Authorize nova created ipa account to access Vault

Bug #1721003 reported by Cédric Jeanneret deactivated
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
novajoin
Undecided
Unassigned

Bug Description

Hello!

Since freeipa 4.5, a new service is included: Vault. Its backend is Custodia, and it would be really cool that novajoin add related permissions in order to let "nova" access that new service.

Thank you :)

Cheers,

C.

summary: - Authorize nova created ip account to access Vault
+ Authorize nova created ipa account to access Vault
Revision history for this message
Rob Crittenden (rcritten) wrote :

Not sure what you have in mind here. The nova interaction with IPA via novajoin is to manage IPA host entries when nova instances are created or destroyed.

What would you have nova do with the vault?

Revision history for this message
Cédric Jeanneret deactivated (cjeanneret-c2c-deactivated) wrote :

Hello Rob,

Here's some context:
I'm coding a script that will allow to get a let's encrypt certificate and share it between the controllers for CloudDomain domain.

Thus, it would be good if the overcloud nodes could access Vault service using the keytab they get when registered in IPA using the novajoin on the undercloud.

That way, my script will be able to:
- securely access the secret storage containing private key, certificate and chain
- ensure accesses are authenticated (with the keytab)
- ensure the authenticated principal is allowed to access the vault

Plus, doing so would prevent the need to get a standalone custodia running somewhere.

Does it make sense?

Cheers,

C.

Revision history for this message
Rob Crittenden (rcritten) wrote :

I guess it depends on what operations you want the novajoin user to be able to perform.

In the broadest case you could create a new role in IPA and add the privilege 'Vault Administrators' and assign the nova service principal. I think this should do it:

$ ipa role-add 'Vault Access'
$ ipa role-add-privilege 'Vault Access' --privilege 'Vault Administrators'
$ ipa role-add-member 'Vault Access' --service nova/undercloud.example.com

This would allow the nova keytab to manage vaults.

If you wanted to limit the operations you'd need to create a more targeted privilege and add th at to some role.

Revision history for this message
Cédric Jeanneret deactivated (cjeanneret-c2c-deactivated) wrote :

Hmm yep. That's for the undercloud rights - for the overcloud, I think it would be a bit less "admin": undercloud might create a sharedVault and add the roles it creates for the hosts to that shared vault. That would be the smartest.

Could that feature be added to novajoin?

Cheers,

C.

Revision history for this message
Raildo Mascena de Sousa Filho (raildo) wrote :

Hi Cédric,

I don't know if you have heard about Castellan: https://wiki.openstack.org/wiki/Castellan, but we are developing two new drivers for it: the first one for Vault: https://review.openstack.org/#/c/483080/ and we are planning to develop another one for Custodia, that will be very similar to that one.

So I just didn't understand so much how that interaction between Vault and Custodia works for your use case, but can you confirm that drivers will cover what you want or do you need any extra feature for that?

Cheers,

Revision history for this message
Cédric Jeanneret deactivated (cjeanneret-c2c-deactivated) wrote :

Hello Raildo,

Oh, nope, I wasn't aware of that Castellan, though I know a bit about Barbican.

Just so that you know: Custodia is the internal backend of IPA Vault service - my intend is "just" to be able to access IPA Vault using the novajoin generated principals on the openstack Controllers.

Please note that I'm mainly speaking about TripleO deployment, meaning the "secret storage" service (whatever it is) must be either external to the tripleO env (like an already running FreeIPA), or existing on the undercloud (like a local Custodia running on the undercloud server - my first iteration).
Hence, Castellan should be available from the overcloud-full image and so on.

Thanks for the pointer to that possibility, I'll keep an eye on the project :).

Cheers,

C.

Revision history for this message
Cédric Jeanneret deactivated (cjeanneret-c2c-deactivated) wrote :

oh and I'm speaking about IPA Vault, not the Hashicorp Vault thinggy. Of course, projects having the same name are a trend ;).

Cheers,

C.

Changed in novajoin:
status: New → Triaged
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers