/root/openrc is used for Neutron scripts

Bug #1396594 reported by Mike Scherbakov
This bug affects 2 people

Affects             Status         Importance  Assigned to                Milestone
Fuel for OpenStack  Fix Committed  High        Bogdan Dobrelya
  5.0.x             Won't Fix      Undecided   Fuel Library (Deprecated)
  5.1.x             Won't Fix      Undecided   Fuel Library (Deprecated)
  6.0.x             Fix Released   High        Alexander Nevenchannyy
  6.1.x             Fix Committed  High        Bogdan Dobrelya

Bug Description

It appears that during cluster operations the /root/openrc file is used by some Neutron-related scripts, for example q-agent-cleanup.py.
It is unacceptable for two reasons:
1) /root/ is not a place for service configuration files, and no Linux sysadmin in the world expects it. So it can easily be modified or removed by a sysadmin without any expectation that HA failover will fail to work properly afterwards.
2) Credentials hardcoded in the file can be changed by the admin in Horizon. In this case the file won't be updated, and again, the scripts which use it will simply fail.

I've run grep on the repo. It's probably fine to use this file for deployment, as it is managed and updated by Puppet, but not for operations like HA failover. Every occurrence of /root/openrc has to be either removed and a service token used instead (which won't get changed by the user in Horizon), or explained why it's OK to use it.

Also, we have to consider scale-up. If the user changes the default password in Horizon after initial deployment, then adds 2 controllers and deploys them, will deployment pass? If it still relies on openrc with settings defined before initial deployment, then it will fail for sure. Please investigate.

(env)mike@cvr-air ~/dev/fuel-library (git)-[master]-% grep -r "/root/openrc" *
deployment/puppet/ceph/examples/site.pp:# keystone. This is commonly inside /root/openrc on controllers
deployment/puppet/cluster/files/q-agent-cleanup.py: parser.add_argument("-c", "--auth-config", dest="authconf", default="/root/openrc",
deployment/puppet/neutron/examples/create_network.sh:source /root/openrc
deployment/puppet/openstack/files/filter_quantum_ports.py: parser.add_option("-c", "--auth-config", dest="authconf", default="/root/openrc",
deployment/puppet/openstack/manifests/auth_file.pp: file { '/root/openrc':
deployment/puppet/openstack/manifests/corosync.pp: #require =>[Package['corosync'],File['/root/openrc']],
deployment/puppet/openstack/manifests/network.pp: onlyif => "test -r /root/openrc",
deployment/puppet/openstack/manifests/network.pp: command => "bash -c \"source /root/openrc ; neutron net-list --http-timeout=4 \" 2>&1 > /dev/null",
deployment/puppet/openstack/manifests/test_file.pp:# variables. Optional. Defaults to /root/openrc.
deployment/puppet/openstack/manifests/test_file.pp: $rc_file_path = '/root/openrc',
deployment/puppet/openstack/README.md: /root/openrc
deployment/puppet/openstack/README.md: 1. Ensure that your authentication information is stored in /root/openrc.
deployment/puppet/openstack/README.md: source /root/openrc

Revision history for this message
Vladimir Kuklin (vkuklin) wrote :

I would not consider this bug a critical one. First of all, if you change the administrator user/password, then you just need to update the openrc file on all the controllers. In case you want to do it automatically using Fuel, you can use the Fuel CLI to update the access hash for the admin user credentials, upload it and redeploy the controller nodes by issuing an HTTP PUT request to http://<fuel>:8000/api/deploy?nodes=1,3,5 . In case of cluster scale-up you can update the cluster data the same way and simply click the 'deploy changes' button, which will redeploy all the controllers and update the openrc file correspondingly.

tags: added: release-notes
tags: added: docs
Revision history for this message
Mike Scherbakov (mihgen) wrote :

Vladimir,
1. Please provide an answer for every occurrence of /root/openrc in the sources: whether it's used, and what it affects. Also, respond to my questions, including the one on how it affects scale-up. We cannot simply close this as Won't Fix.
2. If we are so late in the dev cycle that we can't really fix it properly, then we must:
a) Put a header in the openrc file clearly explaining what this file is used for, that it should not be removed, with a reference to this bug.
b) Provide step-by-step instructions for the docs team on how to work around the issue. "HTTP PUT request to http://<fuel>:8000/api/deploy?nodes=1,3,5 ." is not sufficient.

Revision history for this message
Bogdan Dobrelya (bogdando) wrote :

I believe we should
1) create an additional user in the admin (or, if possible, the service) tenant at the deployment stage,
2) use ERB templates to put it into the right places (scripts which rely on openrc),
3) put a note into the docs about this special user and its important role, so that if the user changes its password, he should also update it in the specified files.

Revision history for this message
Mike Scherbakov (mihgen) wrote :

Can we avoid using a user at all, and use the service token only? In the worst case, use a user only for the first run, and use the service token once it's created.

Revision history for this message
Bogdan Dobrelya (bogdando) wrote :

AFAIK, we would then need a cluster-lifetime token, which is hardly a possible or secure solution. And we still need a user in order to get a new token once it has expired. Perhaps Keystone trusts could help as well: https://wiki.openstack.org/wiki/Keystone/Trusts

Revision history for this message
Bogdan Dobrelya (bogdando) wrote :

I mean we will need a dedicated user anyway. But trusts could help us to make a completely "rightless" service user which is allowed only to get tokens from Keystone.

Revision history for this message
Bogdan Dobrelya (bogdando) wrote :

So, first, at the deployment stage, we should create a user in the service tenant whose only permission is to get tokens. Next, also at the deployment stage, we delegate the permissions we want the service scripts to have in a trust creation request for that user. Once done, we could safely use the credentials of that user in the service scripts to get a token with the special permissions granted, and use it to perform the required tasks with the delegated rights. The main points:
1) The credentials we use in the script will allow nothing more than getting a token
2) If the credentials get compromised, the cloud admin could just remove the trust. That would stop the service scripts from operating, of course. So the cloud admin should then also change the password, recreate the trust and update the password in the service scripts (there should be a documented flow for this)

Please correct me if I understand trusts and delegations wrong :-)

no longer affects: fuel/6.0.x
Changed in fuel:
milestone: 6.0.1 → 6.1
no longer affects: fuel/6.1.x
Changed in fuel:
status: New → Confirmed
no longer affects: fuel/6.0.x
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-library (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/158091

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/158995

Changed in fuel:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/158996

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/158091
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=498cb1d2479464e03a2b349cd696c8e7fb4a8f08
Submitter: Jenkins
Branch: master

commit 498cb1d2479464e03a2b349cd696c8e7fb4a8f08
Author: Andrew Woodward <email address hidden>
Date: Sat Feb 21 13:15:37 2015 -0800

    Move admin user and openrc up so that it's not relied on

    The admin user defined in nailgun should not be used for any service
    purpose. This pulls the user out of the lower levels of the manifests
    so that it's harder to abuse this as a usage.

    Commonly other modules have their own admin {user,password,tenant}
    parameters which should not be confused with this admin user which is
    only for the enduser to consume.

    Related-bug: #1396594
    Related-bug: #1347542

    Change-Id: Ie991a64617919727724638d582af301ee4519655

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-library (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/164038

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/164038
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=f9d7cea16048b1805908d3d61fe930fbd0aa0f7d
Submitter: Jenkins
Branch: master

commit f9d7cea16048b1805908d3d61fe930fbd0aa0f7d
Author: Andrew Woodward <email address hidden>
Date: Tue Mar 10 16:12:22 2015 -0700

    Remove un-used filter_quantum_ports.py

    I can find no evidence of filter_quantum_ports.py being used by the
    components we deploy, therefore it should be removed.

    Change-Id: I5d830bf43cc4958700e53a3126b60dee4a0b1a87
    Related-bug: #1347542
    Related-bug: #1396594

Changed in fuel:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/158996
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=fa44e4ac5ef4428e58b4d1c8e93ba57b58e15818
Submitter: Jenkins
Branch: master

commit fa44e4ac5ef4428e58b4d1c8e93ba57b58e15818
Author: Andrew Woodward <email address hidden>
Date: Sun Feb 22 08:58:09 2015 -0800

    Remove openrc/admin-token usage in q-agent-cleanup.py

    Removes the openrc/admin-token deps in q-agent-cleanup.py. Instead it will
    read the neutron service credentials out of neutron.conf. This has the
    advantage that it must be up to date for neutron to function so if the
    credential is modified it will have to be updated by the administrator.

    Related-bug: #1347542
    Closes-bug: #1396594

    Change-Id: Iee0968a079deacef24b56f34e9314b0ebecad0ae
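
The approach taken by this fix (read the Neutron service credentials from neutron.conf rather than sourcing /root/openrc) and the trust-based delegation proposed by Bogdan above, as an added illustration that is not code from fuel-library or from this change. It assumes a [keystone_authtoken] section written in either the legacy admin_* style of that era or the newer username/password style, and the Keystone v3 request-body shapes for password auth, trust-scoped auth and trust creation; the sample neutron.conf and all IDs are constructed.

```python
"""Load Neutron service credentials from neutron.conf, never from /root/openrc,
and build Keystone v3 request bodies (project-scoped or trust-scoped)."""
import configparser
import json

# Constructed sample of a neutron.conf [keystone_authtoken] section in the
# legacy admin_* style written by deployment tooling of that era (not real).
SAMPLE_NEUTRON_CONF = """
[DEFAULT]
core_plugin = ml2

[keystone_authtoken]
auth_uri = http://192.168.0.2:5000/
identity_uri = http://192.168.0.2:35357/
admin_tenant_name = services
admin_user = neutron
admin_password = constructed-neutron-password
"""

# Option names for the legacy (admin_*) and the newer keystoneauth style.
_LEGACY_KEYS = {"user": "admin_user", "password": "admin_password",
                "project": "admin_tenant_name"}
_MODERN_KEYS = {"user": "username", "password": "password",
                "project": "project_name"}


class CredentialError(RuntimeError):
    """neutron.conf carries no usable service credentials: fail loudly instead
    of silently falling back to a file like /root/openrc."""


def load_service_credentials(conf_text):
    """Return {user, password, project, auth_url} from [keystone_authtoken].

    Because Neutron itself cannot work unless this section is current, the
    administrator has to keep it up to date, which is exactly what makes it a
    safer source for service scripts than an unmanaged /root/openrc."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("keystone_authtoken"):
        raise CredentialError("neutron.conf has no [keystone_authtoken] section")
    section = parser["keystone_authtoken"]
    keys = _MODERN_KEYS if "username" in section else _LEGACY_KEYS
    try:
        creds = {name: section[opt] for name, opt in keys.items()}
    except KeyError as exc:
        raise CredentialError("missing %s in [keystone_authtoken]" % exc) from None
    # Prefer an explicit auth_url, then the admin endpoint, then the public one.
    for url_key in ("auth_url", "identity_uri", "auth_uri"):
        if url_key in section:
            creds["auth_url"] = section[url_key].rstrip("/")
            break
    else:
        raise CredentialError("no Keystone endpoint in [keystone_authtoken]")
    return creds


def token_request(creds, trust_id=None):
    """Body for POST <auth_url>/v3/auth/tokens.

    With trust_id the token is scoped to the trust, so it carries only the
    roles the trustor delegated; otherwise it is scoped to the service project."""
    user = {"name": creds["user"], "domain": {"id": "default"},
            "password": creds["password"]}
    body = {"auth": {"identity": {"methods": ["password"], "password": {"user": user}}}}
    if trust_id:
        body["auth"]["scope"] = {"OS-TRUST:trust": {"id": trust_id}}
    else:
        body["auth"]["scope"] = {"project": {"name": creds["project"],
                                             "domain": {"id": "default"}}}
    return body


def trust_request(trustor_user_id, trustee_user_id, project_id, roles, expires_at=None):
    """Body for POST <auth_url>/v3/OS-TRUST/trusts: the trustor (an admin) delegates
    exactly `roles` on `project_id` to the low-privilege trustee (the script's user).
    Deleting the trust later revokes what the script can do without touching the
    admin password."""
    trust = {"trustor_user_id": trustor_user_id, "trustee_user_id": trustee_user_id,
             "project_id": project_id, "impersonation": False,
             "roles": [{"name": role} for role in roles]}
    if expires_at:
        trust["expires_at"] = expires_at
    return {"trust": trust}


if __name__ == "__main__":
    creds = load_service_credentials(SAMPLE_NEUTRON_CONF)
    print(creds["auth_url"] + "/v3/auth/tokens")
    print(json.dumps(token_request(creds), indent=2))
    # Trust IDs below are placeholders, not values from any real deployment.
    print(json.dumps(token_request(creds, trust_id="TRUST-ID-PLACEHOLDER"), indent=2))
    print(json.dumps(trust_request("ADMIN-USER-ID", "SCRIPT-USER-ID", "PROJECT-ID",
                                   ["network_cleanup"]), indent=2))
```

The loader raises instead of falling back when the section or a key is missing, so a script fails at startup rather than quietly picking up stale credentials from another file; the trust-scoped variant shows how the same loaded credentials can obtain a token limited to delegated roles.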

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/158995
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=39ffb27264509b5f7722922847efe9c4567d3045
Submitter: Jenkins
Branch: master

commit 39ffb27264509b5f7722922847efe9c4567d3045
Author: Andrew Woodward <email address hidden>
Date: Tue Feb 24 17:12:12 2015 -0800

    Don't rely on /root/openrc

    Instead of relying on the presence of /root/openrc file all calls should
    assume it doesn't exist and pass credentials, or set up the env vars
    themselves. In these cases we use existing service users instead of the
    more volatile admin credentials.

    We still create /root/openrc, but its use is only for the end user.

    Also removes the old and unused openstack::test_file

    Related-bug: #1396594
    Related-bug: #1347542

    Change-Id: I66a20d09d8515f21a7c71a6b8056bc483f6ea3f6

tags: added: release-notes-done
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/6.0)

Fix proposed to branch: stable/6.0
Review: https://review.openstack.org/192127

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-docs (stable/6.1)

Related fix proposed to branch: stable/6.1
Review: https://review.openstack.org/194961

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-docs (stable/6.1)

Reviewed: https://review.openstack.org/194961
Committed: https://git.openstack.org/cgit/stackforge/fuel-docs/commit/?id=0e26e7d7cc153d179ec34985645dd23cdd239ddb
Submitter: Jenkins
Branch: stable/6.1

commit 5cc5f0c643aebecaf3bf4580535a3ea7c3334a6c
Author: Mike Scherbakov <email address hidden>
Date: Tue Jun 23 13:43:35 2015 -0700

    Removed streamlined patching backend pieces

    Change-Id: I955e76ccdbd12a9145f4e9b689f80bdf9fcaf929

commit 563c4b5c78ebfcb1f4f91047c2919f6270f9a1d4
Author: Mike Scherbakov <email address hidden>
Date: Tue Jun 23 13:30:30 2015 -0700

    Removed outdated patching guide

    Change-Id: I76180c277789ade9c5ebedd19fe2092847c0b7d9

commit 8d120c14bec1ab41d448683ad146a3053a57c4ee
Author: Irina Povolotskaya <email address hidden>
Date: Tue Jun 23 19:59:11 2015 +0300

    Add dual hypervisor ref arch into 6.1 docs

    Change-Id: I900c24c9de878eafadbfc995aa879b7f55737fac

commit feebd1592d3305b64bbdfd0bc5fe108190aef120
Author: OlgaGusarenko <email address hidden>
Date: Tue Jun 23 18:38:17 2015 +0300

    [OPs guide] Running Ceilometer section edits

    1. conf file extract is updated
    2. note is updated

    Closes-bug: 1467817
    Change-Id: I0217e164108e0ba6c1397045a5e57d13ff429223

commit 44a93f9dead7511a3461ec35248dbb689c81eafd
Author: OlgaGusarenko <email address hidden>
Date: Tue Jun 23 18:04:40 2015 +0300

    [RN6_1] Final changes

    1. capitalization
    2. 2014.2 to 2014.2.2
    3. general improvements

    Change-Id: I45057e90c90550559f66bc67ccdf97a559fd9000

commit bb41389cae58084285688853281516b659686422
Author: evkonstantinov <email address hidden>
Date: Tue Jun 23 16:45:35 2015 +0300

    Update patching description

    Update patching description with
    the standard Linux commands.

    Change-Id: Ia1a8346639c468fdfce15a11d2430bf3a4731244

commit bf3018fae3f2e564413d33aba6cdebf8868f0b4e
Author: OlgaGusarenko <email address hidden>
Date: Tue Jun 23 15:55:49 2015 +0300

    [RN6_1] Clean up

    1. Rearranges sections
    2. Improves RST
    3. Changes titles order

    Change-Id: I6110bf515667d3d6ba08ad35ff5d593dbc96641e

commit 1c7e4457808e8f2d6c56fdf31252170972e444b9
Author: Maria Zlatkova <email address hidden>
Date: Tue Jun 23 15:26:28 2015 +0300

    Replaces VBOX screenshots

    This patch:
    - replaces VBOX screenshots
    - changes the link for Download Mirantis VirtualBox scripts
     to https://docs.mirantis.com/openstack/fuel/fuel-master/#downloads

    Change-Id: I58dede960c5c3355d39b07ff44b757403f6af02c
    Closes-Bug: #1467872

commit 0a568bf53fc0e25d1d692d5d74b4a7b4d983bbcc
Author: evkonstantinov <email address hidden>
Date: Tue Jun 23 14:01:55 2015 +0300

    6.1 --separate repos

    change wording and add links to the
    separate repos feature.

    Change-Id: Ib5d0778a0d8f1534f79ed2f553574cb69a3150b0

commit 95a188b21cbdd064d92696b7920e6a0105fe0c56
Author: Maria Zlatkova <email address hidden>
Date: Tue Jun 23 12:07:28 2015 +0300

    Corrects the output 'pcs status'

    Changes the example outputs to appropriate ones.

    Change-Id: Ib6d83...

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/6.0)

Reviewed: https://review.openstack.org/192127
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=fa790193cbe218539ba341080815c4ead5a7fd12
Submitter: Jenkins
Branch: stable/6.0

commit fa790193cbe218539ba341080815c4ead5a7fd12
Author: Andrew Woodward <email address hidden>
Date: Sun Feb 22 08:58:09 2015 -0800

    Remove openrc/admin-token usage in q-agent-cleanup.py

    Removes the openrc/admin-token deps in q-agent-cleanup.py. Instead it will
    read the neutron service credentials out of neutron.conf. This has the
    advantage that it must be up to date for neutron to function so if the
    credential is modified it will have to be updated by the administrator.

    Related-bug: #1347542
    Closes-bug: #1396594

    Conflicts:
     deployment/puppet/cluster/files/q-agent-cleanup.py
     utils/jenkins/python-test-requirements.txt

    Change-Id: Iee0968a079deacef24b56f34e9314b0ebecad0ae
