Re: [openstack-dev] [Sahara] Questions about how Sahara use trust ?
On 07/13/2015 09:40 PM, Li, Chen wrote:
> Hi mike,
> Thanks, this is very helpful.
>
> Summary:
> 1. The purpose of admin user and proxy user are the same => to work without user's own username and password.

sort of, the proxy user is to work without the user's credentials, whereas the admin user needs a trust to operate on the user's project resources (clusters).

> 2. For transient cluster, what sahara needs is to be able to operate.

correct.

> 3. For swift access, using user's own credentials is not safe. Because the credentials are not used by sahara only, they will appear in user space (on the cluster nodes) in the end. Using admin user is silly, doesn't gain any benefit, but creates a much bigger risk.

correct.

> => proxy user must (better to) use proxy user, for security reasons.
> => transient cluster can work both ways, but proxy user introduces extra effects which are not necessary, so admin user is enough.

i would say that is accurate.

mike

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Sahara] Questions about how Sahara use trust ?
On 07/12/2015 09:45 PM, Li, Chen wrote:
> Hi Andrew,
> Thanks for the reply.
>
> Do you mean:
> 1. admin user is used by transient cluster mainly to make it work.
> 2. The proxy user is the more secure way to do the same thing.
>
> Should we use proxy user in all situations then?
> Should this be a bp or just a bug?
>
> Thanks.
> -chen

hi chen,

i think the trusts for the transient clusters serve a different purpose than those for the swift access.

in the case of the swift proxy users, this is a security enhancement for us because in order for hadoop jobs to access swift they must use a set of credentials that are written to the workflow properties for the job. for example, for hadoop-swift.jar to access swift it must have values for:

fs.swift.service.sahara.username
and
fs.swift.service.sahara.password

we wanted to avoid having the user enter their name and password into the data source dialog, storing those values in our database, and then having those values written out to a file on the nodes. to get around this, we created the proxy user whose permissions are limited to the trust and their accounts will expire when the job is finished. in this manner, we limit the vulnerable information that is stored on the nodes.

i hope that makes sense, but please ask more if it does not =)

mike
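The Swift proxy-user flow Mike describes above, as an added example that is not part of the thread and not Sahara's own code: it assembles the Keystone v3 request bodies the pattern needs (throwaway user in the proxy domain, a role-limited and expiring trust from the job owner to that user, a trust-scoped token request as sent from the cluster, and the cleanup calls), renders the hadoop-swift properties the job ends up with, and audits a Hadoop-style properties file as found on a node, flagging a real user's or the admin's password where only a trust-bound proxy identity should be. The proxy domain name, the delegated role name, and the property keys fs.swift.service.sahara.trust.id and fs.swift.service.sahara.domain.name are assumptions; only the username and password keys come from the thread, and the sample XML is constructed.

```python
import secrets
import string
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

PROXY_DOMAIN = "sahara_proxy"   # assumption: the proxy domain configured in sahara.conf
PROXY_ROLES = ("Member",)       # assumption: role(s) delegated through the trust

# Property keys hadoop-swift reads. Username and password are named in the
# thread; the trust id and domain name keys are assumed here.
PROP_USER = "fs.swift.service.sahara.username"
PROP_PASS = "fs.swift.service.sahara.password"
PROP_TRUST = "fs.swift.service.sahara.trust.id"
PROP_DOMAIN = "fs.swift.service.sahara.domain.name"

# Constructed sample (not a real capture) of a properties file on a node for
# a job configured with a real user's own credentials.
SAMPLE_USER_CREDS_XML = """<configuration>
  <property><name>fs.swift.service.sahara.username</name><value>alice</value></property>
  <property><name>fs.swift.service.sahara.password</name><value>alice-password</value></property>
</configuration>"""


def new_proxy_password(length=32):
    """Random password for the throwaway proxy user; no person ever types it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def proxy_user_request(job_id, proxy_domain_id, password):
    """Body for POST /v3/users: a user that exists only in the proxy domain."""
    return {"user": {"name": "job-%s-proxy" % job_id, "domain_id": proxy_domain_id,
                     "password": password, "enabled": True}}


def trust_request(trustor_user_id, trustee_user_id, project_id, ttl_seconds,
                  roles=PROXY_ROLES):
    """Body for POST /v3/OS-TRUST/trusts: the job owner (trustor) delegates
    only the listed roles on one project to the proxy user (trustee), and
    the delegation expires on its own."""
    expires = datetime.now(timezone.utc) + timedelta(seconds=ttl_seconds)
    return {"trust": {"trustor_user_id": trustor_user_id,
                      "trustee_user_id": trustee_user_id,
                      "project_id": project_id,
                      "impersonation": True,
                      "roles": [{"name": r} for r in roles],
                      "expires_at": expires.strftime("%Y-%m-%dT%H:%M:%S.%fZ")}}


def trust_scoped_token_request(username, domain_name, password, trust_id):
    """Body for POST /v3/auth/tokens as sent from the cluster: password auth
    as the proxy user, scoped to the trust rather than to a project."""
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": {"name": username,
                                                        "domain": {"name": domain_name},
                                                        "password": password}}},
                     "scope": {"OS-TRUST:trust": {"id": trust_id}}}}


def cleanup_requests(trust_id, proxy_user_id):
    """Calls issued when the job finishes; afterwards whatever is left on the
    nodes authenticates nothing."""
    return [("DELETE", "/v3/OS-TRUST/trusts/%s" % trust_id),
            ("DELETE", "/v3/users/%s" % proxy_user_id)]


def hadoop_swift_properties(username, password, domain_name, trust_id):
    """The values written into the job's workflow properties."""
    return {PROP_USER: username, PROP_PASS: password,
            PROP_DOMAIN: domain_name, PROP_TRUST: trust_id}


def properties_from_xml(text):
    """Read Hadoop-style <configuration><property><name/><value/></property> XML."""
    root = ET.fromstring(text)
    return {p.findtext("name"): p.findtext("value") for p in root.iter("property")}


def audit_swift_properties(props, proxy_domain=PROXY_DOMAIN):
    """Findings for a property set read off a cluster node. A password on a
    node is acceptable only for a proxy-domain user bound to a trust."""
    findings = []
    if PROP_PASS not in props:
        return findings  # nothing secret was written to the node
    if props.get(PROP_DOMAIN) != proxy_domain:
        findings.append("password belongs to a user outside the proxy domain "
                        "(a real user's or the admin's credentials are on the node)")
    if not props.get(PROP_TRUST):
        findings.append("credentials are not bound to a trust, so they are limited "
                        "neither to the delegated roles nor to the trust lifetime")
    return findings


if __name__ == "__main__":
    pw = new_proxy_password()
    good = hadoop_swift_properties("job-42-proxy", pw, PROXY_DOMAIN, "trust-id-from-keystone")
    print("proxy user properties:", audit_swift_properties(good) or "clean")
    print("user credentials on node:",
          audit_swift_properties(properties_from_xml(SAMPLE_USER_CREDS_XML)))
```

The audit encodes the thread's reasoning rather than a Sahara check: the only secret that should ever reach a node is a proxy-domain password that is useless without the trust it is scoped to, and that trust and user are deleted by the cleanup calls when the job ends.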
Re: [openstack-dev] [Sahara] Questions about how Sahara use trust ?
Hi mike,
Thanks, this is very helpful.

Summary:
1. The purpose of admin user and proxy user are the same => to work without user's own username and password.
2. For transient cluster, what sahara needs is to be able to operate.
3. For swift access, using user's own credentials is not safe. Because the credentials are not used by sahara only, they will appear in user space (on the cluster nodes) in the end. Using admin user is silly, doesn't gain any benefit, but creates a much bigger risk.
=> proxy user must (better to) use proxy user, for security reasons.
=> transient cluster can work both ways, but proxy user introduces extra effects which are not necessary, so admin user is enough.

Thanks.
-chen

-----Original Message-----
From: michael mccune [mailto:m...@redhat.com]
Sent: Tuesday, July 14, 2015 5:25 AM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [Sahara] Questions about how Sahara use trust ?

On 07/12/2015 09:45 PM, Li, Chen wrote:
> Hi Andrew,
> Thanks for the reply.
>
> Do you mean:
> 1. admin user is used by transient cluster mainly to make it work.
> 2. The proxy user is the more secure way to do the same thing.
>
> Should we use proxy user in all situations then?
> Should this be a bp or just a bug?
>
> Thanks.
> -chen

hi chen,

i think the trusts for the transient clusters serve a different purpose than those for the swift access.

in the case of the swift proxy users, this is a security enhancement for us because in order for hadoop jobs to access swift they must use a set of credentials that are written to the workflow properties for the job. for example, for hadoop-swift.jar to access swift it must have values for:

fs.swift.service.sahara.username
and
fs.swift.service.sahara.password

we wanted to avoid having the user enter their name and password into the data source dialog, storing those values in our database, and then having those values written out to a file on the nodes. to get around this, we created the proxy user whose permissions are limited to the trust and their accounts will expire when the job is finished. in this manner, we limit the vulnerable information that is stored on the nodes.

i hope that makes sense, but please ask more if it does not =)

mike
Re: [openstack-dev] [Sahara] Questions about how Sahara use trust ?
Hi Andrew,
Thanks for the reply.

Do you mean:
1. admin user is used by transient cluster mainly to make it work.
2. The proxy user is the more secure way to do the same thing.

Should we use proxy user in all situations then?
Should this be a bp or just a bug?

Thanks.
-chen

From: Andrew Lazarev [mailto:alaza...@mirantis.com]
Sent: Friday, July 10, 2015 11:39 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Sahara] Questions about how Sahara use trust ?

Hi Chen,

As I remember, proxy users were added for security reasons. When one user creates cluster in Sahara he should not get access to data of other users.

Thanks,
Andrew.

On Thu, Jul 9, 2015 at 11:12 PM, Li, Chen <chen...@intel.com> wrote:
> Hi Sahara guys,
>
> When sahara creates a transient cluster, it creates a trust with sahara admin user.
> https://github.com/openstack/sahara/blob/master/sahara/service/ops.py#L239-L240
> https://github.com/openstack/sahara/blob/master/sahara/service/trusts.py#L79
>
> When sahara deals with swift, it creates a trust too, but:
> sahara admin user => create a proxy domain => set in sahara.conf => sahara creates proxy user in the domain => creates a trust with the proxy user.
> https://github.com/openstack/sahara/blob/master/sahara/utils/proxy.py#L110
> https://github.com/openstack/sahara/blob/master/sahara/utils/proxy.py#L265
>
> My questions are:
> Why not use proxy user for transient cluster?
> Or, why is a proxy user needed for swift instead of using sahara admin user directly?
>
> Looking forward to your reply.
> Thanks.
> -chen
[openstack-dev] [Sahara] Questions about how Sahara use trust ?
Hi Sahara guys,

When sahara creates a transient cluster, it creates a trust with sahara admin user.
https://github.com/openstack/sahara/blob/master/sahara/service/ops.py#L239-L240
https://github.com/openstack/sahara/blob/master/sahara/service/trusts.py#L79

When sahara deals with swift, it creates a trust too, but:
sahara admin user => create a proxy domain => set in sahara.conf => sahara creates proxy user in the domain => creates a trust with the proxy user.
https://github.com/openstack/sahara/blob/master/sahara/utils/proxy.py#L110
https://github.com/openstack/sahara/blob/master/sahara/utils/proxy.py#L265

My questions are:
Why not use proxy user for transient cluster?
Or, why is a proxy user needed for swift instead of using sahara admin user directly?

Looking forward to your reply.
Thanks.
-chen
Re: [openstack-dev] [Sahara] Questions about how Sahara use trust ?
Hi Chen,

As I remember, proxy users were added for security reasons. When one user creates cluster in Sahara he should not get access to data of other users.

Thanks,
Andrew.

On Thu, Jul 9, 2015 at 11:12 PM, Li, Chen <chen...@intel.com> wrote:
> Hi Sahara guys,
>
> When sahara creates a transient cluster, it creates a trust with sahara admin user.
> https://github.com/openstack/sahara/blob/master/sahara/service/ops.py#L239-L240
> https://github.com/openstack/sahara/blob/master/sahara/service/trusts.py#L79
>
> When sahara deals with swift, it creates a trust too, but:
> sahara admin user => create a proxy domain => set in sahara.conf => sahara creates proxy user in the domain => creates a trust with the proxy user.
> https://github.com/openstack/sahara/blob/master/sahara/utils/proxy.py#L110
> https://github.com/openstack/sahara/blob/master/sahara/utils/proxy.py#L265
>
> My questions are:
> Why not use proxy user for transient cluster?
> Or, why is a proxy user needed for swift instead of using sahara admin user directly?
>
> Looking forward to your reply.
> Thanks.
> -chen