Bug 1430859 - Make heketi credentials a configurable value in CNS
Summary: Make heketi credentials a configurable value in CNS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: cns-deploy-tool
Version: cns-3.5
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: CNS 3.5
Assignee: Mohamed Ashiq
QA Contact: Tejas Chaphekar
URL:
Whiteboard:
Depends On:
Blocks: 1415600
Reported: 2017-03-09 17:45 UTC by Humble Chirammal
Modified: 2019-02-13 09:40 UTC (History)

Fixed In Version: cns-deploy-4.0.0-7.el7rhgs
Doc Type: Enhancement
Doc Text:
Previously, there was no option to set the heketi admin user secret when deploying Container Native Storage. With this release, administrators have an option to create a secret that will be used for authentication when accessing Heketi. CNS-deploy now allows setting the secret for the heketi "admin" user for volmanager (heketi container), which is created in the deployment process.
Clone Of:
: 1441708 (view as bug list)
Environment:
Last Closed: 2017-04-20 18:27:20 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1406344 unspecified CLOSED [cns-deploy] When using service account, No need to specify the Namespace in oc process for heketi deployment 2020-10-14 00:28:05 UTC
Red Hat Product Errata RHEA-2017:1112 normal SHIPPED_LIVE cns-deploy-tool bug fix and enhancement update 2017-04-20 22:25:47 UTC

Internal Links: 1406344

Description Humble Chirammal 2017-03-09 17:45:47 UTC
Description of problem:

If an admin wants to configure heketi's password, the CNS solution should respect that configuration and should spawn the heketi pod with that password.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Mohamed Ashiq 2017-03-10 06:39:06 UTC
I am not sure if it is not documented. This option is already provided.

Heketi allows two passwords or secrets to be set:

1) For general user, password has to be set here.

HEKETI_USER_KEY

# oc process heketi -v HEKETI_USER_KEY="password" | oc create -f -

when accessing from heketi-cli, do 

# heketi-cli --user user --secret password --server http://localhost:8080 topology info

2) For admin user, password has to be set here.

HEKETI_ADMIN_KEY

# oc process heketi -v HEKETI_ADMIN_KEY="password" | oc create -f -

when accessing from heketi-cli, do 

# heketi-cli --user admin --secret password --server http://localhost:8080 topology info

######################
In heketi perspective:

admin: Has access to all APIs
user: Has access to only Volume APIs

######################

We do not have configuration support in cns-deploy. We can do that.

Is this what is expected? Or am I missing something?

Comment 3 Mohamed Ashiq 2017-03-10 06:40:41 UTC
These are placed as environment variables in the rhgs-volmanager container space and then consumed by heketi.

Refer: https://github.com/heketi/heketi/blob/master/main.go#L69

Comment 4 Humble Chirammal 2017-03-10 10:43:52 UTC
(In reply to Mohamed Ashiq from comment #2)
> I am not sure if it is not documented. This option is already provided.
> 
> Heketi allows two passwords or secrets to be set:
> 
> 1) For general user, password has to be set here.
> 
> HEKETI_USER_KEY
> 
> # oc process heketi -v HEKETI_USER_KEY="password" | oc create -f -
> 
> when accessing from heketi-cli, do 
> 
> # heketi-cli --user user --secret password --server http://localhost:8080
> topology info
> 
> 2) For admin user, password has to be set here.
> 
> HEKETI_ADMIN_KEY
> 
> # oc process heketi -v HEKETI_ADMIN_KEY="password" | oc create -f -
> 
> when accessing from heketi-cli, do 
> 
> # heketi-cli --user admin --secret password --server http://localhost:8080
> topology info
> 
> ######################
> In heketi perspective:
> 
> admin: Has access to all APIs
> user: Has access to only Volume APIs
> 
> ######################
> 
> We do not have configuration support in cns-deploy. We can do that.
> 
> Is this what is expected? Or am I missing something?

Ashiq, exactly. This support is not available in cns-deploy, so the admin doesn't have a way to specify this, as our deployment is handled via cns-deploy.

Comment 5 Mohamed Ashiq 2017-03-22 11:17:34 UTC
Patch Upstream for the same:

https://github.com/gluster/gluster-kubernetes/pull/205

Comment 9 Mohamed Ashiq 2017-03-24 11:16:11 UTC
Heketi supports two types of users:
1) Admin - can access all APIs
2) User - can access only volume APIs

The admin key is a secret set for admin access to the heketi service. The user key is similar.


With this fix cns-deploy will allow you to configure the secrets for both admin and user of heketi service.

Syntax:
# cns-deploy --admin-key <Key> --user-key <Key> topology.file

Example:
# cns-deploy --admin-key MySecret --user-key MyOwnSecret topology.json

After deployment:
##################################################################
For ADMIN KEY verification

# heketi-cli --server <RESTurl> --user admin --secret MySecret topology info

Without user and secret, authentication will fail.

You can also set the username and key in environment variables, just like the RESTurl

//Server
export HEKETI_CLI_SERVER=http://path

//User 
export HEKETI_CLI_USER=admin

//secret
export HEKETI_CLI_KEY=MySecret

# heketi-cli topology info

This will internally use the environment variables.

##################################################################

For USER KEY verification

# heketi-cli --server <RESTurl> --user user --secret MyOwnSecret volume list

Without user and secret, authentication will fail. This user can access only the volume API, so only volume commands.

You can also set the username and key in environment variables, just like the RESTurl

//Server
export HEKETI_CLI_SERVER=http://path

//User 
export HEKETI_CLI_USER=user

//secret
export HEKETI_CLI_KEY=MyOwnSecret

# heketi-cli volume list

This will internally use the environment variables.

##################################################################

Let me know if you need anything. We will add this in our next build.
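
Added example, not part of the original comment or of cns-deploy: one way to produce distinct random values for --admin-key and --user-key and to keep the HEKETI_CLI_* settings described above in an owner-only file instead of typing them into the shell. The function names, file paths and 32-byte key length are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. File paths and the 32-byte key
# length are assumptions; only the HEKETI_CLI_* names and the cns-deploy
# flags come from the comments above.

# Print a 64-character hex key built from 32 bytes of kernel randomness.
gen_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Reject key pairs that are short or shared between the two roles.
# $1 = admin key, $2 = user key; returns 0 only if both pass.
keys_ok() {
    [ "${#1}" -ge 32 ] && [ "${#2}" -ge 32 ] && [ "$1" != "$2" ]
}

# Write an owner-only (0600) env file that heketi-cli can pick up.
# $1 = file, $2 = heketi user (admin|user), $3 = key, $4 = server URL
write_cli_env() {
    case "$2" in admin|user) ;; *) return 2 ;; esac
    (
        umask 077
        rm -f "$1"
        {
            printf "export HEKETI_CLI_SERVER='%s'\n" "$4"
            printf "export HEKETI_CLI_USER='%s'\n" "$2"
            printf "export HEKETI_CLI_KEY='%s'\n" "$3"
        } > "$1"
    )
}

# Typical use (commented out so the block has no side effects):
#   ADMIN_KEY=$(gen_key); USER_KEY=$(gen_key)
#   keys_ok "$ADMIN_KEY" "$USER_KEY" || exit 1
#   cns-deploy --admin-key "$ADMIN_KEY" --user-key "$USER_KEY" topology.json
#   write_cli_env "$HOME/.heketi-admin.env" admin "$ADMIN_KEY" "<RESTurl>"
#   . "$HOME/.heketi-admin.env" && heketi-cli topology info
```

Keys passed with --admin-key and --user-key are still visible in the process list while cns-deploy runs, so the env file only protects later heketi-cli use.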

Comment 13 Prasanth 2017-04-12 13:55:56 UTC
Moving it to Verified

Comment 15 Bhavana 2017-04-18 07:29:16 UTC
Hi Ashiq,

I have edited the doc text for the errata. Can you please verify the same and let me know if further changes need to be made.

Comment 16 errata-xmlrpc 2017-04-20 18:27:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1112

