Bug 2027849

Summary: [RFE] REST APIs for ODF Noobaa accounts credential management
Product: Red Hat OpenShift Data Foundation (Red Hat Storage)
Reporter: Ivan Bodunov <ibodunov>
Component: Multi-Cloud Object Gateway
Assignee: Liran Mauda <lmauda>
Status: CLOSED ERRATA
QA Contact: Ben Eli <belimele>
Severity: urgent
Priority: unspecified
Version: 4.8
CC: achernet, belimele, dmoessne, ebenahar, etamir, gwest, kramdoss, lmauda, mmuench, muagarwa, nbecker, nberry, ocs-bugs, odf-bz-bot, olakra, sarora
Keywords: FutureFeature, RFE
Target Release: ODF 4.11.0
Flags: ibodunov: needinfo-
Hardware: x86_64
OS: Linux
Fixed In Version: 4.11.0-66
Doc Type: Enhancement
Doc Text: Account credentials changeability option. With this release, you have an option that you can invoke externally to change the Multicloud Object Gateway (MCG) default account credentials. You can change and rotate credentials using the command line interface to prevent issues with applications. This option enables you to manage the credentials for all the service accounts in the system. For more details, see "Changing the default account credentials to ensure better security in the Multicloud Object Gateway": https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.11/html-single/managing_hybrid_and_multicloud_resources/index#changing-the-default-account-credentials-to-ensure-better-security-in-the-multicloud-object-gateway_rhodf
Last Closed: 2022-08-24 13:41:41 UTC
Type: Bug
Bug Blocks: 2094357

Description Ivan Bodunov 2021-11-30 21:01:31 UTC
Description of problem (please be as detailed as possible and provide log
snippets):

1) The customer's product has a requirement to manage the credentials for all the service accounts in the system; ODF Noobaa brings an admin account and bucket user accounts.
As part of the product's service account credential management, the product expects to change/rotate the credentials (password, access and secret keys) for these Noobaa accounts periodically or on demand.

This requirement needs REST APIs from Noobaa for the use cases below:
a) Change the Noobaa admin account's access key and secret key
b) Change the Noobaa admin account's password
c) Change a Noobaa bucket account's access key and secret key

What happens if this is not implemented:

ODF Noobaa account credentials are stored in its internal database and are also available in Kubernetes secrets.
ODF Noobaa account credentials can be changed from the Noobaa management UI. But when credentials are changed in the UI, the Kubernetes secrets are not updated, so product applications break when credentials are changed from the UI.
Additionally, the product's credential management application can't offer ODF Noobaa account credential change functionality.

2) The customer product's credential management also stores the service account credentials securely in a Vault database, and provides APIs to product applications to access the credentials.
The product expects a mechanism to retrieve Noobaa account credentials (password, access and secret keys) and store them in its Vault database.

This requirement needs REST APIs from Noobaa for the use cases below, which are considered an alternative to OBC since bucket user credentials need to be stored:
a) create a bucket with configuration such as backing store pool and object versioning
b) create a bucket user account with configured bucket access
c) read user account credentials

What happens if this is not implemented:

ODF Noobaa provides the OBC custom resource to create a bucket; it internally creates a bucket user account and stores the credentials in Kubernetes secrets.
Product applications have to use the Kubernetes secrets to read the credentials and persist them in the product's credential management.
Creating buckets with OBC does not support bucket configuration such as object versioning.


Version of all relevant components (if applicable):
ODF 4.8 and newer

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
Yes

Is there any workaround available to the best of your knowledge?
No


Comment 9 Sonal 2021-12-03 09:36:11 UTC
Hi Liran and Nimrod,

Below are the primary concerns of the customer:

1. On changing the noobaa admin account password from the UI, the password is not updated in the noobaa-admin secret. The password should be updated in the vault store and in the noobaa db as well.

2. How to change the OBC secret keys? Currently, the option to regenerate credentials for the OBC secret in the GUI is grayed out.

Are these taken care of in the PR?

Thanks

Regards,
Sonal Arora

Comment 25 Eran Tamir 2022-02-27 08:11:51 UTC
Ivan, we are planning to provide a KCS with CLI commands. API is not something we want to start documenting at this point in time. 
Please verify it's applicable by the customer and update the BZ accordingly.

Comment 48 Mudit Agarwal 2022-07-01 09:05:33 UTC
Please add doc text

Comment 53 errata-xmlrpc 2022-08-24 13:41:41 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement & bugfix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6155

Comment 54 Red Hat Bugzilla 2023-12-08 04:26:50 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days