[RFE] Configuration of shared IPMI credentials

Bug #1526365 reported by Vladyslav Drok
This bug affects 1 person
Affects: Ironic
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

The Ironic reference driver uses an out-of-band management channel for power management, node restart and, later, for low-level node monitoring purposes. For channel establishment, the Ironic conductor shall pass the IPMI authentication procedure using a pre-shared secret. Currently, the security credentials used for authentication are configured in the Ironic database via the RESTful API, and activation of the credentials on the BMC side shall be performed in an external manner.

This blueprint suggests a method to generate, share and configure the BMC secret without manual intervention in the following scenarios:
1. Generation and sharing of a secret on automatic node discovery
2. Generation and sharing of a secret on explicit REST API requests
3. Extension of the procedures above when an external secret store, e.g. Barbican, is used

For this purpose:
- The Ironic Agent is to be extended with a new API and a new service to update BMC user credentials via an in-band method, not requiring authentication
- The Ironic API is extended with a new vendor passthrough method for setting a new BMC password
- The IPMI/PXE driver is updated to generate and store a secret on node discovery and on explicit API, and to send it to the Ironic Agent
- The IPMI/PXE driver is updated to optionally use an external secret storage (Barbican)

Tags: needs-spec rfe
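
Added example, not part of the original report and not Ironic code: a sketch of the generate / set in-band / store sequence the description proposes. It assumes ipmitool's local "open" interface as the in-band method, collapses the driver and agent sides into one process, and uses a plain dict as a stand-in for the Ironic database or Barbican; the function names are hypothetical.

```python
import secrets
import string
import subprocess

# IPMI 2.0 caps user passwords at 20 bytes (IPMI 1.5: 16).
IPMI20_MAX_PASSWORD_LEN = 20
ALPHABET = string.ascii_letters + string.digits


def generate_bmc_secret(length=IPMI20_MAX_PASSWORD_LEN):
    """Return a random BMC password drawn from a CSPRNG."""
    if not 1 <= length <= IPMI20_MAX_PASSWORD_LEN:
        raise ValueError("IPMI 2.0 passwords are 1..20 bytes")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def inband_set_password_argv(user_id, secret):
    """argv for setting a BMC user's password over the local interface.

    '-I open' talks to the BMC through the host's OpenIPMI driver, so no
    existing BMC password is needed. The secret is visible in the process
    list while the command runs.
    """
    return ["ipmitool", "-I", "open", "user", "set", "password",
            str(int(user_id)), secret, str(IPMI20_MAX_PASSWORD_LEN)]


def rotate_bmc_secret(node_uuid, user_id, store, run=subprocess.run):
    """Generate a secret, set it in-band, then record it for the node.

    The store (hypothetical stand-in for the Ironic DB or Barbican) is
    written only after the BMC accepted the password, so a failed update
    never leaves a credential on record that the BMC rejects.
    """
    secret = generate_bmc_secret()
    result = run(inband_set_password_argv(user_id, secret), check=False)
    if result.returncode != 0:
        return False
    store[node_uuid] = secret
    return True
```

Because the in-band path needs no existing password, a rotation that fails at either step can simply be retried with a fresh secret.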
Vladyslav Drok (vdrok)
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
tags: added: rfe
Jim Rollenhagen (jim-rollenhagen) wrote :

This will need a spec.

tags: added: needs-spec