Allow admin to upload SSH keypair on behalf of an user

Bug #1450454 reported by Miroslav Suchý
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Opinion
Importance: Wishlist
Assigned to: Unassigned

Bug Description

I am setting up OpenStack instance configuration in an Ansible manifest, so in case of a failure, I can rebuild the instance. We have a lot of users and we have central storage of their SSH keys.

I can upload the SSH keys at early hours of OpenStack instance by:
  nova --os-username USER1 --os-password USER1_PASSWORD --os-tenant-name FOO keypair-add --pub-key user1.pub user1

However, this requires that we track the password we initially set, and I could not do that once the user changes his password (and I do not know the password).
I can then do:
  nova --os-username ADMIN --os-password ADMIN_PASSWORD --os-tenant-name FOO keypair-add --pub-key user1.pub user1
but then user1 does not see this keypair and is unable to manage his own key.

It would be nice if an admin user could upload and delete an SSH key on behalf of a user. I.e., the admin uploads an SSH key for a user and that user can see/delete that SSH key.

This way, when a user alters his SSH key in the central repository, we can sync it to OpenStack. It will tighten security because we would not need to track users' initial passwords separately. And it will lower the need for human assistance when reprovisioning the whole OpenStack infrastructure.

Tags: api
Eli Qiao (taget-9)
Changed in nova:
assignee: nobody → Eli Qiao (taget-9)
Eli Qiao (taget-9) wrote :

Currently keypairs are uploaded per project. There is a spec related to your requirement,
but that one is to let an admin query the keypairs of a normal user.
If you have any requirements, please put a comment on that one.
https://review.openstack.org/#/c/175579/

Miroslav Suchý (msuchy) wrote :

> currently keypair are uploaded per project
Despite the fact that you have to specify a tenant when you are uploading a keypair, it is visible from other tenants (to which the user has access).

> if you have any requirement , please put comment on that one.
> https://review.openstack.org/#/c/175579/
I have no idea what the internal OpenStack development processes look like. I'm just a power user. Therefore I will not go beyond this bug (RFE) report.

Changed in nova:
importance: Undecided → Wishlist
summary: - RFE: allow admin to upload SSH keypair on behalf of an user
+ Allow admin to upload SSH keypair on behalf of an user
tags: added: api security
tags: removed: security
tags: added: low-hanging-fruit
Changed in nova:
status: New → Confirmed
Changed in nova:
status: Confirmed → New
status: New → Confirmed
Sean Dague (sdague) wrote :

This is an API change which requires a spec. Closing as Opinion, because we aren't tracking feature requests here.

tags: removed: low-hanging-fruit
Changed in nova:
status: Confirmed → Opinion
assignee: Eli Qiao (taget-9) → nobody
Matt Riedemann (mriedem) wrote :

See https://specs.openstack.org/openstack/nova-specs/readme.html for how to propose a spec for this.
