Bug 1042161

Summary: [RFE][heat]: Domain isolated users for in-instance credentials
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: openstack-heat
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Amit Ugol <augol>
Severity: high
Priority: urgent
Version: unspecified
CC: ajeain, markmc, mlopes, sbaker, sdake, shardy, yeylon
Target Milestone: ga
Keywords: FutureFeature
Target Release: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/heat/+spec/instance-users
Whiteboard: upstream_milestone_icehouse-rc1 upstream_status_implemented upstream_definition_approved
Doc Type: Enhancement
Doc Text:
This enhancement removes the requirement of an Authentication user for in-instance credentials. As a result, security is improved, and auto-scaling and waitconditions are available for non-administrative users. This behavioral change is expected to be transparent to the user.
Story Points: ---
Last Closed: 2014-07-22 19:09:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description RHOS Integration 2013-12-12 21:14:29 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/heat/+spec/instance-users.

Description:

Currently we create a new keystone user for every WaitConditionHandle resource, and every User/AccessKey resource - this is clearly suboptimal and doesn't scale, so we need to figure out a better way, working with the keystone devs as I'm fairly sure we'll need some new keystone features to do this better (maybe the ability to create ec2 keypairs from a trust token, and the ability to create implicitly unprivileged identities based on trusts) 

Specification URL (additional information):

None

Comment 4 Steven Hardy 2014-04-09 13:17:22 UTC
Updating title as the upstream BP title/description changed after this was raised:

Currently we create a new keystone user for every WaitConditionHandle resource, and every User/AccessKey resource, in the same tenant/project as the stack owning user.

We need to remove the requirement to be a keystone admin (which is required to create the users) while still providing users who are not directly associated with the stack owning user (to limit the impact in the event of a compromised instance), so create these users in a separate heat specific domain (as the heat service user). This still provides the necessary isolation but avoids the requirement to create users in the real user domain.

This could also provide a solution to the requirement for ec2 signed requests (which we don't want for native resources), e.g. initially by deploying the username and a randomly generated password and in future maybe x509 certificates.

Also see https://wiki.openstack.org/wiki/Heat/Blueprints/InstanceUsers, option (2) is what has been implemented.
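
A defender-side check for the configuration this design implies, added here as an example and not taken from the bug or from Heat's own code: it parses a heat.conf and reports whether in-instance users will be created in a separate stack domain or fall back to the stack owner's own project. The option names (stack_user_domain, stack_domain_admin, stack_domain_admin_password) are assumed to be the Icehouse-era heat.conf settings, and the sample values are constructed placeholders.

```shell
# Added example (not from this bug or the Heat project). Option names are the
# Icehouse-era heat.conf settings and are assumed here; sample values below are
# constructed placeholders, not real domain IDs or secrets.

# conf_get FILE KEY: print KEY's value from the [DEFAULT] section, or nothing.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_default = ($0 ~ /^[[:space:]]*\[DEFAULT\]/); next }
        in_default && ($0 ~ ("^[[:space:]]*" key "[[:space:]]*=")) {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# check_domain_isolation FILE: return 0 when all three options are set, so
# in-instance users land in the isolated heat domain; return 1 when any is
# missing (legacy mode: users created in the stack owner's project, which
# needs keystone admin and puts the credentials next to the real user).
check_domain_isolation() {
    for key in stack_user_domain stack_domain_admin stack_domain_admin_password; do
        [ -n "$(conf_get "$1" "$key")" ] || { echo "missing: $key" >&2; return 1; }
    done
    return 0
}

# Constructed sample: no stack domain configured (legacy behaviour).
weak_conf() {
    cat <<'EOF'
[DEFAULT]
auth_encryption_key = notgood
EOF
}

# Constructed sample: separate stack domain and domain-admin credentials set.
hardened_conf() {
    cat <<'EOF'
[DEFAULT]
stack_user_domain = 0123456789abcdef0123456789abcdef
stack_domain_admin = heat_domain_admin
stack_domain_admin_password = PLACEHOLDER-CHANGE-ME
EOF
}

# Stand-alone demo: write both samples to temp files and report each verdict.
for name in weak_conf hardened_conf; do
    f=$(mktemp); "$name" > "$f"
    if check_domain_isolation "$f"; then echo "$name: isolated domain configured"; else echo "$name: legacy per-project users"; fi
    rm -f "$f"
done
```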

Comment 5 Steven Hardy 2014-05-27 08:28:39 UTC
Related bugs for additional context:

Packstack updates:

https://bugzilla.redhat.com/show_bug.cgi?id=1076172

Docs updates:

https://bugzilla.redhat.com/show_bug.cgi?id=1076611