Page MenuHomePhabricator
Create Task
Maniphest T294195

Openstack API access credentials
Closed, ResolvedPublic
Actions

Description

Our current OpenStack API clients authenticate with normal LDAP accounts that have been specifically granted access to the API bypassing our 2fa setup. If we intend to open up Swift or other parts of the API to clients that aren't managed by cloud vps admins we should make the API credential workflow not require manual admin action or user-like accounts with SSH access. In the OpenStack world I think that means application credentials.

Details

SubjectRepoBranchLines +/-
openstack: keystone: enable app credentials everywhereoperations/puppetproduction+2 -14
openstack: keystone: enable app credentials on codfw1devoperations/puppetproduction+14 -2
keystone: add restrict_password_auth flagoperations/puppetproduction+13 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

taavi created this task.Oct 24 2021, 6:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 24 2021, 6:09 PM
Addshore mentioned this in T292906: [mwcli] Add a "vps" command for cloud VPS.Oct 26 2021, 9:47 PM
Addshore added a subscriber: Addshore.
taavi added a comment.Nov 18 2021, 5:24 PM

Upstream docs seem to say that application credentials seem to always be linked to some regular user account. Not sure if that's a good or a bad thing.

Proc added a subscriber: Proc.Aug 13 2022, 6:47 PM
Andrew added a subscriber: fnegri.Aug 17 2022, 10:22 PM
gerritbot added a comment.Aug 21 2022, 1:26 AM

Change 824830 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] keystone: add restrict_password_auth flag

https://gerrit.wikimedia.org/r/824830

gerritbot added a project: Patch-For-Review.Aug 21 2022, 1:26 AM
gerritbot added a comment.Aug 22 2022, 6:19 PM

Change 824830 abandoned by Andrew Bogott:

[operations/puppet@production] keystone: add restrict_password_auth flag

Reason:

dropping in favor of https://gerrit.wikimedia.org/r/c/operations/puppet/+/825380

https://gerrit.wikimedia.org/r/824830

Maintenance_bot removed a project: Patch-For-Review.Aug 22 2022, 6:30 PM
gerritbot added a comment.Aug 26 2022, 8:43 AM

Change 826792 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] openstack: keystone: enable app credentials on codfw1dev

https://gerrit.wikimedia.org/r/826792

gerritbot added a project: Patch-For-Review.Aug 26 2022, 8:43 AM
gerritbot added a comment.Aug 26 2022, 1:11 PM

Change 826792 merged by Andrew Bogott:

[operations/puppet@production] openstack: keystone: enable app credentials on codfw1dev

https://gerrit.wikimedia.org/r/826792

Maintenance_bot removed a project: Patch-For-Review.Aug 26 2022, 1:30 PM
taavi added a parent task: T316436: Cloud VPS Terraform support.Aug 27 2022, 3:35 PM
stwalkerster added a subscriber: stwalkerster.Aug 28 2022, 2:03 AM
jbond added a subscriber: jbond.Sep 20 2022, 12:43 PM
gerritbot added a comment.Oct 7 2022, 12:48 PM

Change 840121 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] openstack: keystone: enable app credentials everywhere

https://gerrit.wikimedia.org/r/840121

gerritbot added a project: Patch-For-Review.Oct 7 2022, 12:48 PM
gerritbot added a comment.Oct 11 2022, 2:02 PM

Change 840121 merged by Andrew Bogott:

[operations/puppet@production] openstack: keystone: enable app credentials everywhere

https://gerrit.wikimedia.org/r/840121

Maintenance_bot removed a project: Patch-For-Review.Oct 11 2022, 2:31 PM
taavi closed this task as Resolved.Oct 11 2022, 2:35 PM
taavi claimed this task.
taavi added a subtask: T319312: Open Openstack APIs to the public internet.
taavi removed a subtask: T319312: Open Openstack APIs to the public internet.
taavi added a parent task: T319312: Open Openstack APIs to the public internet.

marking this one as resolved, the rest is tracked in T319312: Open Openstack APIs to the public internet

taavi removed a parent task: T316436: Cloud VPS Terraform support.Oct 13 2022, 9:24 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL