Remove the dependency between docker registry auth and keystone admin user
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
StarlingX | Fix Released | High | Jerry Sun | |
Bug Description
Brief Description
-----------------
Currently, the local docker registry authorization is set up such that the keystone 'admin' user has push/pull permissions for ANY folder/repository. This dependency on the keystone admin user has caused issues when the keystone admin password is changed by the end user. See https:/
After discussing with Greg Waines, he suggested that the better option would be to remove the dependency between the docker registry authentication and the keystone admin user.
This is the suggested proposal:
- Auto create new 'registry' user under the 'services' project at bootstrap/install time
- with a randomly generated password ... stored in keyring
- ensure existing functionality to prevent password change to 'services' project users works for this user,
- populate existing K8S Secrets in kube-system namespace (default-
- remove change to update this key on admin/admin keystone password change
(revert the fix for https:/
- modify registry authorization to allow RW access to all images for this services/registry user
- in addition to existing admin/admin user ... just for initial backwards compatibility
Severity
--------
Major
System Configuration
-------
any
Branch/Pull Time/Commit
-------
any recent stx master load
Last Pass
---------
N/A
Timestamp/Logs
--------------
See LPs referenced in the Description
Test Activity
-------------
Code analysis
Workaround
----------
N/A
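
The proposal above, sketched as an added example (not StarlingX code): generate a random password for the `registry` service user, build the `kubernetes.io/dockerconfigjson` pull secret from it, and audit a secret for a remaining dependency on the keystone `admin` user. The registry address and secret name are placeholders (the secret name on this page is truncated), and storing the password in keyring is left out.

```python
import base64
import json
import secrets

REGISTRY = "registry.local:9001"      # assumed registry address (placeholder)
SECRET_NAME = "registry-pull-secret"  # hypothetical; the page's secret name is truncated


def generate_password(nbytes=32):
    """Random password for the 'registry' service user (CSPRNG-backed)."""
    return secrets.token_urlsafe(nbytes)


def build_pull_secret(username, password, registry=REGISTRY,
                      name=SECRET_NAME, namespace="kube-system"):
    """Return a kubernetes.io/dockerconfigjson Secret manifest as a dict."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {registry: {"username": username,
                                "password": password,
                                "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(cfg).encode()).decode()},
    }


def secret_usernames(manifest):
    """Decode a pull secret and return {registry: username} for auditing."""
    cfg = json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))
    out = {}
    for reg, entry in cfg.get("auths", {}).items():
        user = entry.get("username")
        if user is None and "auth" in entry:  # some secrets carry only 'auth'
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        out[reg] = user
    return out


def depends_on_admin(manifest):
    """True if any registry entry still authenticates as keystone 'admin'."""
    return "admin" in secret_usernames(manifest).values()


if __name__ == "__main__":
    new = build_pull_secret("registry", generate_password())
    legacy = build_pull_secret("admin", "constructed-sample-password")
    print(depends_on_admin(new), depends_on_admin(legacy))
```
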
Changed in starlingx:
assignee: nobody → Jerry Sun (jerry-sun-u)
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
tags: added: stx.4.0 stx.containers stx.security
Changed in starlingx:
status: Triaged → In Progress
Changed in starlingx:
status: In Progress → Fix Released
tags: added: stx.retestneeded
tags: removed: stx.retestneeded
Fix proposed to branch: master
Review: https://review.opendev.org/736417