> Hi,
>
> Right now Ironic is responsible for storing the credentials for the IPMI
> and SSH drivers (and potentially other drivers in the future). I wonder if
> we should delegate this task to Keystone. The Keystone V3 API now has a
> /credentials endpoint which would allow us to specify arbitrary types (not
> only ec2 anymore) and use it as a credential store [1].
>
> That would avoid further fragmentation of credentials being stored in
> different places in OpenStack, and make the management of the credentials
> easier (think about a situation where many nodes share the same IPMI
> username/password and we need to update it; if this is stored in Keystone
> it only needs to be updated there once, because nodes will only hold a
> reference to it).
>
> It was also pointed out to me that setting a hard dependency on Keystone V3
> might significantly raise the bar for integration with existing clouds*. So
> perhaps we should make it optional? In the same way we can specify a
> username/password or key_filename for the ssh driver, we could have a
> reference to a credential in Keystone V3?
>
> What do you guys think about the idea?
Hi Lucas,

At a high level, this sounds like an excellent idea to me.

IIUC the major blocker to ceilometer taking point on controlling the IPMI
polling cycle has been secure access to these credentials. If these were
available to ceilometer in a controlled way via keystone, then the IPMI
polling cycle could be managed in a very similar way to the ceilo polling
activity on the hypervisor and SNMP daemons.

However, I'm a little fuzzy on the detail of enabling this via keystone v3,
so it would be great to drill down into the detail either on the ML or at
summit.

For example, would it be in the guise of a trust that delegates limited
privilege to allow the ceilometer user to call GET /credentials to retrieve
the IPMI user/pass?

Or would the project_id parameter to POST /credentials suffice to limit
access to IPMI credentials to the ceilometer tenant only? (as opposed to
allowing any other openstack service to access these creds)

In that case, would we need to also decouple the ceilometer user from the
generic service tenant?

Cheers,
Eoghan

> What are the cloud operators'/sysadmins' views on that?
>
> * There are also some ongoing thoughts about using v3 for other things in
> Ironic (e.g. signed URLs) but that's kinda off topic.
>
> [1]
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#create-credential-post-credentials
> Ironic bp (discussion):
> https://blueprints.launchpad.net/ironic/+spec/credentials-keystone-v3
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
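As an added illustration of the "nodes only hold a reference" scheme proposed above, here is example code written for this page; it is not Ironic's or Keystone's own code and is not part of either message. The CredentialStore below is an in-memory stand-in shaped like the Keystone v3 credential resource (id, type, blob, project_id, user_id; the blob is an opaque string as in the POST /credentials body), not python-keystoneclient. The rule that only the owning project may read a blob is an assumption standing in for whatever Keystone policy or trust would actually govern access, which is exactly the question left open in the reply. The driver_info key ipmi_credential_id, the credential type "ipmi" and all node data are hypothetical/constructed.

```python
"""Ironic nodes referencing a shared IPMI credential by id rather than
embedding username/password in each node's driver_info.

Constructed example.  CredentialStore imitates the shape of the Keystone v3
/credentials resource in memory; the project scoping rule in get() is an
ASSUMPTION for illustration, not Keystone's real policy.
"""
import json
import uuid


class CredentialStore:
    """In-memory stand-in for Keystone v3 POST/GET/PATCH /credentials."""

    def __init__(self):
        self._creds = {}

    def create(self, user_id, project_id, cred_type, blob):
        # Same fields as the v3 request body:
        # {"credential": {"blob", "project_id", "type", "user_id"}}
        cred_id = uuid.uuid4().hex
        self._creds[cred_id] = {
            "id": cred_id,
            "user_id": user_id,
            "project_id": project_id,
            "type": cred_type,
            "blob": blob,  # stored as an opaque string, as Keystone does
        }
        return cred_id

    def update_blob(self, cred_id, new_blob):
        # One PATCH here rotates the secret for every node referencing it.
        self._creds[cred_id]["blob"] = new_blob

    def get(self, cred_id, caller_project_id):
        cred = self._creds[cred_id]
        # ASSUMED scoping rule: only the owning project may read the blob.
        if cred["project_id"] != caller_project_id:
            raise PermissionError("credential %s not visible to project %s"
                                  % (cred_id, caller_project_id))
        return cred


def ipmi_blob(username, password):
    """Serialise an IPMI user/pass into the opaque blob string."""
    return json.dumps({"username": username, "password": password})


def resolve_ipmi(node, store, caller_project_id):
    """Return (address, username, password) for a node.

    driver_info either embeds ipmi_username/ipmi_password (the existing
    Ironic form) or carries the hypothetical ipmi_credential_id reference.
    """
    info = node["driver_info"]
    if "ipmi_credential_id" in info:
        cred = store.get(info["ipmi_credential_id"], caller_project_id)
        if cred["type"] != "ipmi":
            raise ValueError("credential %s has type %r, expected 'ipmi'"
                             % (cred["id"], cred["type"]))
        secret = json.loads(cred["blob"])
        return info["ipmi_address"], secret["username"], secret["password"]
    return info["ipmi_address"], info["ipmi_username"], info["ipmi_password"]


def demo():
    """Three nodes share one credential; rotate once, check project scoping."""
    store = CredentialStore()
    ironic_project = "proj-ironic"  # constructed project id
    cred_id = store.create("ironic-svc", ironic_project, "ipmi",
                           ipmi_blob("admin", "hunter2"))
    nodes = [
        {"uuid": "node-%d" % i,
         "driver_info": {"ipmi_address": "10.0.0.%d" % i,
                         "ipmi_credential_id": cred_id}}
        for i in range(1, 4)
    ]
    before = [resolve_ipmi(n, store, ironic_project)[2] for n in nodes]
    store.update_blob(cred_id, ipmi_blob("admin", "new-pass"))
    after = [resolve_ipmi(n, store, ironic_project)[2] for n in nodes]
    try:
        resolve_ipmi(nodes[0], store, "proj-other")
        denied = False
    except PermissionError:
        denied = True
    return before, after, denied


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is the one in the proposal: a password change is a single update to the store, and the nodes never carry the secret themselves. Whether a foreign project (or another OpenStack service) can read the blob depends entirely on the scoping rule in get(), which is why the trust-versus-project_id question in the reply matters before any driver relies on this.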