Re: [openstack-dev] [Sahara] Why Sahara request user to give username/password for accessing the job binary in Swift ?

2015-07-06 Thread michael mccune

hi chen, responses inline

On 07/06/2015 04:38 AM, Li, Chen wrote:

Thanks. This is very helpful.

A few more questions about how to configure this:

1.  What should be set in [keystone_authtoken] in sahara.conf?
   Looking at the code at
https://github.com/openstack/sahara/blob/master/sahara/utils/proxy.py#L165,
   it looks like admin_user & admin_password & admin_tenant_name must be set,
and the proxy domain must be created by the admin_user.
   But after a clean devstack installation, my sahara.conf only has:
 [keystone_authtoken]
 signing_dir = /var/cache/sahara
 cafile = /opt/stack/data/ca-bundle.pem
 auth_uri = http://192.168.6.91:5000
 project_domain_id = default
 project_name = service
 user_domain_id = default
 password = 123456
 username = sahara
 auth_url = http://192.168.6.91:35357
 auth_plugin = password

   I'm really confused, these configurations all look very similar.



that's a good question, i'm not sure what devstack does by default when 
creating sahara's configuration. i notice that in my local configuration 
file i do have values for admin_user, admin_password, and 
admin_tenant_name, but these were not generated by devstack. i wonder if 
we have an error or perhaps there are default values for these?


as for the proxy domain options, use_domain_for_proxy_users and 
proxy_user_domain_name, these must be added by the administrator (you) 
for devstack, and they must be in the DEFAULT section. in devstack you 
could set these parameters by adjusting your local.conf to contain 
something like:



[[post-config|$SAHARA_CONF_FILE]]
[DEFAULT]
use_domain_for_proxy_users=True
proxy_user_domain_name=sahara_proxy


of course, changing "sahara_proxy" to the name of the proxy domain you 
have created for use.




2. Do other configurations need to be set?
 Such as:
 [DEFAULT]
use_identity_api_v3 = True


i think using v3 is a good idea with this feature. i haven't tested it 
in v2, but i probably should and make some notes to the documentation 
accordingly. thanks!



regards,
mike


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
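One way to check the settings discussed above, as an added example rather than code from Sahara or the thread: a Python audit of a sahara.conf for the [DEFAULT] proxy-domain options and the [keystone_authtoken] admin credentials. The rule that admin_user, admin_password and admin_tenant_name are required once proxy domains are enabled is an assumption drawn from the proxy.py reference in the thread, and the sample configuration is constructed.

```python
"""Audit a sahara.conf for the proxy-domain settings discussed in this thread.
Added example, not Sahara's code. Assumption (from the proxy.py reference in the
thread): with proxy domains on, [keystone_authtoken] needs the admin_* keys."""
import configparser

# Constructed sahara.conf modelled on the devstack-generated one quoted above,
# with the proxy-domain options added to [DEFAULT].
SAMPLE_CONF = """
[DEFAULT]
use_domain_for_proxy_users = True
proxy_user_domain_name = sahara_proxy
use_identity_api_v3 = True
[keystone_authtoken]
auth_url = http://192.168.6.91:35357
auth_plugin = password
username = sahara
password = 123456
project_name = service
"""

PROXY_ADMIN_KEYS = ("admin_user", "admin_password", "admin_tenant_name")


def audit_proxy_config(conf_text):
    """Return a list of findings; an empty list means the proxy setup is complete."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    default = cp["DEFAULT"]
    findings = []
    if not default.getboolean("use_domain_for_proxy_users", fallback=False):
        # Without proxy domains, users' Swift credentials end up in sahara's DB.
        findings.append("proxy domains disabled: user credentials will be stored in sahara's database")
        return findings
    domain = default.get("proxy_user_domain_name", "").strip()
    if not domain:
        findings.append("use_domain_for_proxy_users=True but proxy_user_domain_name is unset")
    elif domain.lower() == "default":
        # A dedicated domain keeps proxy users separate from real users.
        findings.append("proxy_user_domain_name should be a dedicated domain, not 'default'")
    if not default.getboolean("use_identity_api_v3", fallback=False):
        findings.append("use_identity_api_v3 is not True; proxy domains need the v3 identity API")
    # Assumed requirement: sahara manages proxy users with these admin credentials.
    auth = cp["keystone_authtoken"] if cp.has_section("keystone_authtoken") else {}
    missing = [k for k in PROXY_ADMIN_KEYS if not auth.get(k)]
    if missing:
        findings.append("[keystone_authtoken] missing " + ", ".join(missing))
    return findings
```

Run against the constructed sample it reports only the missing admin_* keys, which matches the devstack-generated file quoted in the thread.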


Re: [openstack-dev] [Sahara] Why Sahara request user to give username/password for accessing the job binary in Swift ?

2015-07-06 Thread Li, Chen
Thanks. This is very helpful.

A few more questions about how to configure this:

1.  What should be set in [keystone_authtoken] in sahara.conf?
  Looking at the code at
https://github.com/openstack/sahara/blob/master/sahara/utils/proxy.py#L165,
  it looks like admin_user & admin_password & admin_tenant_name must be set,
and the proxy domain must be created by the admin_user.
  But after a clean devstack installation, my sahara.conf only has:
[keystone_authtoken]
signing_dir = /var/cache/sahara
cafile = /opt/stack/data/ca-bundle.pem
auth_uri = http://192.168.6.91:5000
project_domain_id = default
project_name = service
user_domain_id = default
password = 123456
username = sahara
auth_url = http://192.168.6.91:35357
auth_plugin = password

  I'm really confused, these configurations all look very similar.

2. Do other configurations need to be set?
Such as:
[DEFAULT]
   use_identity_api_v3 = True


Thanks.
-chen




Re: [openstack-dev] [Sahara] Why Sahara request user to give username/password for accessing the job binary in Swift ?

2015-06-26 Thread michael mccune

On 06/25/2015 09:54 PM, Li, Chen wrote:

Thanks for the reply.

My puzzle here is:
I create containers & objects on my own, so why can other users access
them?

As mentioned in your article[1], the domain "sahara_proxy" is created by user "admin" in
project "openstack".
But I'm working under user "demo" in project "demo", and other people are in
other projects with other users.


those are good questions Chen.

to address your puzzle, if you create containers/objects in your own 
project then others cannot access them without your credentials. but 
keep in mind that any user in your project can also view those objects.


there are 2 main reasons we created the proxy domain feature

1. increase security. by using proxy domains, sahara is not responsible 
for storing a user's credentials in its database, or distributing them 
to the nodes of the cluster.


2. convenience. when creating several job binaries and data sources you 
will need to enter credentials for each one. this is not necessary with 
the proxy domain usage.



with that being said, it may not be a feature that fits well with your 
usage pattern.


as to the question about "admin" project versus "demo" project, the 
domain is an extra layer of scoping that can be applied to tokens. it 
does not map 1:1 with projects as it is at a different layer than the 
project scoping. so, it is possible to have users from different domains 
accessing the same project, in this case by using trusts.


on the security issue, using proxy users also helps to create another 
layer of separation in the event that an intruder were able to gain the 
credentials stored in sahara or on the cluster nodes.


for example, if not using proxy domains, a user will store their 
credentials in sahara's database to access their objects. if an intruder 
learns this information they will have access to everything that the 
user does. but, if using proxy domains then the only credentials to be 
gained are those of the proxy user which has its permissions limited by 
the trust. additionally the trust will be removed when the job is complete.


i hope this clears things up =)

regards,
mike



Re: [openstack-dev] [Sahara] Why Sahara request user to give username/password for accessing the job binary in Swift ?

2015-06-25 Thread Li, Chen
Thanks for the reply.

My puzzle here is:
I create containers & objects on my own, so why can other users access
them?

As mentioned in your article[1], the domain "sahara_proxy" is created by user
"admin" in project "openstack".
But I'm working under user "demo" in project "demo", and other people are in
other projects with other users.

Thanks.
-chen




Re: [openstack-dev] [Sahara] Why Sahara request user to give username/password for accessing the job binary in Swift ?

2015-06-25 Thread michael mccune

hi Chen,

i agree with what Sergey has said, also i have posted a small article[1] 
about how i configure proxy domains. i hope this may help clear the 
confusion surrounding this feature.


regards,
mike

[1]: 
https://elmiko.github.io/2015/06/25/configuring-sahara-with-proxy-domains.html




Re: [openstack-dev] [Sahara] Why Sahara request user to give username/password for accessing the job binary in Swift ?

2015-06-25 Thread Sergey Lukjanov
Hi,

Sahara doesn't have the user's username and password, only the user's token,
which could expire after some time. The simplest installation requires you to
specify credentials explicitly, but you could configure Sahara to access
Swift using a proxy user and trusts; more info is in the docs:
http://docs.openstack.org/developer/sahara/userdoc/advanced.configuration.guide.html#object-storage-access-using-proxy-users

In this case, you don't need to specify credentials at all: Sahara will
create a trust for you and will use it to grant the needed permissions to an
automatically created user, which will be passed to the Hadoop cluster to be
used to access data in Swift.

Thanks.



-- 
Sincerely yours,
Sergey Lukjanov
Sahara Technical Lead
(OpenStack Data Processing)
Principal Software Engineer
Mirantis Inc.


[openstack-dev] [Sahara] Why Sahara request user to give username/password for accessing the job binary in Swift ?

2015-06-25 Thread Li, Chen
Hi Sahara,

I'm working in the UI.
I have a tenant "demo", with two users: admin (role = admin) & demo.
I'm working as user "demo".

When I try to create a datasource, it asks me to add a username and password for
swift.

My question is:
Why didn't Sahara use the current username ("demo") and password to access swift
directly, like it accesses keystone/Heat/Glance and other services?

And, how does the proxy user work?
I'm really confused about this:
http://docs.openstack.org/developer/sahara/userdoc/advanced.configuration.guide.html#object-storage-access-using-proxy-users

Thanks.
-chen
