Page MenuHomePhabricator
Create Task
Maniphest T104588

Give 'novaobserver' keystone account rights to read everything, everywhere, write or change nothing
Closed, ResolvedPublic
Actions

Description

It's fairly straightforward to create an 'observer' role and edit the policy.json files to allow it to read things.

In Icehouse, though, roles are per-project which means we'd have to add the novaobserver user and role to every project and every newly created project.

In Kilo (or Liberty?) there are keystone 'domains' that allow privs to be assigned to groups of projects. So, deferring this pending an OpenStack upgrade.

Details

SubjectRepoBranchLines +/-
Update keystone policy.json to allow the 'observer' role to observe.operations/puppetproduction+5 -3
Openstack: Added a custom keystone/policy.jsonoperations/puppetproduction+205 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT138150 Purge stale data from LDAP
 ResolvedAndrewT148781 Clean up ldap host entries and references
 ResolvedKrenairT108625 Remove reliance on ldap $::projectid from shinkengen
 ResolvedAndrewT42022 Add icinga checks for all nova, glance, and keystone related services
 OpenNoneT90784 Monitor nova-scheduler log for lost contact with compute nodes
 ResolvedAndrewT104575 Don't rely on wikitech API for production services
 ResolvedAndrewT104588 Give 'novaobserver' keystone account rights to read everything, everywhere, write or change nothing
 ResolvedAndrewT104586 upgrade to Openstack Kilo
 ResolvedAndrewT104587 Upgrade Labs to Openstack Juno
 ResolvedAndrewT90821 Upgrade labs cluster to Trusty
 ResolvedAndrewT90822 Upgrade Labs Compute nodes to Trusty
 ResolvedAndrewT90823 Upgrade labs network node to trusty
 ResolvedAndrewT99701 Setup/Install/Deploy labnet1002
 ResolvedRobHT98740 labnet1002
 Resolved CmjohnsonT99702 relocate WMF3153 (now labnet1002) from row C to B
 Resolved CmjohnsonT102131 check labnet1002 for pci slot space
 ResolvedAndrewT109329 Try to fail over to labnet1002
 ResolvedAndrewT109653 move nova api to labnet1002
 ResolvedAndrewT90824 Upgrade labs controller to Trusty
 ResolvedAndrewT98226 Glance image files are only stored on virt1000
 DeclinedNoneT115026 Support a multi-domain model in keystone
 ResolvedAndrewT115027 switch to keystone api v3
 ResolvedAndrewT115029 Move project membership/assignment from ldap to keystone mysql
 ResolvedAndrewT117610 Make designate able to pull the project name from a project ID
 ResolvedAndrewT126765 Lock down access for new keystone role model

Event Timeline

Andrew created this task.Jul 2 2015, 5:02 PM
Andrew claimed this task.
Andrew raised the priority of this task from to Needs Triage.
Andrew updated the task description. (Show Details)
Andrew added projects: Cloud-VPS, Cloud-Services.
Andrew added a subtask: T104586: upgrade to Openstack Kilo.
Andrew added subscribers: Krenair, yuvipanda, Aklapper, Andrew.
Andrew added a comment.Jul 2 2015, 5:30 PM

Apparently "@" in a policy file allows universal access.

Andrew added a parent task: T90784: Monitor nova-scheduler log for lost contact with compute nodes.Jul 14 2015, 3:56 PM
Andrew triaged this task as Medium priority.Jul 14 2015, 5:25 PM
Andrew set Security to None.
yuvipanda added a comment.Jul 14 2015, 5:25 PM

w00t!

Andrew added a parent task: T108625: Remove reliance on ldap $::projectid from shinkengen.Aug 10 2015, 8:51 PM
Andrew closed subtask T104586: upgrade to Openstack Kilo as Resolved.Sep 21 2015, 4:27 PM
Andrew added a project: labs-sprint-117.Oct 2 2015, 2:56 PM
gerritbot subscribed.Oct 7 2015, 5:48 PM

Change 244215 had a related patch set uploaded (by Andrew Bogott):
Openstack: Added a custom keystone/policy.json

https://gerrit.wikimedia.org/r/244215

gerritbot added a project: Patch-For-Review.Oct 7 2015, 5:48 PM
gerritbot added a comment.Oct 7 2015, 5:51 PM

Change 244215 merged by Andrew Bogott:
Openstack: Added a custom keystone/policy.json

https://gerrit.wikimedia.org/r/244215

Andrew mentioned this in rOPUPa2c22e4ba507: Openstack: Added a custom keystone/policy.json.Oct 7 2015, 5:52 PM
Andrew added a comment.Oct 7 2015, 6:29 PM

I just upgraded us to keystone v3 api, which should allow us to use domains.

Andrew added a comment.Oct 8 2015, 4:49 PM

...and... downgraded.

Andrew moved this task from To do to Code Review/Blocked on the labs-sprint-117 board.Oct 26 2015, 3:27 PM
gerritbot added a comment.Nov 4 2015, 10:57 PM

Change 251151 had a related patch set uploaded (by Andrew Bogott):
Update keystone policy.json to allow the 'observer' role to observe.

https://gerrit.wikimedia.org/r/251151

gerritbot added a comment.Nov 5 2015, 12:33 AM

Change 251151 merged by Andrew Bogott:
Update keystone policy.json to allow the 'observer' role to observe.

https://gerrit.wikimedia.org/r/251151

Andrew added a comment.Nov 9 2015, 5:46 PM

Note that I plan to make the creds for this user 100% public.

Andrew removed Andrew as the assignee of this task.Nov 16 2015, 5:52 PM
AlexMonk-WMF subscribed.Aug 15 2016, 2:57 AM

Would we want to allow labs instances to access keystone (or even designate)? Note that we currently allow them to connect to nova-api, though I don't think it'll let them do much without keystone access.

AlexMonk-WMF mentioned this in T143136: Dump instance info as a static file updated periodically.Nov 6 2016, 8:54 AM
Andrew closed subtask T115026: Support a multi-domain model in keystone as Declined.Jan 17 2017, 8:04 PM
Andrew closed this task as Resolved.Jan 17 2017, 8:06 PM
Andrew claimed this task.

This works!

Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL