Allow admin to upload SSH keypair on behalf of an user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Opinion | Wishlist | Unassigned |
Bug Description
I am setting up OpenStack instance configuration in an Ansible manifest, so that in case of a failure I can rebuild the instance. We have a lot of users and we have central storage of their SSH keys.
I can upload the SSH keys in the early hours of the OpenStack instance by:
nova --os-username USER1 --os-password USER1_PASSWORD --os-tenant-name FOO keypair-add --pub-key user1.pub user1
However, this requires that we track the password we initially set, and I could not do that once the user changes his password (and I do not know the password).
I can then do:
nova --os-username ADMIN --os-password ADMIN_PASSWORD --os-tenant-name FOO keypair-add --pub-key user1.pub user1
but then user1 does not see this keypair and is unable to manage his own key.
It would be nice if the admin user could upload and delete an SSH key on behalf of a user, i.e. the admin uploads an SSH key for a user and that user can see/delete that SSH key.
This way, when a user alters his SSH key in the central repository, we can sync it to OpenStack. It will tighten security because we would not need to track users' initial passwords separately, and it will lower the need for human assistance when reprovisioning the whole OpenStack infrastructure.
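An added example, not part of the original bug report and not nova code: the planning half of the sync the report describes, comparing a central key store with the keypairs already registered for a user. It uses the colon-separated MD5 fingerprint form that nova reports for SSH keypairs. The function names, keypair names and key blobs are constructed for illustration, and the upload and delete calls themselves are left out.

```python
import base64
import hashlib

def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 of the key blob in an OpenSSH public key line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def plan_sync(central, deployed):
    """central: {keypair name: public key line} from the central key store.
    deployed: {keypair name: fingerprint} currently registered for the user.
    Returns (action, name) tuples in order; a changed key is delete then add."""
    plan = []
    for name, line in central.items():
        try:
            wanted = md5_fingerprint(line)
        except ValueError:  # binascii.Error (bad base64) is a ValueError
            plan.append(("skip-invalid", name))  # never upload a malformed key
            continue
        have = deployed.get(name)
        if have is None:
            plan.append(("add", name))
        elif have.lower() != wanted:
            plan.append(("delete", name))  # key was rotated centrally
            plan.append(("add", name))
    for name in deployed:
        if name not in central:
            plan.append(("delete", name))  # key was removed from the central store
    return plan

def sample_line(raw):
    """Constructed stand-in for a public key line; the blob is not a real key."""
    return "ssh-ed25519 " + base64.b64encode(raw).decode() + " user1@example"

# Constructed sample state for one user (hypothetical keypair names).
CENTRAL = {
    "user1": sample_line(b"constructed-key-A"),
    "user1-laptop": sample_line(b"constructed-key-B"),
    "broken": "ssh-rsa not*base64",
}
DEPLOYED = {
    "user1": md5_fingerprint(sample_line(b"constructed-old-key")),
    "user1-laptop": md5_fingerprint(sample_line(b"constructed-key-B")),
    "user1-retired": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
}
```

Comparing fingerprints rather than names catches a key that was rotated in the central store while keeping its keypair name.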
Changed in nova:
assignee: nobody → Eli Qiao (taget-9)
Changed in nova:
importance: Undecided → Wishlist
summary:
- RFE: allow admin to upload SSH keypair on behalf of an user
+ Allow admin to upload SSH keypair on behalf of an user
tags: added: api security
tags: removed: security
tags: added: low-hanging-fruit
Changed in nova:
status: New → Confirmed
Changed in nova:
status: Confirmed → New
status: New → Confirmed
Currently keypairs are uploaded per project; there is a spec related to your requirement: https://review.openstack.org/#/c/175579/
but that one lets the admin query the keypairs of a normal user.
If you have any requirements, please put a comment on that one.