[RFE] General baremetal node auth and token passing mechanism
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Ironic |
Fix Released
|
Wishlist
|
Unassigned | ||
Bug Description
Goals of this proposal are:
1) Improving baremetal node authentication
2) Secure way for passing auth token to node
Define security levels for node auth:
0 - no auth
1 - auth with hardware id (like S/N of bios, hdd etc.)
3 - auth with user pre-share key
This value should be stored in node secure storage.
1) Before deploy user sets some values for node in secure storage via Ironic API,
like this:
{
"hardware_id": sha1(sha1(
"user_key": sha1(sha1(user_key) + node_uuid)
....
"vendor_sn": sha1(sha1(
}
2) Node pass own info via special API method for node
{
"hardware_id": sha1(hardware_id)
"user_key": sha1(sha1(user_key)
....
"vendor_sn": sha1(sha1(
}
3) Ironic compares this data sets, and disallow operation with node if 1 or more keys does not match or too few parameters for defined security level.
4) Ironic uses Keystone OS-OAUTH1 extension for grant temporary access to the API,
(should validate request token from node):
http://
| Vladyslav Drok (vdrok) wrote | #1 |
| Changed in ironic: | |
| status: | New → Confirmed |
| importance: | Undecided → Wishlist |
| tags: | added: rfe |
| Jim Rollenhagen (jim-rollenhagen) wrote | #2 |
| tags: | added: needs-spec |
| Julia Kreger (juliaashleykreger) wrote | #3 |
| Changed in ironic: | |
| status: | Confirmed → Fix Released |
Depends on bug 1526745