
fuel-dev team mailing list archive

Fuel authentication for upgrade system

 

Hi guys,

I would like to discuss this topic again, because it looks like we have
some misunderstanding of the problem.

Let me describe the problematic use case:

1. user has 5.1 master node
2. he changes his password in keystone
3. he wants to upgrade his master node to 6.0
4. it fails, because right now, upgrade system uses credentials from
    `/etc/fuel/astute.yaml` file

During the upgrade procedure, the upgrade system uses the API of the
current containers (5.1), and at some stage it starts to use the
new containers (6.0).

I would also like to describe the proposed solutions to the problem:

1. use service user
   - Pros:
      - we will be able to take these credentials from some config
   - Cons:
      - there will be credentials in plain text on the master node, afaik
        Lukasz had some concerns about it
      - we will have to add hacks in upgrade script
         - check that it's 5.1 release
         - check that there is no such user in keystone (can we do that
           without authentication?)
         - create user (can we create user with admin_token?)
         - use it for authentication
         - handle cases when keystone/nailgun are not running, we can
           get such state, if first upgrade/rollback fails
2. ask user for credentials before upgrade
   - Pros:
      - it will not require adding new hacks to the upgrade system
   - Cons:
      - user will have to type his credentials in console (or pass env
        variables with credentials)


Thanks,
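
Option 2 above (credentials typed at the console or passed in environment variables), sketched as an added example that is not part of the original message or of the Fuel upgrade script. The environment variable names and the `resolve_credentials` helper are hypothetical, chosen only for illustration:

```python
import getpass
import os
import sys
from dataclasses import dataclass, field

# Hypothetical variable names, chosen for this example only.
ENV_USER = "UPGRADE_KEYSTONE_USER"
ENV_PASSWORD = "UPGRADE_KEYSTONE_PASSWORD"

class CredentialsError(Exception):
    """Raised when credentials cannot be obtained without guessing."""

@dataclass(frozen=True)
class Credentials:
    user: str
    password: str = field(repr=False)  # keep the secret out of logs and tracebacks

def resolve_credentials(env=None, interactive=None,
                        ask_user=input, ask_password=getpass.getpass):
    """Return Credentials from the environment, else from a console prompt."""
    env = os.environ if env is None else env
    if interactive is None:
        interactive = sys.stdin.isatty()

    user, password = env.get(ENV_USER), env.get(ENV_PASSWORD)
    if user and password:
        return Credentials(user, password)
    if user or password:
        # Half-configured automation is a mistake; do not silently prompt.
        raise CredentialsError(f"set both {ENV_USER} and {ENV_PASSWORD}, or neither")
    if not interactive:
        # Unattended run with nothing supplied: fail before the upgrade starts.
        raise CredentialsError("no credentials in environment and no console to prompt on")

    user = ask_user("Keystone user: ").strip()
    password = ask_password("Keystone password: ")  # getpass does not echo input
    if not user or not password:
        raise CredentialsError("empty user name or password")
    return Credentials(user, password)

if __name__ == "__main__":
    try:
        print("authenticating as", resolve_credentials().user)
    except CredentialsError as exc:
        sys.exit(f"upgrade aborted: {exc}")
```

Nothing is written to disk here, so the plain-text-on-master-node concern raised for option 1 does not apply; environment variables remain visible to other processes of the same user for the lifetime of the run.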
