ed074b81d)

Reviewed: https://review.openstack.org/325301
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=eaa1d8dbe90c92c9c32d7592cdaccbe036a721fb
Submitter: Jenkins
Branch: stable/mitaka

commit eaa1d8dbe90c92c9c32d7592cdaccbe036a721fb
Author: Matthew Mosesohn <email address hidden>
Date: Thu May 19 14:36:14 2016 +0300

    Delete service_token from keystone on Fuel Master

    Deletes keystone service token after deploying keystone
    to minimize security risk.

    Change-Id: I776644f727ce086369954f383a09b48b60bf11a5
    Depends-On: Idb7694b19792a6c43c2752867da7c34b995513d0
    Closes-Bug: #1582893
    (cherry picked from commit 4c884a0b566b598f84aea864b41302d4c3c4377e)

Fix proposed to branch: stable/6.1
Review: https://review.openstack.org/325809

Fix proposed to branch: stable/6.1
Review: https://review.openstack.org/325811

Reviewed: https://review.openstack.org/325809
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=818007fb41b9503e658f84d7f6b7b7a126be9b59
Submitter: Jenkins
Branch: stable/6.1

commit 818007fb41b9503e658f84d7f6b7b7a126be9b59
Author: Matthew Mosesohn <email address hidden>
Date: Mon Jun 6 13:01:51 2016 +0300

    Delete service_token from keystone on Fuel Master

    Deletes keystone service token after deploying keystone to
    minimize security risk.

    Adapted from Change-ID I776644f727ce086369954f383a09b48b60bf11a5

    Change-Id: Ie08121bdc3cdaa682201831f1253edd0b2659261
    Closes-Bug: #1582893

Verified on 9.0-mos #450

[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" "http://localhost:5000/v2.0/tenants"
...
< HTTP/1.1 401 Unauthorized
...
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $VALID_TOKEN" "http://localhost:5000/v2.0/tenants"
...
< HTTP/1.1 200 OK
< Server: nginx
...

[root@nailgun ~]# shotgun2 short-report
cat /etc/fuel_build_id:
 450
cat /etc/fuel_build_number:
 450
cat /etc/fuel_release:
 9.0
cat /etc/fuel_openstack_version:
 mitaka-9.0
rpm -qa | egrep 'fuel|astute|network-checker|nailgun|packetary|shotgun':
 fuel-release-9.0.0-1.mos6347.noarch
 fuel-provisioning-scripts-9.0.0-1.mos8723.noarch
 python-packetary-9.0.0-1.mos140.noarch
 fuel-bootstrap-cli-9.0.0-1.mos285.noarch
 fuel-migrate-9.0.0-1.mos8435.noarch
 rubygem-astute-9.0.0-1.mos748.noarch
 fuel-mirror-9.0.0-1.mos140.noarch
 shotgun-9.0.0-1.mos90.noarch
 fuel-openstack-metadata-9.0.0-1.mos8723.noarch
 fuel-notify-9.0.0-1.mos8435.noarch
 nailgun-mcagents-9.0.0-1.mos748.noarch
 python-fuelclient-9.0.0-1.mos323.noarch
 fuel-9.0.0-1.mos6347.noarch
 fuel-utils-9.0.0-1.mos8435.noarch
 fuel-setup-9.0.0-1.mos6347.noarch
 fuel-misc-9.0.0-1.mos8435.noarch
 fuel-library9.0-9.0.0-1.mos8435.noarch
 network-checker-9.0.0-1.mos74.x86_64
 fuel-agent-9.0.0-1.mos285.noarch
 fuel-ui-9.0.0-1.mos2715.noarch
 fuel-ostf-9.0.0-1.mos935.noarch
 fuelmenu-9.0.0-1.mos272.noarch
 fuel-nailgun-9.0.0-1.mos8723.noarch

9.0 save only wasn't refactored in Fuelmenu. It needs another patch to add keystone/service_token_off to /etc/fuel/astute.yaml during --save-only mode.

Verification steps:
1 - ensure /etc/fuel/astute.yaml doesn't contain service_token_off: "true"
2 - run fuelmenu --save-only
3 - ensure /etc/fuel/astute.yaml contains service_token_off: "true"
4 - remove service_token_off: "true" from /etc/fuel/astute.yaml
5 - run fuelmenu interactively and save and quit
6 - ensure /etc/fuel/astute.yaml contains service_token_off: "true"

Uploaded 7.0 and 8.0 patches to gerrit https://review.openstack.org/#/q/topic:bug/1582893+owner:astupnikov%2540mirantis.com

Marked as Released, because of it was verified by Andrey.

OK, everything was reviewed. We have to wait until 7.0-MU4 will be released to merge everything.

Verified on MOS 8.0 + mu2 updates.

Before:
[root@nailgun ~]# curl -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
{"tenants_links": [], "tenants": [{"description": "", "enabled": true, "id": "41ea0c3df4354c2f8a5aad8ecf071d9d", "name": "admin"}, {"description": "fuel services tenant", "enabled": true, "id": "23785dc92cb4494da98040e803540255", "name": "services"}]}
With fix:
[root@nailgun ~]# curl -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

Verified on MOS 6.1 + mu7 updates.

Before:
[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
...
< HTTP/1.1 200 OK
After:
[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
...
< HTTP/1.1 401 Unauthorized

Verified on MOS 7.0 + mu5 updates.

Before:
[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
...
< HTTP/1.1 200 OK
After:
[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
* About to connect() to localhost port 35357 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 35357 (#0)
> GET /v2.0/tenants HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:35357
> Accept: */*
> X-Auth-Token: Eoa5rGcW
>
< HTTP/1.1 401 Unauthorized
< Www-Authenticate: Keystone uri="http://localhost:35357"
< Vary: X-Auth-Token
< Content-Type: application/json
< Content-Length: 114
< Date: Wed, 10 Aug 2016 13:18:25 GMT
<
* Connection #0 to host localhost left intact
* Closing connection #0
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}[root@nailgun ~]# VALID_TOername": "admin", "password": "admin"}}}' http://localhost:5000/v2.0/tokens | python -c 'import sys, json; print(json.load(sys.stdin)["access"]["token"]["id"])')

Verified on 10.0 #1543.
[root@nailgun ~]# curl -v -s -X GET -H "X-Auth-Token: $DEFAULT_ADMIN_TOKEN" http://localhost:35357/v2.0/tenants
* About to connect() to localhost port 35357 (#0)
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 35357 (#0)
> GET /v2.0/tenants HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:35357
> Accept: */*
> X-Auth-Token: EbwQCDQ5r5xP6oPtqZBijqDr
>
< HTTP/1.1 401 Unauthorized
< Date: Thu, 06 Apr 2017 12:58:03 GMT
< Server: Apache/2.4.6 (CentOS)
< Vary: X-Auth-Token
< x-openstack-request-id: req-83ba9a7b-b199-49b6-ac83-ab828516a806
< WWW-Authenticate: Keystone uri="http://localhost:35357"
< Content-Length: 114
< Connection: close
< Content-Type: application/json
<
* Closing connection 0
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}[root@nailgun ~]#