launchpad-reviewers team mailing list archive
Message #06388
[Merge] lp:~jtv/maas/metadata-node-user into lp:maas
The proposal to merge lp:~jtv/maas/metadata-node-user into lp:maas has been updated.
Description changed to:
Boy, I hope X doesn't crash while I write this merge proposal. (Update: actually I had a low-power warning followed by a shutdown. But the browser remembered what I was typing!)
Nodes will authenticate for accessing the metadata service. The metadata service will provide metadata based on the authenticated node (not on, say, a RARP lookup of the requesting IP address — much too fragile).
Raphaël and I discussed this, and it turns out there is no need to have a separate User per Node as we feared. Instead, we can have a special user that will have one set of OAuth tokens for each node. We keep it in a stateless wrapper class that knows about the mapping between keys and nodes. The mapping itself lives in a new very simple model class, NodeKey.
Along the way, I had to introduce the concept of a “system user.” This is analogous to a Unix system user, but for MaaS. The node-initialization user is the first one. System users do not have profiles, and do not show up in user-facing user listings.
The process of commissioning and deploying a node will, at some point, create a key for the node and seed the whole oauth token (token key, token secret, consumer key, and the “consumer secret” which I can tell you and the rest of the internet in confidence will be the empty string). There's no need to store all of that in NodeKey, as far as I can see; the request header's oauth_key should uniquely identify a node's key. We just need to get it to cloud-init.
This may not be enough to get authentication working for the metadata API, since its implementation is currently not based on Piston whose OAuth we use. Should be easy enough to fix — but in a separate branch please.
Jeroen
For more details, see:
https://code.launchpad.net/~jtv/maas/metadata-node-user/+merge/93320
--
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~jtv/maas/metadata-node-user into lp:maas.
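
The per-node key lookup described in the proposal, sketched as an added example; it is not part of the original message and not MAAS code. `NodeKeyRegistry` is a hypothetical in-memory stand-in for the NodeKey model, and the example assumes the token key travels in the standard OAuth 1.0 `oauth_token` header parameter and that the OAuth layer has already verified the request signature.

```python
import re
import secrets
from urllib.parse import unquote

_PARAM = re.compile(r'(\w+)="([^"]*)"')


class NodeKeyRegistry:
    """Hypothetical in-memory stand-in for the NodeKey mapping."""

    def __init__(self):
        self._node_by_key = {}
        self._key_by_node = {}

    def get_or_create_key(self, node_id):
        """Return the node's token key, minting a random one on first use."""
        key = self._key_by_node.get(node_id)
        if key is None:
            key = secrets.token_urlsafe(18)
            self._key_by_node[node_id] = key
            self._node_by_key[key] = node_id
        return key

    def node_for_key(self, key):
        """Return the node that owns this token key, or None if unknown."""
        return self._node_by_key.get(key)


def extract_oauth_token(authorization):
    """Return the oauth_token value from an OAuth Authorization header."""
    scheme, _, rest = (authorization or "").strip().partition(" ")
    if scheme.lower() != "oauth":
        return None
    params = {name: unquote(value) for name, value in _PARAM.findall(rest)}
    return params.get("oauth_token")


def node_for_request(registry, authorization):
    """Map a request to a node by token key; the source IP is never consulted.

    Assumes the OAuth layer has already verified the request's signature.
    """
    key = extract_oauth_token(authorization)
    return None if key is None else registry.node_for_key(key)


def sample_header(token_key):
    """Constructed header for the demo; consumer key value is made up."""
    return ('OAuth realm="", oauth_consumer_key="constructed-consumer", '
            'oauth_token="%s", oauth_signature_method="PLAINTEXT"' % token_key)
```

An unknown or missing token key yields `None`, so the metadata view can refuse the request instead of guessing a node from network-level information.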