Description of problem:
If an admin wants to configure heketi's password, the CNS solution should respect that configuration and should spawn the heketi pod with that password.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
I am not sure if it is not documented. This option is already provided.

Heketi allows two passwords or secrets to be set:

1) For general user, password has to be set here.

HEKETI_USER_KEY

# oc process heketi -v HEKETI_USER_KEY="password" | oc create -f -

when accessing from heketi-cli, do

# heketi-cli --user user --secret password --server http://localhost:8080 topology info

2) For admin user, password has to be set here.

HEKETI_ADMIN_KEY

# oc process heketi -v HEKETI_ADMIN_KEY="password" | oc create -f -

when accessing from heketi-cli, do

# heketi-cli --user admin --secret password --server http://localhost:8080 topology info

######################
In heketi perspective:

admin: Has access to all APIs
user: Has access to only Volume APIs

######################

We do not have a configuration support in cns-deploy. We can do that.

Is this what is expected? Or am I missing something?
These are placed as environment variables in the rhgs-volmanager container space and then consumed by heketi.

Refer: https://github.com/heketi/heketi/blob/master/main.go#L69
(In reply to Mohamed Ashiq from comment #2)
> I am not sure if it is not documented. This option is already provided.
>
> Heketi allows two passwords or secrets to be set:
>
> 1) For general user, password has to be set here.
>
> HEKETI_USER_KEY
>
> # oc process heketi -v HEKETI_USER_KEY="password" | oc create -f -
>
> when accessing from heketi-cli, do
>
> # heketi-cli --user user --secret password --server http://localhost:8080 topology info
>
> 2) For admin user, password has to be set here.
>
> HEKETI_ADMIN_KEY
>
> # oc process heketi -v HEKETI_ADMIN_KEY="password" | oc create -f -
>
> when accessing from heketi-cli, do
>
> # heketi-cli --user admin --secret password --server http://localhost:8080 topology info
>
> ######################
> In heketi perspective:
>
> admin: Has access to all APIs
> user: Has access to only Volume APIs
>
> ######################
>
> We do not have a configuration support in cns-deploy. We can do that.
>
> Is this what is expected? Or am I missing something?

Ashiq, exactly, this support is not available in cns-deploy, so admins don't have a way to specify this in any way, as our deployment is handled via cns-deploy.
Patch Upstream for the same: https://github.com/gluster/gluster-kubernetes/pull/205
Heketi supports two types of users:

1) Admin - can access all APIs
2) User - can access only volume APIs

Admin key is a secret, set for the admin access of heketi service. Similar is the user key.

With this fix cns-deploy will allow you to configure the secrets for both admin and user of heketi service.

Syntax:

# cns-deploy --admin-key <Key> --user-key <Key> topology.file

Example:

# cns-deploy --admin-key MySecret --user-key MyOwnSecret topology.json

After deployment:

##################################################################
For ADMIN KEY verification

# heketi-cli --server <RESTurl> --user admin --secret MySecret topology info

Without user and secret, authentication will fail.

You can also set the username and key in environment variables, just like RESTurl:

//Server
export HEKETI_CLI_SERVER=http://path
//User
export HEKETI_CLI_USER=admin
//secret
export HEKETI_CLI_KEY=MySecret

# heketi-cli topology info

This will internally use the environment variables.

##################################################################
For USER KEY verification

# heketi-cli --server <RESTurl> --user user --secret MyOwnSecret volume list

Without user and secret, authentication will fail. This user can access only volume API so only volume commands.

You can also set the username and key in environment variables, just like RESTurl:

//Server
export HEKETI_CLI_SERVER=http://path
//User
export HEKETI_CLI_USER=user
//secret
export HEKETI_CLI_KEY=MyOwnSecret

# heketi-cli volume list

This will internally use the environment variables.

##################################################################

Let me know if you need anything. We will add this in our next build.
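Added example, not part of the comment above and not cns-deploy's own code: a shell helper that generates the admin and user keys as owner-only files and loads the HEKETI_CLI_* variables for one role, so the secrets are never typed at the prompt or saved in shell history. The function names and key directory are hypothetical; the variable names and the --admin-key/--user-key flags are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example. Function names and the key directory are hypothetical;
# the HEKETI_CLI_* variables and cns-deploy flags are those quoted above.

# Write a random 256-bit hex key to <dir>/<role>.key, owner-only.
gen_key() {
    dir=$1; role=$2; f="$dir/$role.key"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Never rewrite an existing key: the file would keep its old mode.
    [ ! -e "$f" ] || { echo "refusing to overwrite $f" >&2; return 1; }
    (
        umask 077
        dd if=/dev/urandom bs=32 count=1 2>/dev/null |
            od -An -v -tx1 | tr -d ' \n' > "$f"
    )
}

# Reject key files that are missing, empty, or open to group/other.
check_key_file() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    case $(ls -l "$1" | cut -c1-10) in
        -r??------) return 0 ;;
        *) echo "permissions too open: $1" >&2; return 1 ;;
    esac
}

# Export the heketi-cli variables for one role without typing the secret.
load_heketi_env() {
    dir=$1; role=$2; server=$3
    case $role in
        admin|user) ;;
        *) echo "role must be admin or user" >&2; return 1 ;;
    esac
    check_key_file "$dir/$role.key" || return 1
    HEKETI_CLI_SERVER=$server
    HEKETI_CLI_USER=$role
    HEKETI_CLI_KEY=$(cat "$dir/$role.key")
    export HEKETI_CLI_SERVER HEKETI_CLI_USER HEKETI_CLI_KEY
}

# Usage (constructed paths):
#   gen_key ./keys admin && gen_key ./keys user
#   cns-deploy --admin-key "$(cat keys/admin.key)" \
#              --user-key "$(cat keys/user.key)" topology.json
#   load_heketi_env ./keys user http://localhost:8080 && heketi-cli volume list
# The keys still appear in cns-deploy's process arguments while it runs.
```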
Moving it to Verified
Hi Ashiq, I have edited the doc text for the errata. Can you please verify the same and let me know if further changes need to be made?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1112