fuel-dev team mailing list archive

Re: Fuel authentication for upgrade system

 

Ok, let's make sure that QA team knows how to deal with this in advance.

Thanks,

On Fri, Oct 3, 2014 at 3:21 PM, Lukasz Oles <loles@xxxxxxxxxxxx> wrote:

> Hello,
>
> yeah, solution number 1 is harder to implement and during
> implementation it's easy to miss some edge scenario.
>
> Solution nr 2 is nice and easy. Actually, I don't consider asking for
> password as a con. Some extra protection against accidental upgrade
> run is ok for me.
>
> On Fri, Oct 3, 2014 at 12:15 PM, Evgeniy L <eli@xxxxxxxxxxxx> wrote:
> > Hi guys,
> >
> > I would like to discuss this topic again, because it looks like we have
> > some misunderstanding of the problem.
> >
> > Let me describe the problematic use case:
> >
> > 1. user has 5.1 master node
> > 2. he changes his password in keystone
> > 3. he wants to upgrade his master node to 6.0
> > 4. it fails, because right now, upgrade system uses credentials from
> >     `/etc/fuel/astute.yaml` file
> >
> > During the upgrade procedure, upgrade system uses API for
> > current containers (5.1), and at some stage it starts to use
> > new containers (6.0).
> >
> > Also I would like to describe proposed solutions of the problem:
> >
> > 1. use service user
> >
> >    Pros:
> >
> >    - we will be able to take these credentials from some config
> >
> >    Cons:
> >
> >    - there will be credentials in plain text on the master node, afaik
> >      Lukasz had some concerns about it
> >    - we will have to add hacks in upgrade script
> >
> >      - check that it's 5.1 release
> >      - check that there is no such user in keystone (can we do that
> >        without authentication?)
> >      - create user (can we create user with admin_token?)
> >      - use it for authentication
> >      - handle cases when keystone/nailgun are not running, we can get
> >        such state, if first upgrade/rollback fails
> >
> > 2. ask user for credentials before upgrade
> >
> >    Pros:
> >
> >    - it will not require adding some new hacks in upgrade system
> >
> >    Cons:
> >
> >    - user will have to type his credentials in console (or pass env
> >      variables with credentials)
> >
> >
> > Thanks,
> >
> >
> > --
> > Mailing list: https://launchpad.net/~fuel-dev
> > Post to     : fuel-dev@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~fuel-dev
> > More help   : https://help.launchpad.net/ListHelp
> >
>
>
>
> --
> Łukasz Oleś
>
>



-- 
Mike Scherbakov
#mihgen
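
Added example, not part of the thread and not Fuel's own code: one way an upgrade script could obtain credentials as in the second option discussed above (environment variables, otherwise a console prompt) without reading a password from a file on the master node. The variable names, the function and the exception class are hypothetical.

```python
import getpass
import os
import sys

# Hypothetical variable names, chosen for this example only.
ENV_USER = "UPGRADE_KEYSTONE_USER"
ENV_PASS = "UPGRADE_KEYSTONE_PASSWORD"


class CredentialsError(Exception):
    """Raised when no usable credentials can be obtained."""


def resolve_credentials(environ=None, prompt_user=input,
                        prompt_pass=getpass.getpass, interactive=None):
    """Return (user, password) from env variables, else from a console prompt.

    The password is never read from a file, and its environment copy is
    removed so that child processes started later do not inherit it.
    """
    environ = os.environ if environ is None else environ
    if interactive is None:
        interactive = sys.stdin.isatty()

    user = environ.get(ENV_USER)
    password = environ.pop(ENV_PASS, None)  # drop it from the environment

    if user and password:
        return user, password
    if not interactive:
        # Unattended run without both variables: fail instead of blocking
        # on a prompt that nobody can answer.
        raise CredentialsError(
            "set %s and %s, or run from a terminal" % (ENV_USER, ENV_PASS))

    user = user or prompt_user("Keystone user: ").strip()
    password = password or prompt_pass("Keystone password: ")  # no echo
    if not user or not password:
        raise CredentialsError("empty user name or password")
    return user, password


if __name__ == "__main__":
    try:
        name, _secret = resolve_credentials()
    except CredentialsError as exc:
        sys.exit("upgrade aborted: %s" % exc)
    print("credentials obtained for %s" % name)
```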
