Re: [openstack-dev] [Fuel] Additional user account in the OpenStack for fetching OpenStack workloads

2015-02-19 Thread Andrew Woodward
We should assume that the admin credentials are already invalid. We have
some possible options that I can think of:

- Create an additional user. The risk here is that it will be deleted,
  disabled or re-keyed, the same as with admin.
- Use the existing service accounts (nova, neutron, keystone, cinder) (this
  is the plan for removing deps on ~/openrc)


> The questions are:
>
>    1. Does anybody have a feature which also requires an additional
>    OpenStack user?

moving from admin / openrc back to service accounts

>    1. We need only read-only access for fetching workloads. But if anybody
>    wants to use this user for other tasks, we can grant the required rights
>    to the user. Should we create the user with full access or restrict them
>    to read-only access?

read only would be preferred, we should have the least amount of access
possible to complete the snooping. It reduces attack surfaces.

>    1. Should the credentials of the user be the same for all environments?

I would attempt to keep them unique per env

>    1. Where is the best place for storing the credentials of the user? DB or
>    yaml?

It will have to be sent to the yaml in order to get the deployment task to
create it, but you will also want to store it in the db.

>    1. Should we have a UI for changing credentials?

Yes, we should probably be able to change the credential, however I could
see it being postponed until 7.0

>    1. Maybe we should use 'admin' user credentials and just notify in
>    the UI if the credentials are not valid and we can't collect workloads?

We can and should consider the admin credentials invalid and should not
use them

> Please, share your thoughts.



On Tue, Feb 10, 2015 at 3:02 AM, Alexander Kislitsky <akislit...@mirantis.com> wrote:

> Folks,
>
> We are collecting OpenStack workloads stats. For authentication in the
> keystone we are using admin user credentials from Nailgun. Credentials can
> be changed directly in the OpenStack and we will lose the possibility of
> fetching information.
>
> This issue can be fixed by creating an additional user account:
>
>    1. I propose to generate additional user credentials after the master node
>    is installed and store them in the master_node_settings table in the Nailgun.
>    2. Add an abstraction layer into
>    https://github.com/stackforge/fuel-web/blob/master/nailgun/nailgun/statistics/utils.py#L47
>    for creating the additional user in the OpenStack if it doesn't exist.
>
> But this additional user can be useful for other purposes and maybe we
> should save the credentials in another place (settings.yaml for example). And
> maybe creation of the additional user should be implemented outside of the stats
> collecting feature and maybe outside of Nailgun.
>
> Please share your thoughts on this.
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Andrew
Mirantis
Fuel community ambassador
Ceph community


[openstack-dev] [Fuel] Additional user account in the OpenStack for fetching OpenStack workloads

2015-02-10 Thread Alexander Kislitsky
Folks,

We are collecting OpenStack workloads stats. For authentication in the
keystone we are using admin user credentials from Nailgun. Credentials can
be changed directly in the OpenStack and we will lose the possibility of
fetching information.

This issue can be fixed by creating an additional user account:

   1. I propose to generate additional user credentials after the master node
   is installed and store them in the master_node_settings table in the Nailgun.
   2. Add an abstraction layer into
   https://github.com/stackforge/fuel-web/blob/master/nailgun/nailgun/statistics/utils.py#L47
   for creating the additional user in the OpenStack if it doesn't exist.

But this additional user can be useful for other purposes and maybe we
should save the credentials in another place (settings.yaml for example). And
maybe creation of the additional user should be implemented outside of the stats
collecting feature and maybe outside of Nailgun.

Please share your thoughts on this.