Hey guys. I've been working on making Fuel not to rely on superuser privileges at least for day-to-day operations. These include: a) running Fuel services (nailgun, astute etc) b) user operations (create env, deploy, update, log in)
The reason for this is that many security policies simply do not allow root access (especially remote) to servers/environments. This feature/enhancement means that anything that currently is being run under root, will be evaluated and, if possible, put under a non-privileged user. This also means that remote root access will be disabled. Instead, users will have to log in with "fueladmin" user. Together with Omar <gomarivera> we've put together a blueprint[0] and a spec[1] for this feature. I've been developing this for Fuel 6.1, so there are two patches into fuel-main[2] and fuel-library[3] that can give you an impression of current approach. These patches do following: - Add fuel-admin-user package, which creates 'fueladmin' - Make all other fuel-* packages depend on fuel-admin-user - Put supervisord under 'fueladmin' user. Please review the spec/patches and let's have a discussion on the approach to this feature. Thank you. [0] https://blueprints.launchpad.net/fuel/+spec/fuel-nonsuperuser [1] https://review.openstack.org/243340 [2] https://review.openstack.org/243337 [3] https://review.openstack.org/243313 -- Dmitry Nikishov, Deployment Engineer, Mirantis, Inc.
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev