We should assume that the admin credentials are already invalid. We have some possible options that I can think of:

- Create an additional user. The risk here is that it will be deleted, disabled or re-keyed, the same as with admin.
- Use the existing service accounts (nova, neutron, keystone, cinder) (this is the plan for removing deps on ~/openrc)

> The questions are:
>
> 1. Does anybody have a feature which also requires an additional OpenStack user?

moving from admin / openrc back to service accounts

> 1. We need only readonly access for fetching workloads. But if anybody wants to use this user for other tasks, we can grant the required rights to the user. Should we create the user with full access or restrict them to readonly access?

read only would be preferred, we should have the least amount of access possible to complete the snooping. It reduces attack surfaces

> 1. Should the credentials of the user be the same for all environments?

I would attempt to keep them unique per env

> 1. Where is the best place for storing the credentials of the user? DB or yaml?

It will have to be sent to the yaml in order to get the deployment task to create it, but you will also want to store it in the db.

> 1. Should we have a UI for changing credentials?

Yes, we should probably be able to change the credential, however I could see it being postponed until 7.0

> 1. Maybe we should use 'admin' user credentials and just notify in the UI if credentials are not valid and we can't collect workloads?

We can and should consider the admin credentials invalid and should not use them

Please, share your thoughts.

> On Tue, Feb 10, 2015 at 3:02 AM, Alexander Kislitsky <akislit...@mirantis.com> wrote:
> Folks,
>
> We are collecting OpenStack workloads stats. For authentication in the keystone we are using admin user credentials from Nailgun. Credentials can be changed directly in the OpenStack and we will lose the possibility of fetching information.
>
> This issue can be fixed by creating an additional user account:
>
> 1. I propose to generate additional user credentials after the master node is installed and store them in the master_node_settings table in the Nailgun.
> 2. Add an abstraction layer into
>    https://github.com/stackforge/fuel-web/blob/master/nailgun/nailgun/statistics/utils.py#L47
>    for creating the additional user in the OpenStack if it doesn't exist.
>
> But this additional user can be useful for other purposes and maybe we should save credentials in another place (settings.yaml for example). And maybe creation of the additional user should be implemented outside of the stats collecting feature and maybe outside of Nailgun.
>
> Please share your thoughts on this.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Andrew
Mirantis
Fuel community ambassador
Ceph community