Bug 976394
Summary: | [RFE] Put the keystonerc_admin file in the current working directory for --all-in-one installs (or where client machine is same as local) | | |
---|---|---|---|
Product: | [Community] RDO | Reporter: | Perry Myers <pmyers> |
Component: | openstack-packstack | Assignee: | Martin Magr <mmagr> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | yeylon <yeylon> |
Severity: | low | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | aortega, derekh, mmagr, sandro, sclewis, srevivo, swadeley |
Target Milestone: | --- | Keywords: | FutureFeature |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | openstack-packstack-2013.2.1-0.11.dev806.el6 | Doc Type: | Enhancement |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-03-30 23:06:56 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 990590, 990591 | | |
Bug Blocks: | | | |

Description
Perry Myers
2013-06-20 13:36:47 UTC
Also note, special consideration may need to be taken while writing out the second rc file if the current directory is world read or writeable.

How about ensuring that the file is owned by the current user running packstack and is set to 600 perms?

How about writing the file only once (in /root) and creating a symlink to it?

Perry, if the idea here is to let the user source keystone_rc from current directory, maybe we would want to have a script in user's $PATH sourcing keystone_rc ?
Putting keystone_rc to the directory where the user executes PackStack from could be a security risk as it contains customers' sensitive information.

Arthur

(In reply to Arthur Berezin from comment #4)
> Perry, if the idea here is to let the user source keystone_rc from current
> directory, maybe we would want to have a script in user's $PATH sourcing
> keystone_rc ?
> Putting keystone_rc to the directory where the user executes PackStack from
> could be a security risk as it contains customers' sensitive information.

Let me walk through what users have to do today, and you can see that this is just simply a convenience to eliminate a lot of confusion.

1. Run packstack from non-root user
2. sudo cp /root/keystonerc_demo /root/keystonerc_admin .
3. source keystonerc_admin

Alternatively, the user needs to always perform 'user' operations by su'ing to root first, which is itself not a good idea.

The reason why I suggested this was because we were seeing a lot of questions like "I installed via packstack but I don't know where my rc files are?" even though we print out the location in the packstack output :)

Again, this is only for --allinone installs which by definition are for hobbyists, demos or PoCs. The passwords in these rc files for an allinone install would be randomly generated, and all services are on a single box, so I don't think there is really any risk of exposing company secrets.

We would of course want to use as restrictive a umask as possible for the file (600 probably)

For PoCs/Allinones/Hobbyists/Demos this would be a good solution.

My feedback here is that most openstack deployment would be carried by Linux guys, sourcing a credentials file wouldn't be the "standard" Linux way of gaining permissions and ability to execute admin commands.
I'm suggesting to have a command line tool, that would be under users' path, to gain openstack admin/user credential, something like "chroot", chopenstack or chos maybe ?

(In reply to Arthur Berezin from comment #6)
> For PoCs/Allinones/Hobbyists/Demos this would be a good solution.
>
> My feedback here is that most openstack deployment would be carried by Linux
> guys, sourcing a credentials file wouldn't be the "standard" Linux way of
> gaining permissions and ability to execute admin commands.
> I'm suggesting to have a command line tool, that would be under users' path,
> to gain openstack admin/user credential, something like "chroot",
> chopenstack or chos maybe ?

That's a much larger issue. Sourcing an rc file is the standard way of getting permissions in upstream OpenStack. Packstack is just mirroring what the upstream method is.

(In reply to Perry Myers from comment #5)
> (In reply to Arthur Berezin from comment #4)
<snip>
>
> The reason why I suggested this was because we were seeing a lot of
> questions like "I installed via packstack but I don't know where my rc files
> are?" even though we print out the location in the packstack output :)
>

Hello, does the script actually test to see if the rc files *were* created? I just ran `--allinone` and it had two errors, but still printed out the message:

File /root/keystonerc_admin has been created on OpenStack client host 1.2.3.4

(where 1.2.3.4 is the IP address of my host) yet I cannot find the file. Happy to file new bug if required. Thank you

Message is created and added to final messages when Puppet manifest is created. If packstack fails before the manifest is run, then file won't be created and message will still be printed. Feel free to file new bug.

(In reply to Martin Magr from comment #11)
> Message is created and added to final messages when Puppet manifest is
> created. If packstack fails before the manifest is run, then file won't be
> created and message will still be printed. Feel free to file new bug.

Bug 1269535 - packstack script does not test to see if the rc files *were* created.

Thank you
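
The two concerns raised in this thread (writing a credentials file into a possibly world-writable working directory, and reporting the file as created without checking) can be handled together. The following is an added example, not packstack's own code; the function names, the message wording and the rc content are hypothetical.

```python
import os
import stat


def write_rc_file(directory, name, content):
    """Create `name` in `directory` as a 0600 file owned by the caller.

    Refuses a world-writable directory that lacks the sticky bit, and
    refuses to reuse any existing entry (file or symlink) at the target.
    """
    dir_mode = os.stat(directory).st_mode
    if dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
        raise PermissionError(f"{directory} is world-writable without sticky bit")
    path = os.path.join(directory, name)
    # O_CREAT|O_EXCL fails if anything already exists at path, including a
    # symlink planted by another user; O_NOFOLLOW is defence in depth.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as handle:
        # The mode passed to os.open() is filtered by the umask;
        # fchmod makes it exactly 0600 before any secret is written.
        os.fchmod(handle.fileno(), 0o600)
        handle.write(content)
    return path


def rc_file_message(path):
    """Return a 'created' message only if the file verifiably exists.

    Returns None unless path is a regular file (not a symlink), owned by
    the current user, with no group or other permission bits set.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
        return None
    if stat.S_IMODE(st.st_mode) & 0o077:
        return None
    return f"File {path} has been created"


if __name__ == "__main__":
    # Constructed sample content; a real rc file carries the generated password.
    sample = "export OS_USERNAME=admin\nexport OS_PASSWORD=CONSTRUCTED-PLACEHOLDER\n"
    created = write_rc_file(os.getcwd(), "keystonerc_admin", sample)
    print(rc_file_message(created))
```

Because of `O_EXCL`, a second run in the same directory raises `FileExistsError` rather than overwriting; a caller that wants to refresh the file has to remove the old one explicitly first.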