Sahara

[Docs] "admin" term is confusing is savanna

Bug #1238565 reported by Andrew Lazarev
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Sahara
Fix Released
Low
Matthew Farrellee
Sahara 0.3

Bug Description

In savanna.conf we have os_admin_username, os_admin_password, os_admin_tenant_name parameters. This is just user for tokens check, not Openstack admin.

In Context class we have is_admin field. It means that we are ignoring tenant working with DB.

In both cases "admin" term is frustrating. In first case it should be something like "token manager". In the second it should be linked with DB somehow.

So, we should ensure that docs contain enough info about os_admin_* user responsibilities.

See original description
Tags: docs
Revision history for this message
Sergey Lukjanov (slukjanov) wrote :

It's the common practice to use such naming - https://github.com/openstack/nova/blob/master/etc/nova/api-paste.ini#L121

Revision history for this message
Matthew Farrellee (mattf) wrote :

It's true that right now "os_admin_username/password" can be easily confused with the need for "THE admin user" credentials, instead of "AN admin level user for auth checks" credentials.

We should be looking into setting up a savanna user similar to the cinder, glance, nova, etc users. Admin level accounts that can only be used for auth checks.

Revision history for this message
Sergey Lukjanov (slukjanov) wrote :

Matt, we're already using such only-auth-token-check users, so, that's not a bug, but we can keep it to ensure that enough info exists in docs on this topic.

summary: - "admin" term is confusing is savanna
+ [Docs] "admin" term is confusing is savanna
tags: added: docs
description: updated
Changed in savanna:
status: New → Confirmed
importance: Undecided → Low
milestone: none → icehouse-2
Sergey Lukjanov (slukjanov)
Changed in savanna:
status: Confirmed → Triaged
milestone: icehouse-2 → icehouse-1
Matthew Farrellee (mattf)
Changed in savanna:
assignee: nobody → Matthew Farrellee (farrellee)
Revision history for this message
Matthew Farrellee (mattf) wrote :

I went through the current docs and help messages, and they appear clear to me. The main reference being in main.py,

    cfg.StrOpt('os_admin_username',
               default='admin',
               help='This OpenStack user is used to verify provided tokens. '
                    'The user must have admin role in <os_admin_tenant_name> '
                    'tenant'),
    cfg.StrOpt('os_admin_password',
               default='nova',
               help='Password of the admin user'),
    cfg.StrOpt('os_admin_tenant_name',
               default='admin',
               help='Name of tenant where the user is admin')

I think this has been addressed in the 0.3 release already. If you disagree please re-open and point to the confusing text.

Note for searchers, we don't talk about how to use a user other than "admin", here's a quick recipe -

If using default admin account,
   SAVANNA_TENANT=$OS_TENANT_NAME
   SAVANNA_USER=$OS_USERNAME
   SAVANNA_PASSWORD=$OS_PASSWORD
 else,
   SAVANNA_TENANT=services
   SAVANNA_USER=savanna
   SAVANNA_PASSWORD=$(uuidgen)
   # Adapted from /usr/share/keystone/sample_data.sh
   function get_id { echo `"$@" | grep ' id ' | awk '{print $4}'`; }
   ADMIN_ROLE=$(get_id keystone role-get admin)
   SERVICE_TENANT_ID=$(get_id keystone tenant-get $SAVANNA_TENANT)
   SAVANNA_USER_ID=$(get_id keystone user-create --name=$SAVANNA_USER --pass="${SAVANNA_PASSWORD}")
   keystone user-role-add --user-id $SAVANNA_USER_ID --role-id $ADMIN_ROLE --tenant-id $SERVICE_TENANT_ID

openstack-config --set /etc/savanna/savanna.conf DEFAULT os_admin_tenant_name $SAVANNA_TENANT
openstack-config --set /etc/savanna/savanna.conf DEFAULT os_admin_username $SAVANNA_USER
openstack-config --set /etc/savanna/savanna.conf DEFAULT os_admin_password $SAVANNA_PASSWORD

I make no claim that uuidgen is a legit password!

Changed in savanna:
milestone: icehouse-1 → none
status: Triaged → Fix Released
Sergey Lukjanov (slukjanov)
Changed in savanna:
milestone: none → 0.3
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.