tripleo

enable-ssh-admin.sh uploads private key to Mistral

Bug #1724578 reported by Jiří Stránský on 2017-10-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Medium	Jiří Stránský	tripleo queens-1

Bug Description

So far we haven't documented enable-ssh-admin.sh usage for end users, we only used it in CI. To be able to recommend it for operators, we should stop uploading the specified private key to Mistral, and find another way to let Mistral get initial control over the machines, e.g. by creating a short-lived key specifically for the enable-ssh-admin.sh script.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-18: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/513031

Changed in tripleo:
assignee:	nobody → Jiří Stránský (jistr)
status:	Triaged → In Progress

Jiří Stránský (jistr) on 2017-10-18

tags:

added: pike-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-22: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/513031
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b0e72c1413c9441aa592b56583e87715e7096152
Submitter: Zuul
Branch: master

commit b0e72c1413c9441aa592b56583e87715e7096152
Author: Jiri Stransky <email address hidden>
Date: Wed Oct 18 15:19:44 2017 +0200

Create short lived ssh key for enable-ssh-admin.sh

    Instead of using the key provided by user on the command line, create
    a new short-lived key, give it to Mistral to create a tripleo-admin
    user with it, and remove the short-lived key.

    Co-Authored-By: John Fulton <email address hidden>
    Change-Id: I6e6ed83fa62319d59d7289b16a1412a340ea6b26
    Closes-Bug: #1724578

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-23: Fix proposed to tripleo-heat-templates (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/514363

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-24: Fix merged to tripleo-heat-templates (stable/pike)

Reviewed: https://review.openstack.org/514363
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=492031afd388121cf62643812c5af59d823d0669
Submitter: Zuul
Branch: stable/pike

commit 492031afd388121cf62643812c5af59d823d0669
Author: Jiri Stransky <email address hidden>
Date: Wed Oct 18 15:19:44 2017 +0200

Create short lived ssh key for enable-ssh-admin.sh

    Instead of using the key provided by user on the command line, create
    a new short-lived key, give it to Mistral to create a tripleo-admin
    user with it, and remove the short-lived key.

    Co-Authored-By: John Fulton <email address hidden>
    Change-Id: I6e6ed83fa62319d59d7289b16a1412a340ea6b26
    Closes-Bug: #1724578
    (cherry picked from commit b0e72c1413c9441aa592b56583e87715e7096152)