Page MenuHomePhabricator
Create Task
Maniphest T150092

Provide read-only access to OpenStack APIs from WMF IP space
Closed, ResolvedPublic
Actions

Description

We're moving more and more OpenStack data out of ldap and into proper OpenStack services. That's good, but it means that public ldap credentials are no longer adequate to do things like enumerate all instances in all projects. This has broken several tools -- for example, watroles.

There are a few hacks to provide this information, most obviously the 'wikitech API'. The right solution, though, is just to provide access to OpenStack APIs from within labs.

  • implement login ACLs so that labs machines can get tokens only for select users (for the time being, just novaobserver)
  • Open up firewalls, routes, etc so that labs instances can hit the non-admin Nova, Glance and Keystone APIs. (Actually the Nova api is already reachable from labs, although useless without keystone tokens)
  • Insert a 'novaobserver' account into every project
  • Provide PUBLIC username/password credentials for the novaobserver account

With this setup users will also be able to use their horizon login to manipulate projects from within Labs. I'm pretty sure that's a feature and not a bug, although it will provide a way to bypass 2fa for such operations. /Maybe/ we want to enforce 2fa for all users that aren't novaadmin or novaobserver.

Thanks to the ACLs, this means that individual user logins are still only useful when logging in from horizon or wikitech; they'll still be blocked from within Labs (and firewalled _and_ blocked from the rest of the internet). The only account that will work is novaobserver, which will not have any explicit roles set on any projects. That means that 'observer' creds can only be used to do things that are entirely unrestricted by nova or keystone policy.

Details

SubjectRepoBranchLines +/-
Add clientlib.pp and mwopenstackclients.pyoperations/puppetproduction+167 -9
Add export OS_INTERFACE=public to observerenvoperations/puppetproduction+1 -0
Keystone: refactor observerenv.shoperations/puppetproduction+62 -34
Labs hiera: Include private labs.yaml in hiera searchoperations/puppetproduction+1 -0
Add novaconfig to labs.yamloperations/puppetproduction+19 -0
Add labs.yaml to labs/privatelabs/privatemaster+6 -0
Keystone: Publish credentials for novaobserver accountlabs/privatemaster+2 -0
Designate policy: Add public read-only accessoperations/puppetproduction+26 -26
Add clientlib.pp and mwopenstackclients.pyoperations/puppetproduction+169 -9
Novaobserver: novaobserver isn't in the admin project.operations/puppetproduction+1 -1
Add $wgOpenStackHiddenUsernames global arraymediawiki/extensions/OpenStackManagermaster+9 -1
wmfkeystonehooks: Don't bother adding novaobserver to projectsoperations/puppetproduction+0 -24
Labs ldap: Hide the novaobserver account from everyone but keystoneoperations/puppetproduction+7 -0
Keystone: add 'observer' domainoperations/puppetproduction+24 -0
Labs: Add observerenv.sh, helper script for read-only credsoperations/puppetproduction+19 -0
Keystone: open up firewall to allow labs access to keystone APIoperations/puppetproduction+18 -7
Make compute:get fully publicoperations/puppetproduction+2 -2
Keystone: Make the project list publicoperations/puppetproduction+2 -2
Keystone: remove explicit observer rightsoperations/puppetproduction+0 -4
Check password/ip whitelist for wmtotp.operations/puppetproduction+6 -0
Keystone: Limit password auth to certain hosts and users.operations/puppetproduction+92 -0
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

Andrew created this task.Nov 5 2016, 4:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 5 2016, 4:15 PM
Andrew added subscribers: chasemp, yuvipanda, madhuvishy and 2 others.Nov 5 2016, 4:15 PM

cc'ing everyone because this has huge security implications and I want to make sure I'm not missing obvious problems.

Reedy added projects: wikitech.wikimedia.org, Cloud-VPS, netops.Nov 5 2016, 4:16 PM
Restricted Application added projects: SRE, Cloud-Services. · View Herald TranscriptNov 5 2016, 4:16 PM
Paladox subscribed.Nov 5 2016, 4:17 PM
bd808 added a comment.Nov 5 2016, 5:26 PM

What about using https://blueprints.launchpad.net/keystone/+spec/delegated-auth-via-oauth ?

AlexMonk-WMF subscribed.Nov 5 2016, 7:42 PM

I'm pretty sure the Nova half of #1 is unnecessary, instances can already hit the nova API (it runs on labnet), they just can't use it due to lack of Keystone access:

krenair@bastion-01:~$ curl http://labnet1001.eqiad.wmnet:8774/v2
Authentication required
krenair@bastion-01:~$ curl -v http://labcontrol1001.wikimedia.org:5000/v3
* Hostname was NOT found in DNS cache
*   Trying 208.80.154.92...

You're right about other services, I don't have use cases for them to be hitting Glance or Designate.

We should probably disallow logins from instance IPs on usernames other than whitelisted, special-purpose accounts like novaobserver. I'm pretty sure we do NOT want individual user's LDAP passwords being exposed to labs instances (anyone's accounts, but also in a lot of cases user's LDAP passwords provide access to production sensitive data via the wmf/nda/ops LDAP groups)

AlexMonk-WMF added a comment.EditedNov 5 2016, 7:45 PM
In T150092#2774103, @AlexMonk-WMF wrote:

We should probably disallow logins from instance IPs on usernames other than whitelisted, special-purpose accounts like novaobserver. I'm pretty sure we do NOT want individual user's LDAP passwords being exposed to labs instances (anyone's accounts, but also in a lot of cases user's LDAP passwords provide access to production sensitive data via the wmf/nda/ops LDAP groups)

Actually, I'll go further: We should lock (via changing the password to something random) any user other than a whitelisted account that managed to get a successful username+password match from a labs instance IP. Then automatically notify operations/security of a potential breach along with the username and a list of their groups.

Andrew added a comment.Nov 5 2016, 8:32 PM
In T150092#2773987, @bd808 wrote:

What about using https://blueprints.launchpad.net/keystone/+spec/delegated-auth-via-oauth ?

Can you talk me through how that would help? As I understand it, you still need the initial password in order to get the token... would we need to create a separate special-purpose service to generate delegated tokens?

And, of course, for those tokens to work we would still need to open up the firewall for API ports, right?

Andrew added a comment.Nov 5 2016, 8:33 PM
In T150092#2774119, @AlexMonk-WMF wrote:
In T150092#2774103, @AlexMonk-WMF wrote:

We should probably disallow logins from instance IPs on usernames other than whitelisted, special-purpose accounts like novaobserver. I'm pretty sure we do NOT want individual user's LDAP passwords being exposed to labs instances (anyone's accounts, but also in a lot of cases user's LDAP passwords provide access to production sensitive data via the wmf/nda/ops LDAP groups)

Actually, I'll go further: We should lock (via changing the password to something random) any user other than a whitelisted account that managed to get a successful username+password match from a labs instance IP. Then automatically notify operations/security of a potential breach along with the username and a list of their groups.

@Krenair, do you have in mind a facility for blocking account access by name and IP?

AlexMonk-WMF added a comment.Nov 5 2016, 9:21 PM
In T150092#2774144, @Andrew wrote:
In T150092#2774119, @AlexMonk-WMF wrote:
In T150092#2774103, @AlexMonk-WMF wrote:

We should probably disallow logins from instance IPs on usernames other than whitelisted, special-purpose accounts like novaobserver. I'm pretty sure we do NOT want individual user's LDAP passwords being exposed to labs instances (anyone's accounts, but also in a lot of cases user's LDAP passwords provide access to production sensitive data via the wmf/nda/ops LDAP groups)

Actually, I'll go further: We should lock (via changing the password to something random) any user other than a whitelisted account that managed to get a successful username+password match from a labs instance IP. Then automatically notify operations/security of a potential breach along with the username and a list of their groups.

@Krenair, do you have in mind a facility for blocking account access by name and IP?

Can probably usurp Keystone's own password authentication plugin, subclass it, add a check against context.remote_addr (?) in the authenticate method as well as a username whitelist, call the super method, and then add the same check to wmtotp?

AlexMonk-WMF added a comment.EditedNov 6 2016, 8:54 AM

is this a duplicate of T49515: Add access to nova's admin api?

AlexMonk-WMF mentioned this in T143136: Dump instance info as a static file updated periodically.Nov 6 2016, 8:54 AM
tom29739 subscribed.Nov 6 2016, 2:41 PM
bd808 added a comment.Nov 6 2016, 5:22 PM
In T150092#2774143, @Andrew wrote:
In T150092#2773987, @bd808 wrote:

What about using https://blueprints.launchpad.net/keystone/+spec/delegated-auth-via-oauth ?

Can you talk me through how that would help? As I understand it, you still need the initial password in order to get the token... would we need to create a separate special-purpose service to generate delegated tokens?

I haven't looked to see if there is any web frontend for OAuth that can be easily plugged into horizon for creating access tokens, but in general the point of OAuth would be use easily revoked tokens for authentication requests coming from any external application/script rather than LDAP passwords. The "With this setup users will also be able to use their horizon login to manipulate projects from within Labs." statement sounds like using LDAP passwords from within Labs which has always been highly discouraged do to the various theoretical attacks that could capture a password stored or transmitted across the Labs internal network.

And, of course, for those tokens to work we would still need to open up the firewall for API ports, right?

Yes, network access to the nova/keystone api endpoints would still be needed.

Andrew merged a task: T49515: Add access to nova's admin api.Nov 6 2016, 5:45 PM
Andrew added subscribers: bzimport, scfc, coren, JanZerebecki.
Andrew added a comment.Nov 6 2016, 6:06 PM

in general the point of OAuth would be use easily revoked tokens for
authentication requests coming from any external application/script rather than
LDAP passwords.

So... I'm sorry, I still not sure I understand. In this model, would a tool developer request that a Labs admin issue a special-purpose token, and the token would be effectively immortal until explicitly revoked?

Andrew added a comment.Nov 6 2016, 6:07 PM

Can probably usurp Keystone's own password authentication plugin, subclass
it, add a check against context.remote_addr (?) in the authenticate method as
well as a username whitelist, call the super method, and then add the same
check to wmtotp?

I recognize the wisdom of this suggestion, but I also really hate the idea of second-guessing (and rewriting) keystone's existing security model, since the whole point of keystone is to be the secure auth layer.

bd808 added a comment.Nov 6 2016, 6:33 PM
In T150092#2775006, @Andrew wrote:

in general the point of OAuth would be use easily revoked tokens for
authentication requests coming from any external application/script rather than
LDAP passwords.

So... I'm sorry, I still not sure I understand. In this model, would a tool developer request that a Labs admin issue a special-purpose token, and the token would be effectively immortal until explicitly revoked?

Ideally, Labs admins would not be involved. With a web interface (maybe in horizon?) a user should be able to self-issue a token with a controlled scope of rights. MediaWiki's OAuth has this functionality via Special:OAuthConsumerRegistration/propose's "owner only consumers". In the case of MediaWiki the tokens have no automatic expiration, but can be easily revoked via Special:OAuthManageMyGrants. It looks like the Keystone tokens may additionally have the ability to limit the token lifetime at the time of issuance although I'm not sure if using this would actually be desired by a typical consumer.

gerritbot subscribed.Nov 10 2016, 1:44 AM

Change 320706 had a related patch set uploaded (by Andrew Bogott):
Keystone: Limit password auth to certain hosts and users.

https://gerrit.wikimedia.org/r/320706

gerritbot added a project: Patch-For-Review.Nov 10 2016, 1:44 AM
Andrew added a comment.Nov 10 2016, 1:46 AM

Update -- documentation for keystone/oauth is pretty poor, and keystone has a habit of leaving partially-completed features to rot so I'm inclined to not rely on it.

The attached patch limits logins to certain accounts and ip ranges, which I think makes opening up the firewalls fairly safe. It compiles properly for labtestcontrol but not for labcontrol, which I'm not yet clear on if that's a real problem or a puppet compiler problem.

AlexMonk-WMF added a comment.Nov 10 2016, 3:00 AM
In T150092#2784615, @Andrew wrote:

It compiles properly for labtestcontrol but not for labcontrol, which I'm not yet clear on if that's a real problem or a puppet compiler problem.

http://puppet-compiler.wmflabs.org/4575/labcontrol1001.wikimedia.org/change.labcontrol1001.wikimedia.org.err

Error: Failed to parse template openstack/liberty/keystone/keystone.conf.erb:
  Filepath: /mnt/jenkins-workspace/puppet-compiler/4575/change/src/modules/openstack/templates/liberty/keystone/keystone.conf.erb
  Line: 418
  Detail: undefined method `each' for nil:NilClass
 at /mnt/jenkins-workspace/puppet-compiler/4575/change/src/modules/openstack/manifests/keystone/service.pp:25 on node labcontrol1001.wikimedia.org

https://gerrit.wikimedia.org/r/#/c/320706/2/modules/openstack/templates/liberty/keystone/keystone.conf.erb

Maybe it needs a require network::constants before the template() or something?

Andrew added a comment.Nov 10 2016, 3:20 AM

Maybe it needs a require network::constants before the template() or something?

Yep, fixed by changing the erb lookup.

gerritbot added a comment.Nov 10 2016, 3:32 PM

Change 320787 had a related patch set uploaded (by Andrew Bogott):
Keystone: open up firewall for public keystone API

https://gerrit.wikimedia.org/r/320787

gerritbot added a comment.Nov 10 2016, 3:53 PM

Change 320791 had a related patch set uploaded (by Andrew Bogott):
Check password/ip whitelist for wmtotp.

https://gerrit.wikimedia.org/r/320791

gerritbot added a comment.Nov 10 2016, 7:14 PM

Change 320825 had a related patch set uploaded (by Andrew Bogott):
Keystone: remove explicit observer rights

https://gerrit.wikimedia.org/r/320825

gerritbot added a comment.Nov 10 2016, 7:14 PM

Change 320826 had a related patch set uploaded (by Andrew Bogott):
Keystone: Make the project list public

https://gerrit.wikimedia.org/r/320826

gerritbot added a comment.Nov 10 2016, 7:14 PM

Change 320827 had a related patch set uploaded (by Andrew Bogott):
Make compute:get fully public

https://gerrit.wikimedia.org/r/320827

gerritbot added a comment.Nov 10 2016, 7:22 PM

Change 320830 had a related patch set uploaded (by Andrew Bogott):
Labs: Add observerenv.sh, helper script for read-only creds

https://gerrit.wikimedia.org/r/320830

gerritbot added a comment.Nov 15 2016, 9:09 PM

Change 320706 merged by Andrew Bogott:
Keystone: Limit password auth to certain hosts and users.

https://gerrit.wikimedia.org/r/320706

gerritbot added a comment.Nov 15 2016, 9:16 PM

Change 320791 merged by Andrew Bogott:
Check password/ip whitelist for wmtotp.

https://gerrit.wikimedia.org/r/320791

Andrew updated the task description. (Show Details)Nov 15 2016, 9:38 PM
Andrew updated the task description. (Show Details)Nov 15 2016, 9:42 PM
Andrew updated the task description. (Show Details)
Andrew updated the task description. (Show Details)Nov 15 2016, 9:44 PM
gerritbot added a comment.Nov 15 2016, 9:53 PM

Change 320825 merged by Andrew Bogott:
Keystone: remove explicit observer rights

https://gerrit.wikimedia.org/r/320825

gerritbot added a comment.Nov 15 2016, 9:56 PM

Change 320826 merged by Andrew Bogott:
Keystone: Make the project list public

https://gerrit.wikimedia.org/r/320826

gerritbot added a comment.Nov 15 2016, 10:04 PM

Change 320827 merged by Andrew Bogott:
Make compute:get fully public

https://gerrit.wikimedia.org/r/320827

scfc mentioned this in T103995: Build a simple tool to query which instances have which roles / puppet variables.Nov 24 2016, 6:27 AM
gerritbot added a comment.Dec 2 2016, 3:11 PM

Change 320787 merged by Andrew Bogott:
Keystone: open up firewall to allow labs access to keystone API

https://gerrit.wikimedia.org/r/320787

gerritbot added a comment.Dec 2 2016, 3:35 PM

Change 320830 merged by Andrew Bogott:
Labs: Add observerenv.sh, helper script for read-only creds

https://gerrit.wikimedia.org/r/320830

Andrew created subtask T152215: Move novaobserver (and novaadmin) users out of ldap.Dec 2 2016, 4:46 PM
chasemp renamed this task from Provide public access to OpenStack APIs to Provide instance level ro access to OpenStack APIs.Dec 2 2016, 4:51 PM
chasemp renamed this task from Provide instance level ro access to OpenStack APIs to Provide read-only access to OpenStack APIs from WMF IP space.Dec 2 2016, 4:56 PM
gerritbot added a comment.Dec 2 2016, 7:45 PM

Change 324963 had a related patch set uploaded (by Andrew Bogott):
Keystone: add 'observer' domain

https://gerrit.wikimedia.org/r/324963

gerritbot added a comment.Dec 5 2016, 9:13 PM

Change 325371 had a related patch set uploaded (by Andrew Bogott):
Labs ldap: Hide the novaobserver account from everyone but keystone

https://gerrit.wikimedia.org/r/325371

gerritbot added a comment.Dec 5 2016, 9:37 PM

Change 324963 abandoned by Andrew Bogott:
Keystone: add 'observer' domain

https://gerrit.wikimedia.org/r/324963

gerritbot added a comment.Dec 5 2016, 9:49 PM

Change 325371 merged by Andrew Bogott:
Labs ldap: Hide the novaobserver account from everyone but keystone

https://gerrit.wikimedia.org/r/325371

gerritbot added a comment.Dec 6 2016, 9:21 PM

Change 325633 had a related patch set uploaded (by Andrew Bogott):
wmfkeystonehooks: Don't bother adding novaobserver to projects

https://gerrit.wikimedia.org/r/325633

gerritbot added a comment.Dec 6 2016, 9:33 PM

Change 325633 abandoned by Andrew Bogott:
wmfkeystonehooks: Don't bother adding novaobserver to projects

Reason:
This works only if novaobserver is in the 'admin' project, which seems like a bad idea

https://gerrit.wikimedia.org/r/325633

gerritbot added a comment.Dec 6 2016, 9:38 PM

Change 325643 had a related patch set uploaded (by Andrew Bogott):
Novaobserver: novaobserver isn't in the admin project.

https://gerrit.wikimedia.org/r/325643

gerritbot added a comment.Dec 7 2016, 12:21 AM

Change 325717 had a related patch set uploaded (by Andrew Bogott):
Add $wgOpenStackHiddenUsernames global array

https://gerrit.wikimedia.org/r/325717

gerritbot added a comment.Dec 7 2016, 11:14 AM

Change 325717 merged by jenkins-bot:
Add $wgOpenStackHiddenUsernames global array

https://gerrit.wikimedia.org/r/325717

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2016-12-13_(1.29.0-wmf.6)).Dec 7 2016, 12:00 PM
gerritbot added a comment.Dec 7 2016, 2:48 PM

Change 325643 merged by Andrew Bogott:
Novaobserver: novaobserver isn't in the admin project.

https://gerrit.wikimedia.org/r/325643

Andrew closed subtask T152215: Move novaobserver (and novaadmin) users out of ldap as Resolved.Dec 7 2016, 3:08 PM
gerritbot added a comment.Dec 7 2016, 9:17 PM

Change 325828 had a related patch set uploaded (by Andrew Bogott):
Add clientlib.pp and mwopenstackclients.py

https://gerrit.wikimedia.org/r/325828

gerritbot added a comment.Dec 7 2016, 9:22 PM

Change 325830 had a related patch set uploaded (by Andrew Bogott):
Add clientlib.pp and mwopenstackclients.py

https://gerrit.wikimedia.org/r/325830

gerritbot added a comment.Dec 8 2016, 7:15 PM

Change 325994 had a related patch set uploaded (by Andrew Bogott):
Designate policy: Add public read-only access

https://gerrit.wikimedia.org/r/325994

Andrew updated the task description. (Show Details)Dec 8 2016, 7:23 PM
gerritbot added a comment.Dec 12 2016, 7:54 PM

Change 325830 merged by Andrew Bogott:
Add clientlib.pp and mwopenstackclients.py

https://gerrit.wikimedia.org/r/325830

gerritbot added a comment.Dec 12 2016, 8:27 PM

Change 325994 merged by Andrew Bogott:
Designate policy: Add public read-only access

https://gerrit.wikimedia.org/r/325994

gerritbot added a comment.Dec 13 2016, 3:58 PM

Change 326979 had a related patch set uploaded (by Andrew Bogott):
Keystone: Publish credentials for novaobserver account

https://gerrit.wikimedia.org/r/326979

gerritbot added a comment.Dec 14 2016, 12:13 AM

Change 326979 merged by Andrew Bogott:
Keystone: Publish credentials for novaobserver account

https://gerrit.wikimedia.org/r/326979

gerritbot added a comment.Dec 14 2016, 4:58 PM

Change 327230 had a related patch set uploaded (by Andrew Bogott):
Add novaconfig to labs.yaml

https://gerrit.wikimedia.org/r/327230

gerritbot added a comment.Dec 14 2016, 5:00 PM

Change 327231 had a related patch set uploaded (by Andrew Bogott):
Add labs.yaml to labs/private

https://gerrit.wikimedia.org/r/327231

gerritbot added a comment.Dec 14 2016, 5:01 PM

Change 327232 had a related patch set uploaded (by Andrew Bogott):
Labs hiera: Include private labs.yaml in hiera search

https://gerrit.wikimedia.org/r/327232

gerritbot added a comment.Dec 14 2016, 7:17 PM

Change 327231 merged by Andrew Bogott:
Add labs.yaml to labs/private

https://gerrit.wikimedia.org/r/327231

gerritbot added a comment.Dec 14 2016, 7:26 PM

Change 327230 merged by Andrew Bogott:
Add novaconfig to labs.yaml

https://gerrit.wikimedia.org/r/327230

gerritbot added a comment.Dec 14 2016, 7:30 PM

Change 327232 merged by Andrew Bogott:
Labs hiera: Include private labs.yaml in hiera search

https://gerrit.wikimedia.org/r/327232

gerritbot added a comment.Dec 14 2016, 8:50 PM

Change 327290 had a related patch set uploaded (by Andrew Bogott):
Keystone: refactor observerenv.sh

https://gerrit.wikimedia.org/r/327290

gerritbot added a comment.Dec 15 2016, 8:51 PM

Change 327290 merged by Andrew Bogott:
Keystone: refactor observerenv.sh

https://gerrit.wikimedia.org/r/327290

gerritbot added a comment.Dec 16 2016, 7:37 PM

Change 327787 had a related patch set uploaded (by Andrew Bogott):
Add export OS_INTERFACE=public to observerenv

https://gerrit.wikimedia.org/r/327787

gerritbot added a comment.Dec 16 2016, 10:01 PM

Change 327787 merged by Andrew Bogott:
Add export OS_INTERFACE=public to observerenv

https://gerrit.wikimedia.org/r/327787

Andrew closed this task as Resolved.Dec 20 2016, 3:26 PM

I can now do 'openstack project list' on a labs Jessie machine with addition of openstack::clientlib.

gerritbot added a comment.Jan 17 2017, 6:43 PM

Change 325828 abandoned by Andrew Bogott:
Add clientlib.pp and mwopenstackclients.py

https://gerrit.wikimedia.org/r/325828

Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:39 PM
bd808 mentioned this in T233372: Create a "novaobserver" equivalent for Toolforge Kubernetes cluster inspection.Sep 19 2019, 11:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL