Adam Young wrote:
We have a use case where we want to register a newly spawned Virtual
machine with an identity provider.

Heat also has a need to provide some form of Identity for a new VM.


Looking at the set of utilities right now, there does not seem to be a
secure way to do this. Injecting files does not provide a path that
cannot be seen by other VMs or machines in the system.

For our use case, a short lived One-Time-Password is sufficient, but for
others, I think asymmetric key generation makes more sense.

Is the following possible:

1. In cloud-init, the VM generates a Keypair, then notifies the Nova
infrastructure (somehow) that it has done so.

So this can be somewhat done already:

https://cloudinit.readthedocs.org/en/latest/topics/examples.html#call-a-url-when-finished

But unsure what endpoint you want that thing to call (and the data it sends might need to be tweaked); and said calling of a URL might need https, which then begs the question of what certs and stuff https is using to ensure it's calling a URL that is 'really nova'.


2. Nova Compute reads the public Key off the device and sends it to
conductor, which would then associate the public key with the server?

3. A third party system could then validate the association of the
public key and the server, and build a work flow based on some signed
document from the VM?

Seems like a useful idea, if we can figure out how to do it.

-Josh
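A worked sketch of the three steps above, added here as an illustration and not code from the thread, from Nova or from cloud-init. It uses ed25519 from the Go standard library and models the parties in one process: the guest (keypair generated at cloud-init time, private key never leaving the VM), a conductor-side registry that only nova-compute is allowed to write to (step 2, so the unauthenticated phone-home URL from step 1 is treated purely as a "done" signal and never as the source of the key), and a third party that verifies a signed document against the registered key (step 3). The names `Attestation`, `Registry`, `Register` and `Verify`, the instance id, and the nonce/freshness fields are assumptions for the example, not Nova APIs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation is the signed document the VM presents to a third party.
// The nonce is a challenge chosen by the verifier so the document cannot be replayed.
type Attestation struct {
	InstanceID string `json:"instance_id"`
	IssuedAt   int64  `json:"issued_at"`
	Nonce      string `json:"nonce"`
}

// VM models the guest side. The private key is generated in the guest
// (as cloud-init would) and is never handed to anyone else.
type VM struct {
	InstanceID string
	pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
}

func NewVM(instanceID string) (*VM, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &VM{InstanceID: instanceID, pub: pub, priv: priv}, nil
}

// PublicKey is the value nova-compute would read off the guest device (step 2).
func (v *VM) PublicKey() ed25519.PublicKey { return v.pub }

// Sign produces the signed document of step 3 for a verifier-supplied nonce.
func (v *VM) Sign(nonce string, now time.Time) (body, sig []byte, err error) {
	body, err = json.Marshal(Attestation{InstanceID: v.InstanceID, IssuedAt: now.Unix(), Nonce: nonce})
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(v.priv, body), nil
}

// Registry models the conductor-side association instance -> public key.
// Only the trusted compute->conductor path calls Register; the guest's
// phone-home call (step 1) is not allowed to write here.
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Register stores the first key seen for an instance and refuses overwrites,
// so a later caller cannot swap in a key of its own for an existing instance.
func (r *Registry) Register(instanceID string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, exists := r.keys[instanceID]; exists {
		return errors.New("instance already has a registered key")
	}
	r.keys[instanceID] = append(ed25519.PublicKey(nil), pub...)
	return nil
}

// Verify is the third party's check: known instance, valid signature under the
// registered key, the nonce it issued, and a document inside the freshness window.
func (r *Registry) Verify(body, sig []byte, expectedNonce string, now time.Time, maxAge time.Duration) (string, error) {
	var doc Attestation
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", fmt.Errorf("unparseable document: %w", err)
	}
	pub, ok := r.keys[doc.InstanceID]
	if !ok {
		return "", errors.New("unknown instance")
	}
	if !ed25519.Verify(pub, body, sig) {
		return "", errors.New("signature does not match registered key")
	}
	if doc.Nonce != expectedNonce {
		return "", errors.New("nonce mismatch (replayed document)")
	}
	if age := now.Sub(time.Unix(doc.IssuedAt, 0)); age < 0 || age > maxAge {
		return "", errors.New("document outside freshness window")
	}
	return doc.InstanceID, nil
}

func main() {
	reg := NewRegistry()
	vm, err := NewVM("instance-0001") // constructed sample instance id
	if err != nil {
		panic(err)
	}
	if err := reg.Register(vm.InstanceID, vm.PublicKey()); err != nil {
		panic(err)
	}
	now := time.Now()
	body, sig, _ := vm.Sign("challenge-42", now)
	id, err := reg.Verify(body, sig, "challenge-42", now, 5*time.Minute)
	fmt.Println("genuine VM:", id, err)
	// A second guest with its own key claiming the same instance id is rejected.
	impostor, _ := NewVM("instance-0001")
	b, s, _ := impostor.Sign("challenge-42", now)
	_, err = reg.Verify(b, s, "challenge-42", now, 5*time.Minute)
	fmt.Println("impostor:", err)
}
```

The point of the split is Josh's caveat: until the phone-home call can itself be authenticated (and the guest can verify it is talking to the real Nova), the association in the registry has to come from the hypervisor side reading the key, not from whatever the guest claims over the URL.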

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
