Remove the dependency between docker registry auth and keystone admin user

Bug #1882117 reported by Ghada Khalil
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Jerry Sun

Bug Description

Brief Description
-----------------
Currently, the local docker registry authorization is set up such that the keystone 'admin' user has push/pull permissions for ANY folder/repository. This dependency on the keystone admin user has caused issues when the keystone admin password is changed by the end user. See https://bugs.launchpad.net/starlingx/+bug/1853017 for more details. The current fix monitors keystone admin user changes and updates the registry authentication accordingly. However, recently it was determined that containerd also requires the registry authentication information; see https://bugs.launchpad.net/starlingx/+bug/1881353

After discussing with Greg Waines, he suggested that the better option would be to remove the dependency between the docker registry authentication and the keystone admin user.

This is the suggested proposal:
- Auto create new 'registry' user under the 'services' project at bootstrap/install time
    - with a randomly generated password ... stored in keyring
    - ensure existing functionality to prevent password change to 'services' project users works for this user
    - populate existing K8S Secrets in kube-system namespace (default-registry-key and registry-local-secret) with credentials for this user
        - remove change to update this key on admin/admin keystone password change (revert the fix for https://bugs.launchpad.net/starlingx/+bug/1853017)
    - modify registry authorization to allow RW access to all images for this services/registry user
        - in addition to existing admin/admin user ... just for initial backwards compatibility

Severity
--------
Major

System Configuration
--------------------
any

Branch/Pull Time/Commit
-----------------------
any recent stx master load

Last Pass
---------
N/A

Timestamp/Logs
--------------
See LPs referenced in the Description

Test Activity
-------------
Code analysis

Workaround
----------
N/A

Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Jerry Sun (jerry-sun-u)
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
tags: added: stx.4.0 stx.containers stx.security
Ghada Khalil (gkhalil)
Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to containers (master)

Fix proposed to branch: master
Review: https://review.opendev.org/736417

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)

Fix proposed to branch: master
Review: https://review.opendev.org/736419

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/736420

OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/737195

OpenStack Infra (hudson-openstack) wrote : Fix merged to containers (master)

Reviewed: https://review.opendev.org/736417
Committed: https://git.openstack.org/cgit/starlingx/containers/commit/?id=9aed7196fa8e989fc090161f5b5a92c9ddbeab3e
Submitter: Zuul
Branch: master

commit 9aed7196fa8e989fc090161f5b5a92c9ddbeab3e
Author: Jerry Sun <email address hidden>
Date: Wed Jun 17 22:37:28 2020 -0400

    Promote sysinv to registry admin

    This commit gives 'registry admin' powers to the 'sysinv' user for
    pushing and pulling all repos. Using sysinv instead of the keystone
    admin will prevent lockout of the keystone admin user if the
    credentials change. The old 'admin' will continue to have admin
    powers.

    Partial-bug: 1882117

    Change-Id: I0544525e218a7a16d560e2a96c2a878696b75837
    Signed-off-by: Jerry Sun <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Change abandoned on stx-puppet (master)

Change abandoned by Jerry Sun (<email address hidden>) on branch: master
Review: https://review.opendev.org/737195
Reason: no longer adding a new user to act as a registry admin, using existing sysinv instead

Ghada Khalil (gkhalil) wrote :

Attempts to add a new registry user over an upgrade from 20.04 to 20.06 have failed. Instead, we agreed to transition to using the sysinv user as a registry admin. This will achieve the same goal of decoupling the registry access from the keystone admin user.

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/736419
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=fed463e024918c6224b572741f022005066b49be
Submitter: Zuul
Branch: master

commit fed463e024918c6224b572741f022005066b49be
Author: Jerry Sun <email address hidden>
Date: Wed Jun 17 22:41:21 2020 -0400

    Update ansible to use sysinv user for registry

    This commit makes ansible use 'sysinv' to access the registry
    instead of 'admin'

    Partial-bug: 1882117
    Depends-On: https://review.opendev.org/#/c/736417/

    Change-Id: Id0109fa5d1c83dc6fed7248fda7fbb8b4a09602a
    Signed-off-by: Jerry Sun <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/736420
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=95232accec4ed2b09a582061709b32855038db8f
Submitter: Zuul
Branch: master

commit 95232accec4ed2b09a582061709b32855038db8f
Author: Jerry Sun <email address hidden>
Date: Wed Jun 17 22:42:44 2020 -0400

    Update sysinv to use sysinv as registry user

    This commit makes sysinv use 'sysinv' to access the registry
    instead of 'admin'

    Partial-bug: 1882117
    Depends-On: https://review.opendev.org/#/c/736419/

    Change-Id: Ibdfeccf950fae7376e7f98d697a7066c95f28b9e
    Signed-off-by: Jerry Sun <email address hidden>

Ghada Khalil (gkhalil)
Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.retestneeded
Ghada Khalil (gkhalil)
tags: removed: stx.retestneeded