{"specs/approved/pluggable-credential-storage.rst":[{"author":{"_account_id":10662,"name":"Gopi Krishna S","email":"saripurigopi@gmail.com","username":"saripurigopi"},"change_message_id":"4a9f78c65d016659f7ca025eca43b60745a2b390","unresolved":false,"context_lines":[{"line_number":52,"context_line":"credentials will be read from in-memory cache, or, if not present there, will"},{"line_number":53,"context_line":"be downloaded from credentials storage if `driver_internal_info/credentials_id`"},{"line_number":54,"context_line":"is specified, otherwise they will be read from database. If node UUID saved"},{"line_number":55,"context_line":"along with credentials is not equal to UUID of a node they\u0027re used for,"},{"line_number":56,"context_line":"exception will be raised."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"As part of this spec\u0027s implementation, Keystone\u0027s credentials storage will be"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1a4dcd0f_13af802c","line":55,"updated":"2015-08-14 10:13:58.000000000","message":"The operator accounts are usually AD/LDAP or AAA servers. And the same account would be able to access all the nodes with same access privileges. In that case, while enrolling the nodes user have to specify the same credentials for each and every node.\nIf the credentials are same across nodes, can driver_info have credentials_fields with credential_id? 
\nThis way, modifying single credentials_id would be sufficient for any changes.\n\nCan this be list of node UUID\u0027s using same credentials for login?","commit_id":"4fdf0f8d63896a3fdd201cb849b5b509f0de54f2"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"c261135d2bfae4d20740c6a928a72bbc1c45d7bb","unresolved":false,"context_lines":[{"line_number":52,"context_line":"credentials will be read from in-memory cache, or, if not present there, will"},{"line_number":53,"context_line":"be downloaded from credentials storage if `driver_internal_info/credentials_id`"},{"line_number":54,"context_line":"is specified, otherwise they will be read from database. If node UUID saved"},{"line_number":55,"context_line":"along with credentials is not equal to UUID of a node they\u0027re used for,"},{"line_number":56,"context_line":"exception will be raised."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"As part of this spec\u0027s implementation, Keystone\u0027s credentials storage will be"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1a4dcd0f_41a20d4d","line":55,"in_reply_to":"1a4dcd0f_13af802c","updated":"2015-08-14 11:16:45.000000000","message":"IIUC you mean store list of node UUIDs in credentials rather than one UUID, and put credentials_id in driver_info rather that driver_internal_info so that it can be updated by operator.\n\nYes, it can be done, but then operator would have to manage this list by himself, right? (which means he should be admin in keystone to have access to credentials created by Ironic) So when he wants to add another node he first adds it to UUIDs list and then adds credentials_id to driver_info. 
If a node is deleted then UUID can be deleted from this list automatically by Ironic.\n\nOr another way to do this, operator will create credentials by himself (with the list of nodes to use it on) and provide them to Ironic, then Ironic will not manage credentials at all and caching would become harder. It is also the case for \"modifying single credentials_id would be sufficient for any changes\", as credentials may change at any time (you would need some generic way for all credential storages to say that these credentials are outdated so that not re-cache them on any error).","commit_id":"4fdf0f8d63896a3fdd201cb849b5b509f0de54f2"},{"author":{"_account_id":10662,"name":"Gopi Krishna S","email":"saripurigopi@gmail.com","username":"saripurigopi"},"change_message_id":"4a9f78c65d016659f7ca025eca43b60745a2b390","unresolved":false,"context_lines":[{"line_number":72,"context_line":"#. Continue storing credentials in Ironic database;"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"#. Add option to ironic-conductor to store all keys in the database encrypted."},{"line_number":75,"context_line":"   The encryption key would need to be accessible by each ironic conductor."},{"line_number":76,"context_line":"   This ability can be added as one of the implementations of base credentials"},{"line_number":77,"context_line":"   provider."},{"line_number":78,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1a4dcd0f_eeb46b36","line":75,"updated":"2015-08-14 10:13:58.000000000","message":"Where is the encryption key stored? in the ironic.conf? If anyone gets access to this key, would be able to decrypt the passwords.","commit_id":"4fdf0f8d63896a3fdd201cb849b5b509f0de54f2"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"c261135d2bfae4d20740c6a928a72bbc1c45d7bb","unresolved":false,"context_lines":[{"line_number":72,"context_line":"#. 
Continue storing credentials in Ironic database;"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"#. Add option to ironic-conductor to store all keys in the database encrypted."},{"line_number":75,"context_line":"   The encryption key would need to be accessible by each ironic conductor."},{"line_number":76,"context_line":"   This ability can be added as one of the implementations of base credentials"},{"line_number":77,"context_line":"   provider."},{"line_number":78,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1a4dcd0f_9e9dd068","line":75,"in_reply_to":"1a4dcd0f_eeb46b36","updated":"2015-08-14 11:16:45.000000000","message":"admin username/password (or token) are already stored in config file (CONF.keystone_authtoken.admin_user and CONF.keystone_authtoken.admin_password).","commit_id":"4fdf0f8d63896a3fdd201cb849b5b509f0de54f2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"44608b8ff347f65f768ad2d1149d8c465c05a4b3","unresolved":false,"context_lines":[{"line_number":18,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Currently, Ironic stores unencrypted credentials of all nodes in its database,"},{"line_number":21,"context_line":"which is insecure, because if one gains access to database, he will also have"},{"line_number":22,"context_line":"access to all the baremetal nodes. 
Credentials should be encrypted or this task"},{"line_number":23,"context_line":"should be delegated to another service so that database operator/administrator"},{"line_number":24,"context_line":"is not able to read them, thus enhancing security."}],"source_content_type":"text/x-rst","patch_set":11,"id":"fa1b9901_d38e752d","line":21,"updated":"2015-08-25 23:44:35.000000000","message":"s/he/(s)he/\n\nwill make this match the pattern used throughout.","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":18,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Currently, Ironic stores unencrypted credentials of all nodes in its database,"},{"line_number":21,"context_line":"which is insecure, because if one gains access to database, he will also have"},{"line_number":22,"context_line":"access to all the baremetal nodes. Credentials should be encrypted or this task"},{"line_number":23,"context_line":"should be delegated to another service so that database operator/administrator"},{"line_number":24,"context_line":"is not able to read them, thus enhancing security."}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_2297bd91","line":21,"in_reply_to":"fa1b9901_d38e752d","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"44608b8ff347f65f768ad2d1149d8c465c05a4b3","unresolved":false,"context_lines":[{"line_number":47,"context_line":"looks like. 
It will use RSA public key encryption, with Ironic API having"},{"line_number":48,"context_line":"access to a public key to be able to encrypt credentials, and Ironic conductors"},{"line_number":49,"context_line":"having access to private key for decryption. Private key should be stored on"},{"line_number":50,"context_line":"some kind of share so that all Ironic conductors can access it."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"To allow changing credentials storage provider or keys, migration script will"},{"line_number":53,"context_line":"be implemented so that administrator won\u0027t have to update each node manually."}],"source_content_type":"text/x-rst","patch_set":11,"id":"fa1b9901_d3bc35bd","line":50,"updated":"2015-08-25 23:44:35.000000000","message":"I\u0027d maybe change this sentence to \"All Ironic Conductors will need access to the private key.\" as to not dictate a given solution (and I think most people would use config management for this anyway).","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":47,"context_line":"looks like. It will use RSA public key encryption, with Ironic API having"},{"line_number":48,"context_line":"access to a public key to be able to encrypt credentials, and Ironic conductors"},{"line_number":49,"context_line":"having access to private key for decryption. 
Private key should be stored on"},{"line_number":50,"context_line":"some kind of share so that all Ironic conductors can access it."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"To allow changing credentials storage provider or keys, migration script will"},{"line_number":53,"context_line":"be implemented so that administrator won\u0027t have to update each node manually."}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_627cd572","line":50,"in_reply_to":"fa1b9901_d3bc35bd","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"8cdc3e2ed1c1791f2883051c0cdacb96d2c5aafe","unresolved":false,"context_lines":[{"line_number":52,"context_line":"To allow changing credentials storage provider or keys, migration script will"},{"line_number":53,"context_line":"be implemented so that administrator won\u0027t have to update each node manually."},{"line_number":54,"context_line":"This script will allow loading credentials from currently configured storage to"},{"line_number":55,"context_line":"DB and uploading credentials from DB to newly configured storage."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Alternatives"},{"line_number":58,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_fd772d00","line":55,"updated":"2015-08-27 13:49:29.000000000","message":"and also encrypt/decrypt into DB","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":52,"context_line":"To allow changing credentials storage provider or keys, migration script 
will"},{"line_number":53,"context_line":"be implemented so that administrator won\u0027t have to update each node manually."},{"line_number":54,"context_line":"This script will allow loading credentials from currently configured storage to"},{"line_number":55,"context_line":"DB and uploading credentials from DB to newly configured storage."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Alternatives"},{"line_number":58,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_8281e94c","line":55,"in_reply_to":"da20952f_fd772d00","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"8cdc3e2ed1c1791f2883051c0cdacb96d2c5aafe","unresolved":false,"context_lines":[{"line_number":57,"context_line":"Alternatives"},{"line_number":58,"context_line":"------------"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"#. Continue storing credentials in Ironic database;"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"#. Store credentials in a separate storage. Identity API v3 can be used to"},{"line_number":63,"context_line":"   store credentials in Keystone."}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_fdaacd18","line":60,"updated":"2015-08-27 13:49:29.000000000","message":"..storing unencrypted credentials..","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":57,"context_line":"Alternatives"},{"line_number":58,"context_line":"------------"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"#. 
Continue storing credentials in Ironic database;"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"#. Store credentials in a separate storage. Identity API v3 can be used to"},{"line_number":63,"context_line":"   store credentials in Keystone."}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_e290e597","line":60,"in_reply_to":"da20952f_fdaacd18","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"8cdc3e2ed1c1791f2883051c0cdacb96d2c5aafe","unresolved":false,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"#. Continue storing credentials in Ironic database;"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"#. Store credentials in a separate storage. Identity API v3 can be used to"},{"line_number":63,"context_line":"   store credentials in Keystone."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Data model impact"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_f8be5bfe","line":62,"updated":"2015-08-27 13:49:29.000000000","message":"Not sure that it\u0027s an alternative, anyone can create a plugin.","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"#. Continue storing credentials in Ironic database;"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"#. Store credentials in a separate storage. 
Identity API v3 can be used to"},{"line_number":63,"context_line":"   store credentials in Keystone."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Data model impact"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_028e3978","line":62,"in_reply_to":"da20952f_f8be5bfe","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"8cdc3e2ed1c1791f2883051c0cdacb96d2c5aafe","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Because RSA is being used to encrypt credentials, length of values that are"},{"line_number":69,"context_line":"encrypted with it should be less than RSA key length (minimal allowed length"},{"line_number":70,"context_line":"is 768 bits) to ensure that data is secured properly."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"State Machine Impact"},{"line_number":73,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_b8c78311","line":70,"updated":"2015-08-27 13:49:29.000000000","message":"How about deal with values like \u0027ssh_key_contents\u0027? 
These values will be unencrypted, or user get an error, please describe.","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Because RSA is being used to encrypt credentials, length of values that are"},{"line_number":69,"context_line":"encrypted with it should be less than RSA key length (minimal allowed length"},{"line_number":70,"context_line":"is 768 bits) to ensure that data is secured properly."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"State Machine Impact"},{"line_number":73,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_a2e98d1c","line":70,"in_reply_to":"da20952f_b8c78311","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"44608b8ff347f65f768ad2d1149d8c465c05a4b3","unresolved":false,"context_lines":[{"line_number":77,"context_line":"REST API impact"},{"line_number":78,"context_line":"---------------"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"post, patch and delete node methods will be changed (although all request"},{"line_number":81,"context_line":"parameters will remain the same), as uploading, updating and deleting"},{"line_number":82,"context_line":"credentials will be performed in these methods, before credentials are saved to"},{"line_number":83,"context_line":"database."}],"source_content_type":"text/x-rst","patch_set":11,"id":"fa1b9901_13bf0dab","line":80,"updated":"2015-08-25 
23:44:35.000000000","message":"I\u0027d put POST, PATCH, and DELETE in call caps since they\u0027re HTTP methods.","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":77,"context_line":"REST API impact"},{"line_number":78,"context_line":"---------------"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"post, patch and delete node methods will be changed (although all request"},{"line_number":81,"context_line":"parameters will remain the same), as uploading, updating and deleting"},{"line_number":82,"context_line":"credentials will be performed in these methods, before credentials are saved to"},{"line_number":83,"context_line":"database."}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_c2ee0122","line":80,"in_reply_to":"fa1b9901_13bf0dab","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"44608b8ff347f65f768ad2d1149d8c465c05a4b3","unresolved":false,"context_lines":[{"line_number":92,"context_line":""},{"line_number":93,"context_line":"Client (CLI) impact"},{"line_number":94,"context_line":"-------------------"},{"line_number":95,"context_line":"None"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"RPC API impact"},{"line_number":98,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"fa1b9901_9300fd67","line":95,"updated":"2015-08-25 23:44:35.000000000","message":"There is an impact; the credentials will no longer be sent in plaintext when you look up an Ironic node via 
CLI.","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":92,"context_line":""},{"line_number":93,"context_line":"Client (CLI) impact"},{"line_number":94,"context_line":"-------------------"},{"line_number":95,"context_line":"None"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"RPC API impact"},{"line_number":98,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_82f809e7","line":95,"in_reply_to":"fa1b9901_9300fd67","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"44608b8ff347f65f768ad2d1149d8c465c05a4b3","unresolved":false,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"ironic-api and ironic-conductor should be upgraded together if operator wants"},{"line_number":101,"context_line":"to use this new functionality, as changes should be made to both API and"},{"line_number":102,"context_line":"drivers. If (s)he don\u0027t want to use it, they may be upgraded independently."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"For existing deployments, operators should use migration script to secure"},{"line_number":105,"context_line":"credentials using provider of their choice. 
Even if it is not used, credentials"}],"source_content_type":"text/x-rst","patch_set":11,"id":"fa1b9901_13edcdb6","line":102,"updated":"2015-08-25 23:44:35.000000000","message":"you can use \"they\" here as well if you\u0027d like.","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"ironic-api and ironic-conductor should be upgraded together if operator wants"},{"line_number":101,"context_line":"to use this new functionality, as changes should be made to both API and"},{"line_number":102,"context_line":"drivers. If (s)he don\u0027t want to use it, they may be upgraded independently."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"For existing deployments, operators should use migration script to secure"},{"line_number":105,"context_line":"credentials using provider of their choice. Even if it is not used, credentials"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_22dedd6d","line":102,"in_reply_to":"fa1b9901_13edcdb6","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"8cdc3e2ed1c1791f2883051c0cdacb96d2c5aafe","unresolved":false,"context_lines":[{"line_number":101,"context_line":"to use this new functionality, as changes should be made to both API and"},{"line_number":102,"context_line":"drivers. 
If (s)he don\u0027t want to use it, they may be upgraded independently."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"For existing deployments, operators should use migration script to secure"},{"line_number":105,"context_line":"credentials using provider of their choice. Even if it is not used, credentials"},{"line_number":106,"context_line":"will be uploaded to storage during node updates/creations if some provider is"},{"line_number":107,"context_line":"enabled."}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_6c412c0b","line":104,"updated":"2015-08-27 13:49:29.000000000","message":"Is downgrade supported by this script?","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":101,"context_line":"to use this new functionality, as changes should be made to both API and"},{"line_number":102,"context_line":"drivers. If (s)he don\u0027t want to use it, they may be upgraded independently."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"For existing deployments, operators should use migration script to secure"},{"line_number":105,"context_line":"credentials using provider of their choice. 
Even if it is not used, credentials"},{"line_number":106,"context_line":"will be uploaded to storage during node updates/creations if some provider is"},{"line_number":107,"context_line":"enabled."}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_62a5b502","line":104,"in_reply_to":"da20952f_6c412c0b","updated":"2015-08-27 14:28:59.000000000","message":"Yes, it is in last paragraph of \u0027proposed change\u0027.","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"8cdc3e2ed1c1791f2883051c0cdacb96d2c5aafe","unresolved":false,"context_lines":[{"line_number":110,"context_line":"-----------------"},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"All drivers can support this feature after slightly changing their BMC"},{"line_number":113,"context_line":"connection methods to allow fetching credentials from credentials storage."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"If they won\u0027t change that, they will still be able to use credentials stored in"},{"line_number":116,"context_line":"database, so third-party drivers can be updated independently from this change."}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_4ce54807","line":113,"updated":"2015-08-27 13:49:29.000000000","message":"And drivers should provide `credentials_fields` info.","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":110,"context_line":"-----------------"},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"All drivers can support this feature after slightly changing their BMC"},{"line_number":113,"context_line":"connection 
methods to allow fetching credentials from credentials storage."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"If they won\u0027t change that, they will still be able to use credentials stored in"},{"line_number":116,"context_line":"database, so third-party drivers can be updated independently from this change."}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_e2bea5fe","line":113,"in_reply_to":"da20952f_4ce54807","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"44608b8ff347f65f768ad2d1149d8c465c05a4b3","unresolved":false,"context_lines":[{"line_number":141,"context_line":"------------------"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"Credentials encryption at the API and decryption at the conductor will consume"},{"line_number":144,"context_line":"additional time, depending on RSA key length."},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"Other deployer impact"},{"line_number":147,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"fa1b9901_d318b5d5","line":144,"updated":"2015-08-25 23:44:35.000000000","message":"Will the decrypted version of the credentials be cached? I\u0027m just thinking for some operations, you need to hit IPMI several times, and it\u0027d be costly to decrypt the secret multiple times in a very short period. 
\n\n(Think after reboot for the agent driver; power off, raw bytes, change boot device, power on -- that\u0027s 5 times in short order)","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"753187ceac054c5c791248d5c77590173cea6ad9","unresolved":false,"context_lines":[{"line_number":141,"context_line":"------------------"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"Credentials encryption at the API and decryption at the conductor will consume"},{"line_number":144,"context_line":"additional time, depending on RSA key length."},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"Other deployer impact"},{"line_number":147,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_02bcf903","line":144,"in_reply_to":"da20952f_8c9e0055","updated":"2015-08-27 14:28:59.000000000","message":"Done","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"8cdc3e2ed1c1791f2883051c0cdacb96d2c5aafe","unresolved":false,"context_lines":[{"line_number":141,"context_line":"------------------"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"Credentials encryption at the API and decryption at the conductor will consume"},{"line_number":144,"context_line":"additional time, depending on RSA key length."},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"Other deployer impact"},{"line_number":147,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da20952f_8c9e0055","line":144,"in_reply_to":"fa1b9901_d318b5d5","updated":"2015-08-27 13:49:29.000000000","message":"+1 for 
cache","commit_id":"7d0785f43fbc1c213e88d17a2e4b951899469ab3"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0130f36f3be91db285f5054ed2936283bcdffedb","unresolved":false,"context_lines":[{"line_number":31,"context_line":"implementations should inherit from. Stevedore will load credentials storage"},{"line_number":32,"context_line":"module specified in Ironic configuration file using entrypoint in setup.cfg."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"If a driver has ``credentials_fields`` field, defined in driver properties, it"},{"line_number":35,"context_line":"will be used to determine which fields should be secured with credentials"},{"line_number":36,"context_line":"storage. If there is no such field, credentials will be stored as usual in"},{"line_number":37,"context_line":"Ironic database."}],"source_content_type":"text/x-rst","patch_set":12,"id":"3a29b11f_3963c743","line":34,"updated":"2015-10-22 19:46:10.000000000","message":"it is a list of field names for values that should be encrypted/secured, right?\n\nby \u0027driver properties\u0027, do you mean a node\u0027s driver_info?","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"f0c369a1ca2dd77421a1f86781c0e80c5a98cb78","unresolved":false,"context_lines":[{"line_number":31,"context_line":"implementations should inherit from. Stevedore will load credentials storage"},{"line_number":32,"context_line":"module specified in Ironic configuration file using entrypoint in setup.cfg."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"If a driver has ``credentials_fields`` field, defined in driver properties, it"},{"line_number":35,"context_line":"will be used to determine which fields should be secured with credentials"},{"line_number":36,"context_line":"storage. 
If there is no such field, credentials will be stored as usual in"},{"line_number":37,"context_line":"Ironic database."}],"source_content_type":"text/x-rst","patch_set":12,"id":"1a26ad4f_3d834a58","line":34,"in_reply_to":"3a29b11f_3963c743","updated":"2015-10-29 09:59:36.000000000","message":"Correct, it will be a list of field names from driver_info. By driver properties I mean this - https://github.com/openstack/ironic/blob/master/ironic/api/controllers/v1/driver.py#L38\n\nHere in the POC you can see how it looks - https://review.openstack.org/#/c/185074/6/ironic/drivers/modules/ssh.py","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0130f36f3be91db285f5054ed2936283bcdffedb","unresolved":false,"context_lines":[{"line_number":45,"context_line":"should be used."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"As part of this spec\u0027s implementation, credentials storage that encrypts"},{"line_number":48,"context_line":"credentials before saving them to DB will be added to demonstrate how the flow"},{"line_number":49,"context_line":"looks like. It will use RSA public key encryption, with Ironic API having"},{"line_number":50,"context_line":"access to a public key to be able to encrypt credentials, and Ironic conductors"},{"line_number":51,"context_line":"having access to private key for decryption. All Ironic conductors will need"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3a29b11f_243ddedc","line":48,"updated":"2015-10-22 19:46:10.000000000","message":"I am a bit confused here. Does the new credential storage plugin actually store the credentials elsewhere, or by DB here, do you mean that the encrypted credential is stored in ironic\u0027s DB, and the new plugin just does encrypt/decrypt of data that it is given? 
And/or both?","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"f0c369a1ca2dd77421a1f86781c0e80c5a98cb78","unresolved":false,"context_lines":[{"line_number":45,"context_line":"should be used."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"As part of this spec\u0027s implementation, credentials storage that encrypts"},{"line_number":48,"context_line":"credentials before saving them to DB will be added to demonstrate how the flow"},{"line_number":49,"context_line":"looks like. It will use RSA public key encryption, with Ironic API having"},{"line_number":50,"context_line":"access to a public key to be able to encrypt credentials, and Ironic conductors"},{"line_number":51,"context_line":"having access to private key for decryption. All Ironic conductors will need"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1a26ad4f_ddd9f684","line":48,"in_reply_to":"3a29b11f_243ddedc","updated":"2015-10-29 09:59:36.000000000","message":"Yup, I mean that \"the encrypted credential is stored in ironic\u0027s DB, and the new plugin just does encrypt/decrypt of data that it is given\" :).","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0130f36f3be91db285f5054ed2936283bcdffedb","unresolved":false,"context_lines":[{"line_number":49,"context_line":"looks like. It will use RSA public key encryption, with Ironic API having"},{"line_number":50,"context_line":"access to a public key to be able to encrypt credentials, and Ironic conductors"},{"line_number":51,"context_line":"having access to private key for decryption. All Ironic conductors will need"},{"line_number":52,"context_line":"access to the private key. 
For this provider, credentials will be cached in"},{"line_number":53,"context_line":"memory, so that when BMC is hit multiple times in a row decryption would not"},{"line_number":54,"context_line":"slow down the process, and cached values will be used instead."},{"line_number":55,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"3a29b11f_84e4f2ab","line":52,"updated":"2015-10-22 19:46:10.000000000","message":"decrypted credentials cached on conductor hosts, in memory?","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"f0c369a1ca2dd77421a1f86781c0e80c5a98cb78","unresolved":false,"context_lines":[{"line_number":49,"context_line":"looks like. It will use RSA public key encryption, with Ironic API having"},{"line_number":50,"context_line":"access to a public key to be able to encrypt credentials, and Ironic conductors"},{"line_number":51,"context_line":"having access to private key for decryption. All Ironic conductors will need"},{"line_number":52,"context_line":"access to the private key. 
For this provider, credentials will be cached in"},{"line_number":53,"context_line":"memory, so that when BMC is hit multiple times in a row decryption would not"},{"line_number":54,"context_line":"slow down the process, and cached values will be used instead."},{"line_number":55,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"1a26ad4f_fdcab2a0","line":52,"in_reply_to":"3a29b11f_84e4f2ab","updated":"2015-10-29 09:59:36.000000000","message":"Yes.","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0130f36f3be91db285f5054ed2936283bcdffedb","unresolved":false,"context_lines":[{"line_number":98,"context_line":"-------------------"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"Credentials will not be displayed as plain text while printing the node"},{"line_number":101,"context_line":"contents in CLI (if provider other than \u0027none\u0027 is used)."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"RPC API impact"},{"line_number":104,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3a29b11f_44081ada","line":101,"updated":"2015-10-22 19:46:10.000000000","message":"We already sanitize some fields in driver_info, but this new way would probably be more accurate/explicit.","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0130f36f3be91db285f5054ed2936283bcdffedb","unresolved":false,"context_lines":[{"line_number":110,"context_line":"For existing deployments, operators should use migration script to secure"},{"line_number":111,"context_line":"credentials using provider of their choice. 
Even if it is not used, credentials"},{"line_number":112,"context_line":"will be uploaded to storage during node updates/creations if some provider is"},{"line_number":113,"context_line":"enabled."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"Driver API impact"},{"line_number":116,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3a29b11f_44925a4d","line":113,"updated":"2015-10-22 19:46:10.000000000","message":"I don\u0027t understand this part. I thought it would only be done if the driver properties \u0027credentials_fields\u0027 was specified. When would that info get specified?","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"f0c369a1ca2dd77421a1f86781c0e80c5a98cb78","unresolved":false,"context_lines":[{"line_number":110,"context_line":"For existing deployments, operators should use migration script to secure"},{"line_number":111,"context_line":"credentials using provider of their choice. 
Even if it is not used, credentials"},{"line_number":112,"context_line":"will be uploaded to storage during node updates/creations if some provider is"},{"line_number":113,"context_line":"enabled."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"Driver API impact"},{"line_number":116,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1a26ad4f_fd41520c","line":113,"in_reply_to":"3a29b11f_44925a4d","updated":"2015-10-29 09:59:36.000000000","message":"Please see the answer above about driver properties.","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"0130f36f3be91db285f5054ed2936283bcdffedb","unresolved":false,"context_lines":[{"line_number":172,"context_line":"to enable using this new functionality."},{"line_number":173,"context_line":""},{"line_number":174,"context_line":"Developers will be able to add new plugins for other credentials storages, as"},{"line_number":175,"context_line":"stevedore will be loading them using entrypoints specified in setup.cfg."},{"line_number":176,"context_line":""},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3a29b11f_e42366bb","line":175,"updated":"2015-10-22 19:46:10.000000000","message":"If there is more than one plugin, how is the desired plugin specified? Is it per driver or the same plugin for all nodes+conductors?\n\nAnd what if someone changes the plugin to a different credentials storage. Is there some sort of migration from the first storage to the second storage? 
You mention it above at line 56 I think, but does it mean that there will be a period of time that ironic\u0027s DB will contain unencrypted credentials?","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"f0c369a1ca2dd77421a1f86781c0e80c5a98cb78","unresolved":false,"context_lines":[{"line_number":172,"context_line":"to enable using this new functionality."},{"line_number":173,"context_line":""},{"line_number":174,"context_line":"Developers will be able to add new plugins for other credentials storages, as"},{"line_number":175,"context_line":"stevedore will be loading them using entrypoints specified in setup.cfg."},{"line_number":176,"context_line":""},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1a26ad4f_5d1646a8","line":175,"in_reply_to":"3a29b11f_e42366bb","updated":"2015-10-29 09:59:36.000000000","message":"Yes, it should be the same for all conductors, otherwise it may cause troubles during takeover. There is a migration script, it is mentioned several times throughout the spec, and as currently implemented - yes, there is some amount of time when credentials are in DB unencrypted, I\u0027ll change this so that they can be migrated directly from one storage to another.","commit_id":"46b1ae1e6b11f1673e0dc1baeedb186d8e4795ae"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"1f9f56082a9dd114af7c345dc02e0fce51cf7837","unresolved":false,"context_lines":[{"line_number":35,"context_line":"will be used to determine which fields should be secured with credentials"},{"line_number":36,"context_line":"storage. 
It should contain a list of fields from driver_info to be secured."},{"line_number":37,"context_line":"If there is no such field, credentials will be stored as usual in Ironic"},{"line_number":38,"context_line":"database."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"If a driver has ``credentials_fields`` field, and prerequisites for using"},{"line_number":41,"context_line":"credentials storage provider are met, Ironic API will use it."}],"source_content_type":"text/x-rst","patch_set":13,"id":"9a8ffd7b_0d58d6f9","line":38,"updated":"2015-11-24 17:26:44.000000000","message":"Let\u0027s see if I understand. A node\u0027s driver_info can have one or more fields, F1, F2, .. A new field \u0027credentials_fields\u0027 in driver_info can be added. Its value is a list (comma-separated) of field names (excluding \u0027credentials_fields\u0027!).\n\nThe values of these special fields will be encrypted before being saved in ironic\u0027s DB and will only be decrypted when needed. And the conductor might cache the decrypted values.\n\nSo this is only dealing with credentials specified in node.driver_info. Which is fine but it isn\u0027t that clear in the spec.","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"a8f55718a0d96ccb41c84207162145e6c4708359","unresolved":false,"context_lines":[{"line_number":35,"context_line":"will be used to determine which fields should be secured with credentials"},{"line_number":36,"context_line":"storage. 
It should contain a list of fields from driver_info to be secured."},{"line_number":37,"context_line":"If there is no such field, credentials will be stored as usual in Ironic"},{"line_number":38,"context_line":"database."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"If a driver has ``credentials_fields`` field, and prerequisites for using"},{"line_number":41,"context_line":"credentials storage provider are met, Ironic API will use it."}],"source_content_type":"text/x-rst","patch_set":13,"id":"da6ed579_60f0dd91","line":38,"in_reply_to":"9a8ffd7b_0d58d6f9","updated":"2016-01-19 10:26:47.000000000","message":"It\u0027s all correct apart from credentials_fields - it is not stored in driver_info, it is a driver property defined here - https://github.com/openstack/ironic/blob/master/ironic/drivers/modules/ssh.py#L78-L88\n\nIt is different from other properties, as it contains field names list instead of description as the dict value, e.g.:\n\n OTHER_PROPERTIES \u003d {\n    ...\n    \u0027ssh_port\u0027: _(\"port on the node to connect to; default is 22. Optional.\"),\n    \u0027credentials_fields\u0027: [\u0027ssh_key_contents\u0027, \u0027ssh_password\u0027],\n }","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"1f9f56082a9dd114af7c345dc02e0fce51cf7837","unresolved":false,"context_lines":[{"line_number":45,"context_line":"implementation it should be decided whether in-memory caching of credentials on"},{"line_number":46,"context_line":"conductor should be used."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"As part of this spec\u0027s implementation, credentials storage that encrypts"},{"line_number":49,"context_line":"credentials before saving them to Ironic DB will be added to demonstrate how"},{"line_number":50,"context_line":"the flow looks like. 
It will use RSA public key encryption, with Ironic API"},{"line_number":51,"context_line":"having access to a public key to be able to encrypt credentials, and Ironic"}],"source_content_type":"text/x-rst","patch_set":13,"id":"9a8ffd7b_2dbb5a74","line":48,"updated":"2015-11-24 17:26:44.000000000","message":"\u0027credentials storage\u0027 confuses me. Is it a place where the credentials are actually stored? Because I thought the credentials were still being stored encrypted in ironic DB (as part of node\u0027s driver_info) but I may have misunderstood.","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"a8f55718a0d96ccb41c84207162145e6c4708359","unresolved":false,"context_lines":[{"line_number":45,"context_line":"implementation it should be decided whether in-memory caching of credentials on"},{"line_number":46,"context_line":"conductor should be used."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"As part of this spec\u0027s implementation, credentials storage that encrypts"},{"line_number":49,"context_line":"credentials before saving them to Ironic DB will be added to demonstrate how"},{"line_number":50,"context_line":"the flow looks like. 
It will use RSA public key encryption, with Ironic API"},{"line_number":51,"context_line":"having access to a public key to be able to encrypt credentials, and Ironic"}],"source_content_type":"text/x-rst","patch_set":13,"id":"da6ed579_00eb2179","line":48,"in_reply_to":"9a8ffd7b_2dbb5a74","updated":"2016-01-19 10:26:47.000000000","message":"Will change to credentials provider to be more clear.","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"1f9f56082a9dd114af7c345dc02e0fce51cf7837","unresolved":false,"context_lines":[{"line_number":50,"context_line":"the flow looks like. It will use RSA public key encryption, with Ironic API"},{"line_number":51,"context_line":"having access to a public key to be able to encrypt credentials, and Ironic"},{"line_number":52,"context_line":"conductors having access to private key for decryption. All Ironic conductors"},{"line_number":53,"context_line":"will need access to the private key. For this provider, credentials will be"},{"line_number":54,"context_line":"cached in conductors\u0027 memory, so that when BMC is hit multiple times in a row"},{"line_number":55,"context_line":"decryption would not slow down the process, and cached values will be used"},{"line_number":56,"context_line":"instead."}],"source_content_type":"text/x-rst","patch_set":13,"id":"9a8ffd7b_edceb259","line":53,"updated":"2015-11-24 17:26:44.000000000","message":"how are the API/conductors going to get access to the keys? Are you going to add new configs?","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"a8f55718a0d96ccb41c84207162145e6c4708359","unresolved":false,"context_lines":[{"line_number":50,"context_line":"the flow looks like. 
It will use RSA public key encryption, with Ironic API"},{"line_number":51,"context_line":"having access to a public key to be able to encrypt credentials, and Ironic"},{"line_number":52,"context_line":"conductors having access to private key for decryption. All Ironic conductors"},{"line_number":53,"context_line":"will need access to the private key. For this provider, credentials will be"},{"line_number":54,"context_line":"cached in conductors\u0027 memory, so that when BMC is hit multiple times in a row"},{"line_number":55,"context_line":"decryption would not slow down the process, and cached values will be used"},{"line_number":56,"context_line":"instead."}],"source_content_type":"text/x-rst","patch_set":13,"id":"da6ed579_00a2414b","line":53,"in_reply_to":"9a8ffd7b_edceb259","updated":"2016-01-19 10:26:47.000000000","message":"Correct, will add clarification.","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"1f9f56082a9dd114af7c345dc02e0fce51cf7837","unresolved":false,"context_lines":[{"line_number":60,"context_line":"This script will allow loading credentials from currently configured storage to"},{"line_number":61,"context_line":"another storage (including \u0027none\u0027 storage, which means storing them in DB as"},{"line_number":62,"context_line":"plain text)."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Alternatives"},{"line_number":65,"context_line":"------------"},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"9a8ffd7b_4dc7be12","line":63,"updated":"2015-11-24 17:26:44.000000000","message":"I\u0027d like more details about this. 
If the provider or keys change, will the API and/or conductor have to be shut down/restarted?","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"a8f55718a0d96ccb41c84207162145e6c4708359","unresolved":false,"context_lines":[{"line_number":60,"context_line":"This script will allow loading credentials from currently configured storage to"},{"line_number":61,"context_line":"another storage (including \u0027none\u0027 storage, which means storing them in DB as"},{"line_number":62,"context_line":"plain text)."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Alternatives"},{"line_number":65,"context_line":"------------"},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"da6ed579_5bc26c35","line":63,"in_reply_to":"9a8ffd7b_4dc7be12","updated":"2016-01-19 10:26:47.000000000","message":"If you want to change provider e.g. from keystone to db encryption or to change encryption key, yes, api should be restarted, conductors should be shut down to run credentials migration script and then started again. 
If you\u0027re changing from none provider it is not required, credentials will be updated when you do any node-update (but if you want to update all nodes at once shutdown is required too).\n\nThese operations are supposed to be done once in a long time, so I guess this is OK (private key should be changed only if someone gets direct access to it, as RSA PKCS-OAEP is considered secure nowadays).\n\nWill add clarification.","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":2889,"name":"Aeva Black","email":"aeva.online@gmail.com","username":"tenbrae"},"change_message_id":"346cf37e66c9cde68f5088edac20557f73c26bfc","unresolved":false,"context_lines":[{"line_number":87,"context_line":"parameters will remain the same), as uploading, updating and deleting"},{"line_number":88,"context_line":"credentials will be performed in these methods, before credentials are saved to"},{"line_number":89,"context_line":"database."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"The only additional error (in case of encrypting credentials) that may appear"},{"line_number":92,"context_line":"is inability to read public key. This should be handled as node updates and"},{"line_number":93,"context_line":"creations will fail because of that."}],"source_content_type":"text/x-rst","patch_set":13,"id":"9a8ffd7b_4004657d","line":90,"updated":"2015-11-24 17:37:10.000000000","message":"POST and PATCH methods will have to know which driver_info fields to encrypt -- but this is defined in the drivers. So the API services will need to query (over RPC) to get this list from the drivers. The result of this must be cached so that it doesn\u0027t delay every single write operation. There is already a precedent for this in the driver vendor passthru API method. 
Nonetheless, the spec didn\u0027t mention it, so I\u0027m pointing it out.","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"a8f55718a0d96ccb41c84207162145e6c4708359","unresolved":false,"context_lines":[{"line_number":87,"context_line":"parameters will remain the same), as uploading, updating and deleting"},{"line_number":88,"context_line":"credentials will be performed in these methods, before credentials are saved to"},{"line_number":89,"context_line":"database."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"The only additional error (in case of encrypting credentials) that may appear"},{"line_number":92,"context_line":"is inability to read public key. This should be handled as node updates and"},{"line_number":93,"context_line":"creations will fail because of that."}],"source_content_type":"text/x-rst","patch_set":13,"id":"da6ed579_80ecf1f3","line":90,"in_reply_to":"9a8ffd7b_4004657d","updated":"2016-01-19 10:26:47.000000000","message":"Done","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":2889,"name":"Aeva Black","email":"aeva.online@gmail.com","username":"tenbrae"},"change_message_id":"346cf37e66c9cde68f5088edac20557f73c26bfc","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":"RPC API impact"},{"line_number":106,"context_line":"--------------"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"ironic-api and ironic-conductor should be upgraded together if operator wants"},{"line_number":109,"context_line":"to use this new functionality, as changes should be made to both API and"},{"line_number":110,"context_line":"drivers. 
If they don\u0027t want to use it, they may be upgraded independently."}],"source_content_type":"text/x-rst","patch_set":13,"id":"9a8ffd7b_60096995","line":107,"updated":"2015-11-24 17:37:10.000000000","message":"RPC API is impacted as I have noted above.","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"a8f55718a0d96ccb41c84207162145e6c4708359","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":"RPC API impact"},{"line_number":106,"context_line":"--------------"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"ironic-api and ironic-conductor should be upgraded together if operator wants"},{"line_number":109,"context_line":"to use this new functionality, as changes should be made to both API and"},{"line_number":110,"context_line":"drivers. If they don\u0027t want to use it, they may be upgraded independently."}],"source_content_type":"text/x-rst","patch_set":13,"id":"da6ed579_60ef7de9","line":107,"in_reply_to":"9a8ffd7b_60096995","updated":"2016-01-19 10:26:47.000000000","message":"Done","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":2889,"name":"Aeva Black","email":"aeva.online@gmail.com","username":"tenbrae"},"change_message_id":"346cf37e66c9cde68f5088edac20557f73c26bfc","unresolved":false,"context_lines":[{"line_number":217,"context_line":"Testing"},{"line_number":218,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"It can be tested in gate as a separate scenario."},{"line_number":221,"context_line":""},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Upgrades and Backwards Compatibility"}],"source_content_type":"text/x-rst","patch_set":13,"id":"9a8ffd7b_00fe5d6b","line":220,"updated":"2015-11-24 
17:37:10.000000000","message":"I don\u0027t think this needs a separate scenario test. That would duplicate all the other tests from the dsvm* job unnecessarily.","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":2889,"name":"Aeva Black","email":"aeva.online@gmail.com","username":"tenbrae"},"change_message_id":"346cf37e66c9cde68f5088edac20557f73c26bfc","unresolved":false,"context_lines":[{"line_number":217,"context_line":"Testing"},{"line_number":218,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"It can be tested in gate as a separate scenario."},{"line_number":221,"context_line":""},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Upgrades and Backwards Compatibility"}],"source_content_type":"text/x-rst","patch_set":13,"id":"9a8ffd7b_20036175","line":220,"updated":"2015-11-24 17:37:10.000000000","message":"I think functional tests should be added instead. There\u0027s a lot we can do there, eg:\n* confirm that encryption and decryption methods work when both keys are present\n* confirm that writing works when only the pub key is present\n* confirm that reasonable errors are raised when the priv key is absent (or invalid) and a service tries to decrypt the password\n* confirm that both the \u0027none\u0027 and \u0027db\u0027 provider load\n* confirm that the \u0027db\u0027 provider handles both short and long inputs\n* confirm that the API service does not return an unencrypted password if the \u0027db\u0027 provider is used\n* .... 
and you can probably think of more :)","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"a8f55718a0d96ccb41c84207162145e6c4708359","unresolved":false,"context_lines":[{"line_number":217,"context_line":"Testing"},{"line_number":218,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"It can be tested in gate as a separate scenario."},{"line_number":221,"context_line":""},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Upgrades and Backwards Compatibility"}],"source_content_type":"text/x-rst","patch_set":13,"id":"da6ed579_e5b37f98","line":220,"in_reply_to":"9a8ffd7b_20036175","updated":"2016-01-19 10:26:47.000000000","message":"Makes sense, done.","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":2889,"name":"Aeva Black","email":"aeva.online@gmail.com","username":"tenbrae"},"change_message_id":"346cf37e66c9cde68f5088edac20557f73c26bfc","unresolved":false,"context_lines":[{"line_number":224,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"This change is backwards compatible as it allows storing credentials inside"},{"line_number":227,"context_line":"database."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"Documentation Impact"}],"source_content_type":"text/x-rst","patch_set":13,"id":"9a8ffd7b_c0f8557f","line":227,"updated":"2015-11-24 17:37:10.000000000","message":"If an operator turns on the global option to use a credential store, how will drivers that do not implement support for 
this feature be handled? Will ironic refuse to run those drivers, log a warning, or what?\n\nWhen introducing the new option, will we default it to ON or OFF? If the default is OFF, how do we plan to enable-it-by-default in the future? (We should be secure by default ....)","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"a8f55718a0d96ccb41c84207162145e6c4708359","unresolved":false,"context_lines":[{"line_number":224,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"This change is backwards compatible as it allows storing credentials inside"},{"line_number":227,"context_line":"database."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"Documentation Impact"}],"source_content_type":"text/x-rst","patch_set":13,"id":"da6ed579_c0e66914","line":227,"in_reply_to":"9a8ffd7b_c0f8557f","updated":"2016-01-19 10:26:47.000000000","message":"For drivers that do not implement this, they don\u0027t have credentials_fields specified, and credentials will be returned from db as-is. I guess it\u0027s better to start with warning so that people have time to update. 
As for using encryption provider by default or not, I guess it should be turned on when all in-tree drivers are updated to make use of it, wdyt?","commit_id":"617f5187ef34559b9cb6d47791b9ecc78cfeff0d"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"2fa8687c33f8f1b50cc3465fc1fdf5bd0d42ce89","unresolved":false,"context_lines":[{"line_number":32,"context_line":"module specified in Ironic configuration file using entrypoint in"},{"line_number":33,"context_line":"``setup.cfg``."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"If a driver has ``credentials_fields`` field, defined in driver properties, it"},{"line_number":36,"context_line":"will be used to determine which fields should be secured with credentials"},{"line_number":37,"context_line":"storage. It should contain a list of fields from ``driver_info`` to be secured."},{"line_number":38,"context_line":"If there is no such field, credentials will be stored as usual in Ironic"}],"source_content_type":"text/x-rst","patch_set":15,"id":"7af24918_f30af6d0","line":35,"updated":"2016-03-04 09:14:45.000000000","message":"Please provide an example of driver properties with ``credentials_fields``","commit_id":"7e7e3f921317a1371926e2c16a146c710e8a331e"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"1e5c5ab8091f7ab0cfd4619c8749f1705ca2c9f9","unresolved":false,"context_lines":[{"line_number":32,"context_line":"module specified in Ironic configuration file using entrypoint in"},{"line_number":33,"context_line":"``setup.cfg``."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"If a driver has ``credentials_fields`` field, defined in driver properties, it"},{"line_number":36,"context_line":"will be used to determine which fields should be secured with credentials"},{"line_number":37,"context_line":"storage. 
It should contain a list of fields from ``driver_info`` to be secured."},{"line_number":38,"context_line":"If there is no such field, credentials will be stored as usual in Ironic"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5aef4532_29a5e803","line":35,"in_reply_to":"7af24918_f30af6d0","updated":"2016-03-07 10:50:14.000000000","message":"Done","commit_id":"7e7e3f921317a1371926e2c16a146c710e8a331e"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"2fa8687c33f8f1b50cc3465fc1fdf5bd0d42ce89","unresolved":false,"context_lines":[{"line_number":51,"context_line":"the flow looks like. It will use RSA public key encryption, with Ironic API"},{"line_number":52,"context_line":"having access to a public key to be able to encrypt credentials, and Ironic"},{"line_number":53,"context_line":"conductors having access to private key for decryption. All Ironic conductors"},{"line_number":54,"context_line":"will need access to the private key, path to it will be set in the"},{"line_number":55,"context_line":"configuration file. For this provider, credentials will be cached in"},{"line_number":56,"context_line":"conductors\u0027 memory, so that when BMC is hit multiple times in a row decryption"},{"line_number":57,"context_line":"would not slow down the process, and cached values will be used instead."}],"source_content_type":"text/x-rst","patch_set":15,"id":"7af24918_33b61ef9","line":54,"updated":"2016-03-04 09:14:45.000000000","message":"Please mention this config option in \"Other deployer impact\" section.","commit_id":"7e7e3f921317a1371926e2c16a146c710e8a331e"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"1e5c5ab8091f7ab0cfd4619c8749f1705ca2c9f9","unresolved":false,"context_lines":[{"line_number":51,"context_line":"the flow looks like. 
It will use RSA public key encryption, with Ironic API"},{"line_number":52,"context_line":"having access to a public key to be able to encrypt credentials, and Ironic"},{"line_number":53,"context_line":"conductors having access to private key for decryption. All Ironic conductors"},{"line_number":54,"context_line":"will need access to the private key, path to it will be set in the"},{"line_number":55,"context_line":"configuration file. For this provider, credentials will be cached in"},{"line_number":56,"context_line":"conductors\u0027 memory, so that when BMC is hit multiple times in a row decryption"},{"line_number":57,"context_line":"would not slow down the process, and cached values will be used instead."}],"source_content_type":"text/x-rst","patch_set":15,"id":"5aef4532_290fa8e2","line":54,"in_reply_to":"7af24918_33b61ef9","updated":"2016-03-07 10:50:14.000000000","message":"Done","commit_id":"7e7e3f921317a1371926e2c16a146c710e8a331e"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"2fa8687c33f8f1b50cc3465fc1fdf5bd0d42ce89","unresolved":false,"context_lines":[{"line_number":59,"context_line":"To allow changing credentials storage provider or keys, migration script will"},{"line_number":60,"context_line":"be implemented so that administrator won\u0027t have to update each node manually."},{"line_number":61,"context_line":"This script will allow loading credentials from currently configured storage to"},{"line_number":62,"context_line":"another storage (including ``none`` storage, which means storing them in DB as"},{"line_number":63,"context_line":"plain text). 
For further information, see `Other deployer impact`_."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":15,"id":"7af24918_1392024c","line":62,"updated":"2016-03-04 09:14:45.000000000","message":"Looks like separate ``none`` storage provider is not needed, because it doubles previous behavior.","commit_id":"7e7e3f921317a1371926e2c16a146c710e8a331e"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"1e5c5ab8091f7ab0cfd4619c8749f1705ca2c9f9","unresolved":false,"context_lines":[{"line_number":59,"context_line":"To allow changing credentials storage provider or keys, migration script will"},{"line_number":60,"context_line":"be implemented so that administrator won\u0027t have to update each node manually."},{"line_number":61,"context_line":"This script will allow loading credentials from currently configured storage to"},{"line_number":62,"context_line":"another storage (including ``none`` storage, which means storing them in DB as"},{"line_number":63,"context_line":"plain text). 
For further information, see `Other deployer impact`_."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5aef4532_a94bb858","line":62,"in_reply_to":"7af24918_1392024c","updated":"2016-03-07 10:50:14.000000000","message":"This is the reason why it\u0027s needed - to preserve current behaviour :) It should be there at least for some time while people switch to using the new provider.","commit_id":"7e7e3f921317a1371926e2c16a146c710e8a331e"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"2fa8687c33f8f1b50cc3465fc1fdf5bd0d42ce89","unresolved":false,"context_lines":[{"line_number":66,"context_line":"------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Continue storing plain text credentials in Ironic database."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Data model impact"},{"line_number":71,"context_line":"-----------------"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"7af24918_b3d50ee6","line":69,"updated":"2016-03-04 09:14:45.000000000","message":"Use solutions like https://www.mysql.com/products/enterprise/encryption.html","commit_id":"7e7e3f921317a1371926e2c16a146c710e8a331e"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"1e5c5ab8091f7ab0cfd4619c8749f1705ca2c9f9","unresolved":false,"context_lines":[{"line_number":66,"context_line":"------------"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Continue storing plain text credentials in Ironic database."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Data model 
impact"},{"line_number":71,"context_line":"-----------------"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"5aef4532_7c9cd069","line":69,"in_reply_to":"7af24918_b3d50ee6","updated":"2016-03-07 10:50:14.000000000","message":"Done","commit_id":"7e7e3f921317a1371926e2c16a146c710e8a331e"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"2fa8687c33f8f1b50cc3465fc1fdf5bd0d42ce89","unresolved":false,"context_lines":[{"line_number":70,"context_line":"Data model impact"},{"line_number":71,"context_line":"-----------------"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"Because RSA is being used to encrypt credentials, length of values that are"},{"line_number":74,"context_line":"encrypted with it should be less than RSA key length (minimal allowed length"},{"line_number":75,"context_line":"is 768 bits) to ensure that data is secured properly. 
If credential size is"},{"line_number":76,"context_line":"large (for example ``ssh_key_contents`` for SSH drivers), RSA key of bigger"}],"source_content_type":"text/x-rst","patch_set":15,"id":"7af24918_53592a8d","line":73,"updated":"2016-03-04 09:14:45.000000000","message":"This is true only for your \"demo-provider\".","commit_id":"7e7e3f921317a1371926e2c16a146c710e8a331e"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"1e5c5ab8091f7ab0cfd4619c8749f1705ca2c9f9","unresolved":false,"context_lines":[{"line_number":70,"context_line":"Data model impact"},{"line_number":71,"context_line":"-----------------"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"Because RSA is being used to encrypt credentials, length of values that are"},{"line_number":74,"context_line":"encrypted with it should be less than RSA key length (minimal allowed length"},{"line_number":75,"context_line":"is 768 bits) to ensure that data is secured properly. If credential size is"},{"line_number":76,"context_line":"large (for example ``ssh_key_contents`` for SSH drivers), RSA key of bigger"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5aef4532_496f9492","line":73,"in_reply_to":"7af24918_53592a8d","updated":"2016-03-07 10:50:14.000000000","message":"Done","commit_id":"7e7e3f921317a1371926e2c16a146c710e8a331e"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1a0e3f71957ff6b221064d570dfd2f7ce959beae","unresolved":false,"context_lines":[{"line_number":56,"context_line":""},{"line_number":57,"context_line":"As part of this spec\u0027s implementation, credentials provider that encrypts"},{"line_number":58,"context_line":"credentials before saving them to Ironic DB will be added to demonstrate how"},{"line_number":59,"context_line":"the flow looks like. 
It will use RSA public key encryption, with Ironic API"},{"line_number":60,"context_line":"having access to a public key to be able to encrypt credentials, and Ironic"},{"line_number":61,"context_line":"conductors having access to private key for decryption. All Ironic conductors"},{"line_number":62,"context_line":"will need access to the private key, path to it will be set in the"}],"source_content_type":"text/x-rst","patch_set":16,"id":"1a122d0e_439c6069","line":59,"range":{"start_line":59,"start_character":21,"end_line":59,"end_character":58},"updated":"2016-04-22 12:17:59.000000000","message":"For operational rule compliance with some organizations, I suspect it might be far better for the type of cryptography to be user selectable.","commit_id":"35dcbb790a5365aab046831c08cd533368ef9a8d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"9faa50f802b34788c4906a0b355ef650b48880d6","unresolved":false,"context_lines":[{"line_number":56,"context_line":""},{"line_number":57,"context_line":"As part of this spec\u0027s implementation, credentials provider that encrypts"},{"line_number":58,"context_line":"credentials before saving them to Ironic DB will be added to demonstrate how"},{"line_number":59,"context_line":"the flow looks like. It will use RSA public key encryption, with Ironic API"},{"line_number":60,"context_line":"having access to a public key to be able to encrypt credentials, and Ironic"},{"line_number":61,"context_line":"conductors having access to private key for decryption. 
All Ironic conductors"},{"line_number":62,"context_line":"will need access to the private key, path to it will be set in the"}],"source_content_type":"text/x-rst","patch_set":16,"id":"7aa08908_a7a30db1","line":59,"range":{"start_line":59,"start_character":21,"end_line":59,"end_character":58},"in_reply_to":"1a122d0e_439c6069","updated":"2016-06-14 12:33:42.000000000","message":"Agree, will change to \u0027any public key encryption methods supported by pycrypto\u0027","commit_id":"35dcbb790a5365aab046831c08cd533368ef9a8d"},{"author":{"_account_id":11076,"name":"Shivanand Tendulker","email":"stendulker@gmail.com","username":"stendulker"},"change_message_id":"32b8f1e4f414016edfc0c04f582c10febe1f090b","unresolved":false,"context_lines":[{"line_number":58,"context_line":"credentials before saving them to Ironic DB will be added to demonstrate how"},{"line_number":59,"context_line":"the flow looks like. It will use RSA public key encryption, with Ironic API"},{"line_number":60,"context_line":"having access to a public key to be able to encrypt credentials, and Ironic"},{"line_number":61,"context_line":"conductors having access to private key for decryption. All Ironic conductors"},{"line_number":62,"context_line":"will need access to the private key, path to it will be set in the"},{"line_number":63,"context_line":"configuration file. 
For this provider, credentials will be cached in"},{"line_number":64,"context_line":"conductors\u0027 memory, so that when BMC is hit multiple times in a row decryption"},{"line_number":65,"context_line":"would not slow down the process, and cached values will be used instead."}],"source_content_type":"text/x-rst","patch_set":16,"id":"bab6814e_408093c0","line":61,"updated":"2016-05-20 06:23:13.000000000","message":"Having public and private key on the systems is a big security risk.\nWon\u0027t it be more useful if one were to encrypt the credentials using private key and pass the credential data as a json blob to the API service, which saves it to the database?\nConductor can use the public key for decryption for the fields that are being marked as \u0027credentials_fields\u0027. \n\nSince the changing of BM credentials needs active involvement from user, having an additional step to encrypt the credentials before invoking Ironic API should not be an issue. WDYT?","commit_id":"35dcbb790a5365aab046831c08cd533368ef9a8d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"9faa50f802b34788c4906a0b355ef650b48880d6","unresolved":false,"context_lines":[{"line_number":58,"context_line":"credentials before saving them to Ironic DB will be added to demonstrate how"},{"line_number":59,"context_line":"the flow looks like. It will use RSA public key encryption, with Ironic API"},{"line_number":60,"context_line":"having access to a public key to be able to encrypt credentials, and Ironic"},{"line_number":61,"context_line":"conductors having access to private key for decryption. All Ironic conductors"},{"line_number":62,"context_line":"will need access to the private key, path to it will be set in the"},{"line_number":63,"context_line":"configuration file. 
For this provider, credentials will be cached in"},{"line_number":64,"context_line":"conductors\u0027 memory, so that when BMC is hit multiple times in a row decryption"}],"source_content_type":"text/x-rst","patch_set":16,"id":"7aa08908_c759f9fe","line":61,"in_reply_to":"bab6814e_408093c0","updated":"2016-06-14 12:33:42.000000000","message":"Well, you\u0027re describing it backwards :) private key is what is used for decryption, that\u0027s why conductor has to store it, as it will have to decrypt them to eg do check of power state.\n\nAs for your suggestion to encrypt credentials before calling the API, I\u0027m not sure, should it be done in client? Everyone should be encrypting the credentials with the same key, so that conductor is able to decrypt, with encryption happening in the API it is easier to enforce.","commit_id":"35dcbb790a5365aab046831c08cd533368ef9a8d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1a0e3f71957ff6b221064d570dfd2f7ce959beae","unresolved":false,"context_lines":[{"line_number":64,"context_line":"conductors\u0027 memory, so that when BMC is hit multiple times in a row decryption"},{"line_number":65,"context_line":"would not slow down the process, and cached values will be used instead."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"To allow changing credentials storage provider or keys, migration script will"},{"line_number":68,"context_line":"be implemented so that administrator won\u0027t have to update each node manually."},{"line_number":69,"context_line":"This script will allow loading credentials from currently configured storage to"},{"line_number":70,"context_line":"another storage (including ``none`` storage, which means storing them in DB 
as"}],"source_content_type":"text/x-rst","patch_set":16,"id":"1a122d0e_a30454c6","line":67,"range":{"start_line":67,"start_character":56,"end_line":67,"end_character":72},"updated":"2016-04-22 12:17:59.000000000","message":"I kind of have an adverse reaction to migration scripts.  It would seem that by default an operator should be able to update the code, continue to run as they were, and then choose to enable encrypted credentials at which point the conductors should make the appropriate record changes as necessary.","commit_id":"35dcbb790a5365aab046831c08cd533368ef9a8d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"9faa50f802b34788c4906a0b355ef650b48880d6","unresolved":false,"context_lines":[{"line_number":64,"context_line":"conductors\u0027 memory, so that when BMC is hit multiple times in a row decryption"},{"line_number":65,"context_line":"would not slow down the process, and cached values will be used instead."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"To allow changing credentials storage provider or keys, migration script will"},{"line_number":68,"context_line":"be implemented so that administrator won\u0027t have to update each node manually."},{"line_number":69,"context_line":"This script will allow loading credentials from currently configured storage to"},{"line_number":70,"context_line":"another storage (including ``none`` storage, which means storing them in DB as"}],"source_content_type":"text/x-rst","patch_set":16,"id":"7aa08908_c4fbb4bf","line":67,"range":{"start_line":67,"start_character":56,"end_line":67,"end_character":72},"in_reply_to":"1a122d0e_a30454c6","updated":"2016-06-14 12:33:42.000000000","message":"I did mention this possibility in RPC API impact section, will move it here for more visibility.","commit_id":"35dcbb790a5365aab046831c08cd533368ef9a8d"},{"author":{"_account_id":11076,"name":"Shivanand 
Tendulker","email":"stendulker@gmail.com","username":"stendulker"},"change_message_id":"32b8f1e4f414016edfc0c04f582c10febe1f090b","unresolved":false,"context_lines":[{"line_number":188,"context_line":"conductors. ``credentials_provider`` should be the same across all conductors."},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"To use credentials encryption, private RSA key should be shared across all the"},{"line_number":191,"context_line":"conductors. There will be new config option ``private_key_path`` added that"},{"line_number":192,"context_line":"will conatin the path to private RSA key. Also note that PKCS-OAEP scheme is"},{"line_number":193,"context_line":"used for encryption/decryption, which is considered to be secure, hence there"},{"line_number":194,"context_line":"is no need to rotate keys over time, unless the attacker has the actual key."}],"source_content_type":"text/x-rst","patch_set":16,"id":"bab6814e_20a90f25","line":191,"updated":"2016-05-20 06:23:13.000000000","message":"Probably we need to validate  checksum of the key to ensure that the public key is not being compromised to ensure one do not have denial of service attack.","commit_id":"35dcbb790a5365aab046831c08cd533368ef9a8d"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"9faa50f802b34788c4906a0b355ef650b48880d6","unresolved":false,"context_lines":[{"line_number":188,"context_line":"conductors. ``credentials_provider`` should be the same across all conductors."},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"To use credentials encryption, private RSA key should be shared across all the"},{"line_number":191,"context_line":"conductors. There will be new config option ``private_key_path`` added that"},{"line_number":192,"context_line":"will conatin the path to private RSA key. 
Also note that PKCS-OAEP scheme is"},{"line_number":193,"context_line":"used for encryption/decryption, which is considered to be secure, hence there"},{"line_number":194,"context_line":"is no need to rotate keys over time, unless the attacker has the actual key."}],"source_content_type":"text/x-rst","patch_set":16,"id":"7aa08908_a7f66ad4","line":191,"in_reply_to":"bab6814e_20a90f25","updated":"2016-06-14 12:33:42.000000000","message":"Not sure if it is related to DoS (correct public key may also cause DoS :)), but adding a checksum might make sense, e.g. in case when public key is stored on some not-so-well-secured public server.","commit_id":"35dcbb790a5365aab046831c08cd533368ef9a8d"}],"specs/liberty/pluggable-credential-storage.rst":[{"author":{"_account_id":5805,"name":"Chris Krelle","email":"nobodycam@gmail.com","username":"nobodycam"},"change_message_id":"182635adaceb7a2062b8f0ff326aa27706b22f27","unresolved":false,"context_lines":[{"line_number":30,"context_line":"implementations should inherit from. Stevedore will load credentials storage"},{"line_number":31,"context_line":"module specified in Ironic configuration file using entrypoint in setup.cfg."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"If a driver has \u0027credentials_fields\u0027 field, defined in driver properties, it"},{"line_number":34,"context_line":"will be used to determine which fields should be uploaded to credentials"},{"line_number":35,"context_line":"storage. If there is no such field, credentials will be stored as usual in"},{"line_number":36,"context_line":"Ironic database."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_d96c6e0a","line":33,"updated":"2015-05-27 20:14:15.000000000","message":"with the \"credentials_provider\" option noted in the Other deployer impact section is the credentials_fields needed. 
I would think just setting the credentials_provider would be enough to enable the use of a backend storage system","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"df55d2f3469c45c974fe7b1136547598bcc1701f","unresolved":false,"context_lines":[{"line_number":30,"context_line":"implementations should inherit from. Stevedore will load credentials storage"},{"line_number":31,"context_line":"module specified in Ironic configuration file using entrypoint in setup.cfg."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"If a driver has \u0027credentials_fields\u0027 field, defined in driver properties, it"},{"line_number":34,"context_line":"will be used to determine which fields should be uploaded to credentials"},{"line_number":35,"context_line":"storage. If there is no such field, credentials will be stored as usual in"},{"line_number":36,"context_line":"Ironic database."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_55310fec","line":33,"in_reply_to":"7a016987_d96c6e0a","updated":"2015-05-29 16:26:57.000000000","message":"This field in driver properties says which fields are going to be uploaded to storage. The reason behind this is that different drivers have different fields for credentials, e.g. 
ssh drivers have ssh_username, ssh_password, ssh_key_contents, ssh_key_filename, ipmi have ipmi_username, ipmi_password, etc.\n\nThe other way would be to introduce some convention and change all credentials fields names for all drivers, but I think doing it this way is better.","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":5805,"name":"Chris Krelle","email":"nobodycam@gmail.com","username":"nobodycam"},"change_message_id":"182635adaceb7a2062b8f0ff326aa27706b22f27","unresolved":false,"context_lines":[{"line_number":38,"context_line":"If a driver has \u0027credentials_fields\u0027 field, and prerequisites for using"},{"line_number":39,"context_line":"credentials storage provider are met, credentials will be uploaded to the"},{"line_number":40,"context_line":"storage in API, before saving them to database. Credentials fields that are set"},{"line_number":41,"context_line":"in HTTP request will be changed to some value (like \u0027***\u0027) and saved to"},{"line_number":42,"context_line":"database to indicate that they were set, so that driver validation would not"},{"line_number":43,"context_line":"have to be changed. A link to credentials that were saved in storage will be"},{"line_number":44,"context_line":"written to driver_internal_info/credentials_id so that it won\u0027t be possible to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_bce9a0b9","line":41,"updated":"2015-05-27 20:14:15.000000000","message":"I think the asterisks here are causing the Jenkins error: you may need to escape some characters. 
see http://blog.yjl.im/2012/02/restructuredtext-inline-markup-on.html as reference.","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"df55d2f3469c45c974fe7b1136547598bcc1701f","unresolved":false,"context_lines":[{"line_number":38,"context_line":"If a driver has \u0027credentials_fields\u0027 field, and prerequisites for using"},{"line_number":39,"context_line":"credentials storage provider are met, credentials will be uploaded to the"},{"line_number":40,"context_line":"storage in API, before saving them to database. Credentials fields that are set"},{"line_number":41,"context_line":"in HTTP request will be changed to some value (like \u0027***\u0027) and saved to"},{"line_number":42,"context_line":"database to indicate that they were set, so that driver validation would not"},{"line_number":43,"context_line":"have to be changed. A link to credentials that were saved in storage will be"},{"line_number":44,"context_line":"written to driver_internal_info/credentials_id so that it won\u0027t be possible to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_9597878f","line":41,"in_reply_to":"7a016987_bce9a0b9","updated":"2015-05-29 16:26:57.000000000","message":"Thanks, done.","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":5805,"name":"Chris Krelle","email":"nobodycam@gmail.com","username":"nobodycam"},"change_message_id":"182635adaceb7a2062b8f0ff326aa27706b22f27","unresolved":false,"context_lines":[{"line_number":47,"context_line":"Whenever driver needs credentials (e.g. 
to power node on/off, set boot device),"},{"line_number":48,"context_line":"they will be downloaded from credentials storage if"},{"line_number":49,"context_line":"driver_internal_info/credentials_id is specified, if not, they will be read"},{"line_number":50,"context_line":"from database."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"As part of this spec\u0027s implementation, Keystone\u0027s credentials storage will be"},{"line_number":53,"context_line":"added to demonstrate how the flow looks like. To use this storage, Keystone"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_b922d2a1","line":50,"updated":"2015-05-27 20:14:15.000000000","message":"Would it be worth caching the credentials in driver_internal_info so they don\u0027t need to be read each time?","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"df55d2f3469c45c974fe7b1136547598bcc1701f","unresolved":false,"context_lines":[{"line_number":47,"context_line":"Whenever driver needs credentials (e.g. to power node on/off, set boot device),"},{"line_number":48,"context_line":"they will be downloaded from credentials storage if"},{"line_number":49,"context_line":"driver_internal_info/credentials_id is specified, if not, they will be read"},{"line_number":50,"context_line":"from database."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"As part of this spec\u0027s implementation, Keystone\u0027s credentials storage will be"},{"line_number":53,"context_line":"added to demonstrate how the flow looks like. 
To use this storage, Keystone"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_b5f4c3f0","line":50,"in_reply_to":"7a016987_b922d2a1","updated":"2015-05-29 16:26:57.000000000","message":"Caching the credentials in driver_internal_info would mean that they will still be stored in DB, added in-memory caching instead.","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":5805,"name":"Chris Krelle","email":"nobodycam@gmail.com","username":"nobodycam"},"change_message_id":"182635adaceb7a2062b8f0ff326aa27706b22f27","unresolved":false,"context_lines":[{"line_number":76,"context_line":"parameters will remain the same), as uploading, updating and deleting"},{"line_number":77,"context_line":"credentials will be performed in these methods, before credentials are saved to"},{"line_number":78,"context_line":"database. This implies reaching credentials storage in these methods to do such"},{"line_number":79,"context_line":"actions."},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"All HTTP response codes for them will remain the same, as there seems to be"},{"line_number":82,"context_line":"only one case when new errors may appear - when there is no credentials data"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_1ce9d41a","line":79,"updated":"2015-05-27 20:14:15.000000000","message":"This will introduce an external synchronous dependency when adding, updating, or deleting a node.","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"df55d2f3469c45c974fe7b1136547598bcc1701f","unresolved":false,"context_lines":[{"line_number":76,"context_line":"parameters will remain the same), as uploading, updating and deleting"},{"line_number":77,"context_line":"credentials will be performed in these methods, before credentials are saved 
to"},{"line_number":78,"context_line":"database. This implies reaching credentials storage in these methods to do such"},{"line_number":79,"context_line":"actions."},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"All HTTP response codes for them will remain the same, as there seems to be"},{"line_number":82,"context_line":"only one case when new errors may appear - when there is no credentials data"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_2bbe32ae","line":79,"in_reply_to":"7a016987_1ce9d41a","updated":"2015-05-29 16:26:57.000000000","message":"Done","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":5805,"name":"Chris Krelle","email":"nobodycam@gmail.com","username":"nobodycam"},"change_message_id":"182635adaceb7a2062b8f0ff326aa27706b22f27","unresolved":false,"context_lines":[{"line_number":81,"context_line":"All HTTP response codes for them will remain the same, as there seems to be"},{"line_number":82,"context_line":"only one case when new errors may appear - when there is no credentials data"},{"line_number":83,"context_line":"specified in the request and credentials should be created or updated, but it"},{"line_number":84,"context_line":"is easily solvable in API."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"API microversion may need to be incremented."},{"line_number":87,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_9cc4a492","line":84,"updated":"2015-05-27 20:14:15.000000000","message":"I believe there are new error cases that will need to be handled here. 
see above comment.","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"df55d2f3469c45c974fe7b1136547598bcc1701f","unresolved":false,"context_lines":[{"line_number":81,"context_line":"All HTTP response codes for them will remain the same, as there seems to be"},{"line_number":82,"context_line":"only one case when new errors may appear - when there is no credentials data"},{"line_number":83,"context_line":"specified in the request and credentials should be created or updated, but it"},{"line_number":84,"context_line":"is easily solvable in API."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"API microversion may need to be incremented."},{"line_number":87,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_ebe25ad4","line":84,"in_reply_to":"7a016987_9cc4a492","updated":"2015-05-29 16:26:57.000000000","message":"Done","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":5805,"name":"Chris Krelle","email":"nobodycam@gmail.com","username":"nobodycam"},"change_message_id":"182635adaceb7a2062b8f0ff326aa27706b22f27","unresolved":false,"context_lines":[{"line_number":108,"context_line":"-----------------"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"All drivers can support this feature after slightly changing their power and"},{"line_number":111,"context_line":"management interfaces to allow fetching credentials from credentials storage"},{"line_number":112,"context_line":"before connecting to BMC. 
If they won\u0027t do that, they will still be able to"},{"line_number":113,"context_line":"use credentials stored in database, so third-party drivers can be updated"},{"line_number":114,"context_line":"independently from this change"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_dcb33c09","line":111,"updated":"2015-05-27 20:14:15.000000000","message":"can you describe the interface changes.","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"df55d2f3469c45c974fe7b1136547598bcc1701f","unresolved":false,"context_lines":[{"line_number":108,"context_line":"-----------------"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"All drivers can support this feature after slightly changing their power and"},{"line_number":111,"context_line":"management interfaces to allow fetching credentials from credentials storage"},{"line_number":112,"context_line":"before connecting to BMC. If they won\u0027t do that, they will still be able to"},{"line_number":113,"context_line":"use credentials stored in database, so third-party drivers can be updated"},{"line_number":114,"context_line":"independently from this change"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_152dd745","line":111,"in_reply_to":"7a016987_dcb33c09","updated":"2015-05-29 16:26:57.000000000","message":"The wording is wrong here, interface does not change, you just need to get credentials from e.g. 
keystone before connecting to bmc, something like:\n\n if credentials_id:\n     provider \u003d credentials_factory.CredentialsFactory().provider\n     credentials \u003d provider.get(credentials_id)\n     password \u003d credentials[\u0027password\u0027]","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":5805,"name":"Chris Krelle","email":"nobodycam@gmail.com","username":"nobodycam"},"change_message_id":"182635adaceb7a2062b8f0ff326aa27706b22f27","unresolved":false,"context_lines":[{"line_number":143,"context_line":""},{"line_number":144,"context_line":"Credentials storage will be reached every time Ironic needs to perform some"},{"line_number":145,"context_line":"power or management action. This may lead to significant load on it if many"},{"line_number":146,"context_line":"nodes are being created/updated/deployed at the same time."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Other deployer impact"},{"line_number":149,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_b9a1b248","line":146,"updated":"2015-05-27 20:14:15.000000000","message":"could we cache the values in driver_internal_info?","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"df55d2f3469c45c974fe7b1136547598bcc1701f","unresolved":false,"context_lines":[{"line_number":143,"context_line":""},{"line_number":144,"context_line":"Credentials storage will be reached every time Ironic needs to perform some"},{"line_number":145,"context_line":"power or management action. 
This may lead to significant load on it if many"},{"line_number":146,"context_line":"nodes are being created/updated/deployed at the same time."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Other deployer impact"},{"line_number":149,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_751e4b0d","line":146,"in_reply_to":"7a016987_b9a1b248","updated":"2015-05-29 16:26:57.000000000","message":"ditto as above.","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":5805,"name":"Chris Krelle","email":"nobodycam@gmail.com","username":"nobodycam"},"change_message_id":"182635adaceb7a2062b8f0ff326aa27706b22f27","unresolved":false,"context_lines":[{"line_number":190,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":"Related to blueprint:"},{"line_number":193,"context_line":"https://blueprints.launchpad.net/ironic/+spec/credential-secure-storage"},{"line_number":194,"context_line":""},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"Testing"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_f9c96a26","line":193,"updated":"2015-05-27 20:14:15.000000000","message":"we should note the external credential storage system dependency, like Keystone V3 api.","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"df55d2f3469c45c974fe7b1136547598bcc1701f","unresolved":false,"context_lines":[{"line_number":190,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":"Related to 
blueprint:"},{"line_number":193,"context_line":"https://blueprints.launchpad.net/ironic/+spec/credential-secure-storage"},{"line_number":194,"context_line":""},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"Testing"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_753d2b2a","line":193,"in_reply_to":"7a016987_f9c96a26","updated":"2015-05-29 16:26:57.000000000","message":"Done","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":5805,"name":"Chris Krelle","email":"nobodycam@gmail.com","username":"nobodycam"},"change_message_id":"182635adaceb7a2062b8f0ff326aa27706b22f27","unresolved":false,"context_lines":[{"line_number":216,"context_line":"References"},{"line_number":217,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"None"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_d9a46e09","line":219,"updated":"2015-05-27 20:14:15.000000000","message":"it might be worth adding a reference to the review with the code.\nhttps://review.openstack.org/#/c/185074","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"df55d2f3469c45c974fe7b1136547598bcc1701f","unresolved":false,"context_lines":[{"line_number":216,"context_line":"References"},{"line_number":217,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"None"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7a016987_d5d97f57","line":219,"in_reply_to":"7a016987_d9a46e09","updated":"2015-05-29 16:26:57.000000000","message":"Done","commit_id":"b1418766a328cbc7e19954214b389970429b37ed"},{"author":{"_account_id":10239,"name":"Dmitry 
Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"64b3a470d781e541ce137b087a38182249dd1891","unresolved":false,"context_lines":[{"line_number":20,"context_line":"Currently, Ironic stores credentials of all nodes in its database, which is"},{"line_number":21,"context_line":"insecure, because if one gains access to database, he will also have access to"},{"line_number":22,"context_line":"all the baremetal nodes. This task should be delegated to a service that can"},{"line_number":23,"context_line":"handle this task more securely."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5afe65bd_9b127508","line":23,"updated":"2015-06-03 08:27:40.000000000","message":"Hmm. So instead of database safety we rely on configuration file safety? does it mean e.g. that admin user will be able to read credentials from Keystone? Could you elaborate why it is safer?","commit_id":"e6b6c9d7d88f11a0b98f3ef6f59c5873145edbb4"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"f24e855cce597536583de3d41cc86d754def4a18","unresolved":false,"context_lines":[{"line_number":20,"context_line":"Currently, Ironic stores credentials of all nodes in its database, which is"},{"line_number":21,"context_line":"insecure, because if one gains access to database, he will also have access to"},{"line_number":22,"context_line":"all the baremetal nodes. 
This task should be delegated to a service that can"},{"line_number":23,"context_line":"handle this task more securely."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5afe65bd_444adac6","line":23,"in_reply_to":"5afe65bd_9b127508","updated":"2015-06-03 10:06:11.000000000","message":"Currently if you have access to configuration file and get admin token you can see credentials already. If they are stored in keystone, DB operator (or someone who has access there) won\u0027t be able to see them.\n\nMaybe in keystone access to credentials may be restricted to only ironic user, I\u0027ll look into it and update the spec.","commit_id":"e6b6c9d7d88f11a0b98f3ef6f59c5873145edbb4"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"2a7d2753f9aa8b797a23570bf915951f44896f5e","unresolved":false,"context_lines":[{"line_number":39,"context_line":"If a driver has \u0027credentials_fields\u0027 field, and prerequisites for using"},{"line_number":40,"context_line":"credentials storage provider are met, credentials will be uploaded to the"},{"line_number":41,"context_line":"storage in API, without saving them to database. Credentials fields that are"},{"line_number":42,"context_line":"set in HTTP request will be changed to some value (like \u0027\\***\u0027) and saved to"},{"line_number":43,"context_line":"database to indicate that they were set, so that driver validation would not"},{"line_number":44,"context_line":"have to be changed. A link to credentials that were saved in storage will be"},{"line_number":45,"context_line":"written to driver_internal_info/credentials_id. 
Also, node UUID will be saved"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3afb71cf_1722bfb9","line":42,"updated":"2015-06-08 18:03:11.000000000","message":"As for your suggestion about writing driver name instead of stars, it can be easily done, but I\u0027m not sure about it as you can see driver name in driver field already, maybe write something like \u0027Stored to %(credentials_provider)s\u0027?","commit_id":"67bdfce62ce7b30569baa69a28e75d1dcab6dc4e"},{"author":{"_account_id":13295,"name":"Mario Villaplana","email":"mario.villaplana@gmail.com","username":"mariojv"},"change_message_id":"1cc7e2e52da22688f59e711f529e49cefd0bb721","unresolved":false,"context_lines":[{"line_number":39,"context_line":"If a driver has \u0027credentials_fields\u0027 field, and prerequisites for using"},{"line_number":40,"context_line":"credentials storage provider are met, credentials will be uploaded to the"},{"line_number":41,"context_line":"storage in API, without saving them to database. Credentials fields that are"},{"line_number":42,"context_line":"set in HTTP request will be changed to some value (like \u0027\\***\u0027) and saved to"},{"line_number":43,"context_line":"database to indicate that they were set, so that driver validation would not"},{"line_number":44,"context_line":"have to be changed. A link to credentials that were saved in storage will be"},{"line_number":45,"context_line":"written to driver_internal_info/credentials_id. Also, node UUID will be saved"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3afb71cf_217b00f7","line":42,"in_reply_to":"3afb71cf_1722bfb9","updated":"2015-06-09 19:00:27.000000000","message":"I actually think that writing the driver name would be a bad idea in a case in which the default credential for a driver would be the driver name. \\*** might be fine, or a value of something like SENTINAL_VAL. Doesn\u0027t really matter what it is as long as the meaning is obvious and it\u0027s not used for anything else. 
Maybe a null value, but that won\u0027t work if any drivers use a null database value to indicate that there\u0027s no password.","commit_id":"67bdfce62ce7b30569baa69a28e75d1dcab6dc4e"},{"author":{"_account_id":13295,"name":"Mario Villaplana","email":"mario.villaplana@gmail.com","username":"mariojv"},"change_message_id":"1cc7e2e52da22688f59e711f529e49cefd0bb721","unresolved":false,"context_lines":[{"line_number":47,"context_line":"nodes\u0027 credentials."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"Whenever driver needs credentials (e.g. to power node on/off, set boot device),"},{"line_number":50,"context_line":"they will be read from in-memory cache, or, if not present there, will be"},{"line_number":51,"context_line":"downloaded from credentials storage if driver_internal_info/credentials_id is"},{"line_number":52,"context_line":"specified, if not, they will be read from database. If node UUID that is saved"},{"line_number":53,"context_line":"in storage with credentials is not equal to UUID of a node they\u0027re used for,"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3afb71cf_01f5a455","line":50,"updated":"2015-06-09 19:00:27.000000000","message":"Why should we cache these credentials? Isn\u0027t it just as insecure to use a cache, since the database administrator might be able to get access to the cache just as easily as they can get access to the database?\n\nI suppose that this is OK as long as the database and node are on different machines, but maybe we should specify a bit more about the cache. For example, when does the cache expire, how we manually expire the cache so that we can rotate keys, etc. 
In any case this isn\u0027t too problematic, since we will still store *some* secret on the node which can probably be used to access other secrets.","commit_id":"67bdfce62ce7b30569baa69a28e75d1dcab6dc4e"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"0ed136217a739b81dcdcadf1c78fd01a82b5997a","unresolved":false,"context_lines":[{"line_number":47,"context_line":"nodes\u0027 credentials."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"Whenever driver needs credentials (e.g. to power node on/off, set boot device),"},{"line_number":50,"context_line":"they will be read from in-memory cache, or, if not present there, will be"},{"line_number":51,"context_line":"downloaded from credentials storage if driver_internal_info/credentials_id is"},{"line_number":52,"context_line":"specified, if not, they will be read from database. If node UUID that is saved"},{"line_number":53,"context_line":"in storage with credentials is not equal to UUID of a node they\u0027re used for,"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3afb71cf_286298d8","line":50,"in_reply_to":"3afb71cf_01f5a455","updated":"2015-06-10 15:52:30.000000000","message":"I don\u0027t think that db admin should be able to dump memory of api process to read the cache anyway.\n\nAs for the cache expiration, at the moment there is no expiration, it\u0027s just a dictionary and credentials are deleted from cache only when node is deleted. 
Maybe if there will be a need for it, dogpile.cache lib can be used, allowing different cache backends.","commit_id":"67bdfce62ce7b30569baa69a28e75d1dcab6dc4e"},{"author":{"_account_id":7005,"name":"Mark Silence","email":"madasi@gmail.com","username":"madasi"},"change_message_id":"48638423aa15ac85222bc470c32d853a0395ddf6","unresolved":false,"context_lines":[{"line_number":87,"context_line":"* Credentials were deleted from credentials storage, but node that is referring"},{"line_number":88,"context_line":"  to them still exists, this will cause NotFound exception (404);"},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"* KeystoneFailure (500) if Keystone API endpoint is missing in Ironic"},{"line_number":91,"context_line":"  configuration file, or if Identity API v3 is not enabled, or if cannot"},{"line_number":92,"context_line":"  authorize Keystone API client;"},{"line_number":93,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3afb71cf_9f6ecbff","line":90,"updated":"2015-06-08 17:24:01.000000000","message":"I\u0027d really like to see a different (ideally more specific) error code than a 500 here to differentiate problems talking to keystone from problems authenticating when we can talk to it. 
I may just be picky about this though.","commit_id":"67bdfce62ce7b30569baa69a28e75d1dcab6dc4e"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"0ed136217a739b81dcdcadf1c78fd01a82b5997a","unresolved":false,"context_lines":[{"line_number":87,"context_line":"* Credentials were deleted from credentials storage, but node that is referring"},{"line_number":88,"context_line":"  to them still exists, this will cause NotFound exception (404);"},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"* KeystoneFailure (500) if Keystone API endpoint is missing in Ironic"},{"line_number":91,"context_line":"  configuration file, or if Identity API v3 is not enabled, or if cannot"},{"line_number":92,"context_line":"  authorize Keystone API client;"},{"line_number":93,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3afb71cf_c8cd4432","line":90,"in_reply_to":"3afb71cf_77d213d4","updated":"2015-06-10 15:52:30.000000000","message":"So it seems that KeystoneUnauthorized should be updated to have code 401.","commit_id":"67bdfce62ce7b30569baa69a28e75d1dcab6dc4e"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"2a7d2753f9aa8b797a23570bf915951f44896f5e","unresolved":false,"context_lines":[{"line_number":87,"context_line":"* Credentials were deleted from credentials storage, but node that is referring"},{"line_number":88,"context_line":"  to them still exists, this will cause NotFound exception (404);"},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"* KeystoneFailure (500) if Keystone API endpoint is missing in Ironic"},{"line_number":91,"context_line":"  configuration file, or if Identity API v3 is not enabled, or if cannot"},{"line_number":92,"context_line":"  authorize Keystone API 
client;"},{"line_number":93,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3afb71cf_77d213d4","line":90,"in_reply_to":"3afb71cf_9f6ecbff","updated":"2015-06-08 18:03:11.000000000","message":"OK, I will update codes for ironic exceptions.","commit_id":"67bdfce62ce7b30569baa69a28e75d1dcab6dc4e"},{"author":{"_account_id":13295,"name":"Mario Villaplana","email":"mario.villaplana@gmail.com","username":"mariojv"},"change_message_id":"1cc7e2e52da22688f59e711f529e49cefd0bb721","unresolved":false,"context_lines":[{"line_number":149,"context_line":"------------------"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"This change adds additional network traffic because of calls to credentials"},{"line_number":152,"context_line":"storage to fetch, update or delete credentials."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Performance Impact"},{"line_number":155,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3afb71cf_41a5dc44","line":152,"updated":"2015-06-09 19:00:27.000000000","message":"Also makes the scalability of Ironic only as scalable as its credential provider.","commit_id":"67bdfce62ce7b30569baa69a28e75d1dcab6dc4e"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"2a9c26e8ee914577c1673838c0e91fe470c8f88c","unresolved":false,"context_lines":[{"line_number":23,"context_line":"that database operator/administrator won\u0027t be able to read/modify them, thus"},{"line_number":24,"context_line":"enhancing security."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Also some credentials (e.g. for RabbitMQ) are stored in config file as plain"},{"line_number":27,"context_line":"text, so if they are compromised administrator will have to update them on all"},{"line_number":28,"context_line":"conductors. 
Instead, it can be allowed to be specify those as references to"},{"line_number":29,"context_line":"some credential storage, thus allowing to update them once in storage for all"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3afb71cf_88b39e97","line":26,"updated":"2015-06-11 12:49:29.000000000","message":"I removed config files mentions, as I don\u0027t understand at the moment how to accomplish that, as these values are used not by Ironic but other services (in case of rabbit, by oslo_messaging), so it seems to me this should be done in those other services.","commit_id":"77028a137b275cf0758769850f241b613b89ec1c"},{"author":{"_account_id":13295,"name":"Mario Villaplana","email":"mario.villaplana@gmail.com","username":"mariojv"},"change_message_id":"2500c0feccf2ec8754cd5476c74f2c9b7dc849c1","unresolved":false,"context_lines":[{"line_number":53,"context_line":"nodes\u0027 credentials."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Whenever driver needs credentials (e.g. to power node on/off, set boot device),"},{"line_number":56,"context_line":"they will be read from in-memory cache, or, if not present there, will be"},{"line_number":57,"context_line":"downloaded from credentials storage if driver_internal_info/credentials_id is"},{"line_number":58,"context_line":"specified, if not, they will be read from database. If node UUID that is saved"},{"line_number":59,"context_line":"in storage with credentials is not equal to UUID of a node they\u0027re used for,"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3afb71cf_09110d04","line":56,"updated":"2015-06-10 22:10:43.000000000","message":"Saw your earlier comment about DB admins not getting access to the node and I agree that they won\u0027t be able to access this cache. I was thinking about an environment in which the DB admins also operate other Ironic nodes. 
In any case, if a user can log into the node, they can retrieve the credentials even if they\u0027re not cached by using something like Keystone credentials stored on the node, so that\u0027s a non-issue.\n\nWhat about rotating keys, though? If a key is changed, we can\u0027t replace it in a running node. There\u0027s no way to clear the cache specified here.\n\nIs the cache specified on a per-driver basis, or is this actually present in the key manager?\n\nI\u0027m fine with it being cached for a particular driver, but if there are other types of credentials that we\u0027d want to allow rotation or revocation of, we want a way to not cache or at least clear the cache so that we can change the key. In other words, is it possible to use the key manager in a situation where we don\u0027t want a cache?","commit_id":"77028a137b275cf0758769850f241b613b89ec1c"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"2a9c26e8ee914577c1673838c0e91fe470c8f88c","unresolved":false,"context_lines":[{"line_number":53,"context_line":"nodes\u0027 credentials."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Whenever driver needs credentials (e.g. to power node on/off, set boot device),"},{"line_number":56,"context_line":"they will be read from in-memory cache, or, if not present there, will be"},{"line_number":57,"context_line":"downloaded from credentials storage if driver_internal_info/credentials_id is"},{"line_number":58,"context_line":"specified, if not, they will be read from database. 
If node UUID that is saved"},{"line_number":59,"context_line":"in storage with credentials is not equal to UUID of a node they\u0027re used for,"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3afb71cf_28482ab2","line":56,"in_reply_to":"3afb71cf_09110d04","updated":"2015-06-11 12:49:29.000000000","message":"If the secrets rotation is needed, I added possibility to specify link to it in driver_info/credentials_id which is not going to be cached, as these credentials may change any moment. We could try old ones from cache and, if not successful, try to redownload them, but at the moment there is no generic way for drivers to report that authorization failed, and fetching them on any error seems to be bad.","commit_id":"77028a137b275cf0758769850f241b613b89ec1c"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"43a8e60e11c48680848bbb6757f52a4006603137","unresolved":false,"context_lines":[{"line_number":236,"context_line":""},{"line_number":237,"context_line":"Upgrades and Backwards Compatibility"},{"line_number":238,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"This change is backwards compatible as it allows storing credentials inside"},{"line_number":241,"context_line":"database."},{"line_number":242,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"1af86dd1_f56c160a","line":239,"updated":"2015-06-12 08:32:40.000000000","message":"1) Upgrade script is needed for credentials which are already stored in the db. Otherwise user should redefine credentials for all nodes. 
2) What should we do if user wants to disable this option (provider -\u003e none)?","commit_id":"c4fba72bfee679e3f4598ed784b1044a3dc2caa3"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"7e4e415bcbeb7b9c334aa47b49a8f39847b2d9ff","unresolved":false,"context_lines":[{"line_number":236,"context_line":""},{"line_number":237,"context_line":"Upgrades and Backwards Compatibility"},{"line_number":238,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"This change is backwards compatible as it allows storing credentials inside"},{"line_number":241,"context_line":"database."},{"line_number":242,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"fa32b979_20cce2b9","line":239,"in_reply_to":"1af86dd1_a773064d","updated":"2015-06-18 17:21:44.000000000","message":"I think there is also a case when credentials should be moved from one storage to another, so added this to Proposed change section (as it seems that Upgrades section is about upgrading only the actual code).","commit_id":"c4fba72bfee679e3f4598ed784b1044a3dc2caa3"},{"author":{"_account_id":13295,"name":"Mario Villaplana","email":"mario.villaplana@gmail.com","username":"mariojv"},"change_message_id":"d8db5f8e6ec359937538ab4a041d0c7728c6394c","unresolved":false,"context_lines":[{"line_number":236,"context_line":""},{"line_number":237,"context_line":"Upgrades and Backwards 
Compatibility"},{"line_number":238,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"This change is backwards compatible as it allows storing credentials inside"},{"line_number":241,"context_line":"database."},{"line_number":242,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"1af86dd1_a773064d","line":239,"in_reply_to":"1af86dd1_f56c160a","updated":"2015-06-12 15:32:36.000000000","message":"I think the process for using this feature can be covered in the documentation. \n\nIf the credentials_provider info is \"none\" in the config, which is the default value as described under \"other deployer impact\", then Ironic defaults to using the credentials stored in the DB. So 2 is already covered in the spec.\n\nAs for 1), an upgrade script would be nice for automating updating credentials, but it\u0027s not strictly necessary for backwards compatibility given that default behavior is to use credentials already stored in the DB.","commit_id":"c4fba72bfee679e3f4598ed784b1044a3dc2caa3"},{"author":{"_account_id":2889,"name":"Aeva Black","email":"aeva.online@gmail.com","username":"tenbrae"},"change_message_id":"99a3d7b034a134820acd9d5d64c9340ac1bb8013","unresolved":false,"context_lines":[{"line_number":43,"context_line":"Also, node UUID will be saved in credentials to prevent someone who has direct"},{"line_number":44,"context_line":"access to database to swap nodes\u0027 credentials."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"To enable easier rotation of credentials across multiple nodes, it will be also"},{"line_number":47,"context_line":"allowed to specify `credentials_id` in `driver_info` manually, so that multiple"},{"line_number":48,"context_line":"nodes can 
share the same credentials and they can be updated once in"},{"line_number":49,"context_line":"credentials storage, affecting all nodes at once. Because Ironic does not"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_d484d2d3","line":46,"updated":"2015-06-18 20:58:16.000000000","message":"this paragraph seems to directly contradict the previous sentence.\n\nIf node UUID is saved in credential storage \"to prevent .. swapping nodes\u0027 credentials\", how can I share credentials across multiple nodes???","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"5e6e2dac0bdedd37cbcd1ac2d1ee00bb62b89e70","unresolved":false,"context_lines":[{"line_number":43,"context_line":"Also, node UUID will be saved in credentials to prevent someone who has direct"},{"line_number":44,"context_line":"access to database to swap nodes\u0027 credentials."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"To enable easier rotation of credentials across multiple nodes, it will be also"},{"line_number":47,"context_line":"allowed to specify `credentials_id` in `driver_info` manually, so that multiple"},{"line_number":48,"context_line":"nodes can share the same credentials and they can be updated once in"},{"line_number":49,"context_line":"credentials storage, affecting all nodes at once. Because Ironic does not"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_1cba4dc1","line":46,"in_reply_to":"fa32b979_d484d2d3","updated":"2015-06-19 11:33:27.000000000","message":"There are two possibilities:\n\n* to include credentials_id created manually in driver_info. 
Then it is not required\n  to have node_uuid in these credentials and may be used across multiple nodes,\n  so that can make updating credentials across nodes easier;\n\n* to write actual credentials in driver_info, then they will be uploaded to storage\n  along with node_uuid and their id will be saved to driver_internal_info.\n\nIf first case is not common then I can delete it, wdyt?","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":7711,"name":"Yuriy Zveryanskyy","email":"yzveryanskyy@mirantis.com","username":"yuriyz"},"change_message_id":"225756a4f3d42c6ecb5422f658a0fa8e6461fd67","unresolved":false,"context_lines":[{"line_number":45,"context_line":""},{"line_number":46,"context_line":"To enable easier rotation of credentials across multiple nodes, it will be also"},{"line_number":47,"context_line":"allowed to specify `credentials_id` in `driver_info` manually, so that multiple"},{"line_number":48,"context_line":"nodes can share the same credentials and they can be updated once in"},{"line_number":49,"context_line":"credentials storage, affecting all nodes at once. 
Because Ironic does not"},{"line_number":50,"context_line":"manage these credentials, they should not be cached as they can be changed by"},{"line_number":51,"context_line":"administrator any time."}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_70d8ae1e","line":48,"updated":"2015-06-24 12:03:41.000000000","message":"Not sure that it\u0027s a good feature, 1) Ironic does not have a feature like \"options for a group of nodes\" 2) These credentials can not be cached in an efficient way.","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":2889,"name":"Aeva Black","email":"aeva.online@gmail.com","username":"tenbrae"},"change_message_id":"99a3d7b034a134820acd9d5d64c9340ac1bb8013","unresolved":false,"context_lines":[{"line_number":73,"context_line":"Alternatives"},{"line_number":74,"context_line":"------------"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Continue storing credentials in Ironic database."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Data model impact"},{"line_number":79,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_7470660b","line":76,"updated":"2015-06-18 20:58:16.000000000","message":"Another alternative: add option to ironic-conductor to store all keys in the database encrypted. The encryption key would need to be accessible by each ironic-conductor (though a public key could be exposed elsewhere, to allow clients to encrypt credentials before uploading them). In this way, the credentials would be encrypted at rest, and someone with DB access (or access to a copy of the DB data) would not be able to read the credentials. 
Such an approach does not require an external service to store the credentials, however, and therefore has several benefits over the approach proposed here: it follows standard encrypt-at-rest approach, does not increase deployment complexity by requiring add\u0027l services and add\u0027l data stores, and does not decrease conductor performance by requiring every BMC access to make an extra REST API call to fetch credentials from external service.","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"5e6e2dac0bdedd37cbcd1ac2d1ee00bb62b89e70","unresolved":false,"context_lines":[{"line_number":73,"context_line":"Alternatives"},{"line_number":74,"context_line":"------------"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Continue storing credentials in Ironic database."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Data model impact"},{"line_number":79,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_e9d486be","line":76,"in_reply_to":"fa32b979_7470660b","updated":"2015-06-19 11:33:27.000000000","message":"Hmm, it is a good alternative, but it seems that this can be implemented as a class inherited from credentials storage base class.\n\nIn case of using ironic with openstack, keystone is already present, so there is no additional installation/configuration of external services. Also, external service may have some additional functionality, e.g. 
keystone allows different backends for credentials storage.","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":2889,"name":"Aeva Black","email":"aeva.online@gmail.com","username":"tenbrae"},"change_message_id":"99a3d7b034a134820acd9d5d64c9340ac1bb8013","unresolved":false,"context_lines":[{"line_number":135,"context_line":""},{"line_number":136,"context_line":"All drivers can support this feature after slightly changing:"},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"* their BMC connection methods to allow fetching credentials from cache or"},{"line_number":139,"context_line":"  credentials storage before connecting to BMC;"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"* when `driver_info/credentials_id` is specified it can not be determined which"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_946baa1d","line":138,"updated":"2015-06-18 20:58:16.000000000","message":"Drivers do not fetch data from database or other source -- the ConductorManager passes a Task object to the driver, which contains one or more complete Node objects. This Node object must continue to contain the required authentication information, and ideally, it should contain it in exactly the same way it does today -- on driver-specific keys in the node.driver_info dict.\n\nThis change does not require any change in the driver code to use it. 
The ConductorManager should transparently handle both retrieving and updating the Node object to include the credentials, if necessary.","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"5e6e2dac0bdedd37cbcd1ac2d1ee00bb62b89e70","unresolved":false,"context_lines":[{"line_number":135,"context_line":""},{"line_number":136,"context_line":"All drivers can support this feature after slightly changing:"},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"* their BMC connection methods to allow fetching credentials from cache or"},{"line_number":139,"context_line":"  credentials storage before connecting to BMC;"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"* when `driver_info/credentials_id` is specified it can not be determined which"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_493332f7","line":138,"in_reply_to":"fa32b979_946baa1d","updated":"2015-06-19 11:33:27.000000000","message":"But then, if driver does node.save they will appear in DB? Seems that power and management should not do this, but e.g. AMT management does it for set_boot_device.","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":2889,"name":"Aeva Black","email":"aeva.online@gmail.com","username":"tenbrae"},"change_message_id":"99a3d7b034a134820acd9d5d64c9340ac1bb8013","unresolved":false,"context_lines":[{"line_number":171,"context_line":""},{"line_number":172,"context_line":"If credentials storage is used, additional network traffic appears because of"},{"line_number":173,"context_line":"calls to credentials storage to fetch, update or delete credentials. 
Also in"},{"line_number":174,"context_line":"this case Ironic will depend on scalability of credentials storage."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"Performance Impact"},{"line_number":177,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_34765e06","line":174,"updated":"2015-06-18 20:58:16.000000000","message":"And every call to BMC will be delayed by the RTT of a query to this service","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"5e6e2dac0bdedd37cbcd1ac2d1ee00bb62b89e70","unresolved":false,"context_lines":[{"line_number":171,"context_line":""},{"line_number":172,"context_line":"If credentials storage is used, additional network traffic appears because of"},{"line_number":173,"context_line":"calls to credentials storage to fetch, update or delete credentials. Also in"},{"line_number":174,"context_line":"this case Ironic will depend on scalability of credentials storage."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"Performance Impact"},{"line_number":177,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_9cf41d88","line":174,"in_reply_to":"fa32b979_34765e06","updated":"2015-06-19 11:33:27.000000000","message":"Only if not present in cache. Will add it.","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":2889,"name":"Aeva Black","email":"aeva.online@gmail.com","username":"tenbrae"},"change_message_id":"99a3d7b034a134820acd9d5d64c9340ac1bb8013","unresolved":false,"context_lines":[{"line_number":180,"context_line":"created/updated/deleted and when Ironic needs to perform some power or"},{"line_number":181,"context_line":"management action and credentials are not present in cache. 
This may lead to"},{"line_number":182,"context_line":"significant load on credentials storage if many nodes are being"},{"line_number":183,"context_line":"created, updated or deleted at the same time."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Other deployer impact"},{"line_number":186,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_5471a20a","line":183,"updated":"2015-06-18 20:58:16.000000000","message":"Where is caching discussed? What keeps the cache secure?\n\nIt seems like ironic-conductor will need to make an API call to fetch the credentials every time it needs to auth to the BMC -- and this happens *A LOT*.","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"5e6e2dac0bdedd37cbcd1ac2d1ee00bb62b89e70","unresolved":false,"context_lines":[{"line_number":180,"context_line":"created/updated/deleted and when Ironic needs to perform some power or"},{"line_number":181,"context_line":"management action and credentials are not present in cache. This may lead to"},{"line_number":182,"context_line":"significant load on credentials storage if many nodes are being"},{"line_number":183,"context_line":"created, updated or deleted at the same time."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Other deployer impact"},{"line_number":186,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa32b979_3c763107","line":183,"in_reply_to":"fa32b979_5471a20a","updated":"2015-06-19 11:33:27.000000000","message":"I will add more info about cache to proposed change. At the moment cache is just a dictionary stored in memory. Every time credentials are added to a node, or updated in node, new values are written to both storage and in-memory cache. 
When there is a need to fetch credentials, cache is searched for first. If not there (conductor was restarted) they are downloaded.\n\nIf credentials that are created by hand are used (such possibility is in proposed change, ID of these credentials should be written to driver_info/credentials_id by administrator) then they are not cached as the purpose of allowing them was to enable changing credentials at any time so that all nodes can see this change. Again, if it is not a common (or not desired) case I can remove this and this way credentials will be always cached.","commit_id":"79569f3646447d7e1afc7be1c7c1eab810650def"},{"author":{"_account_id":13719,"name":"Naohiro Tamura","email":"naohirot.openstack@gmail.com","username":"nao"},"change_message_id":"e6606ce0035ece659e04551b0a82b6bb50416feb","unresolved":false,"context_lines":[{"line_number":44,"context_line":""},{"line_number":45,"context_line":"This cache (if present) is going to be updated whenever credentials are"},{"line_number":46,"context_line":"changed. A link to credentials that were saved in storage will be written to"},{"line_number":47,"context_line":"`driver_internal_info/credentials_id`. 
Also, node UUID will be saved in"},{"line_number":48,"context_line":"credentials to prevent someone who has direct access to database to swap"},{"line_number":49,"context_line":"nodes\u0027 credentials."},{"line_number":50,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"9a41bdd9_8bb787d7","line":47,"updated":"2015-07-14 09:22:24.000000000","message":"The following code is copied from your answer in Patch #1.\n\nIf driver_internal_info/credentials_id is saved Ironic DB, is it possible for the database operator/administrator to do the steps in the following code, isn\u0027t it?\n\nif credentials_id:\n     provider \u003d credentials_factory.CredentialsFactory().provider\n     credentials \u003d provider.get(credentials_id)\n     password \u003d credentials[\u0027password\u0027]\n\nAs far as some kind of seed data is saved in the Ironic DB, doesn\u0027t it increase the scrutiny fundamentally?\n\nMy point is not object to this proposal. It\u0027s great if we can increase security.\n\nMy point is that this spec should convince reader logically and plainly why this proposed change can increase the security.","commit_id":"6f62c1c00a3213bf426d5a86c8aa6f304c16f2d9"},{"author":{"_account_id":13719,"name":"Naohiro Tamura","email":"naohirot.openstack@gmail.com","username":"nao"},"change_message_id":"b32de836b7331d4ff732e734a91d48aec2e724c9","unresolved":false,"context_lines":[{"line_number":44,"context_line":""},{"line_number":45,"context_line":"This cache (if present) is going to be updated whenever credentials are"},{"line_number":46,"context_line":"changed. A link to credentials that were saved in storage will be written to"},{"line_number":47,"context_line":"`driver_internal_info/credentials_id`. 
Also, node UUID will be saved in"},{"line_number":48,"context_line":"credentials to prevent someone who has direct access to database to swap"},{"line_number":49,"context_line":"nodes\u0027 credentials."},{"line_number":50,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"fa1b9901_f8589f58","line":47,"in_reply_to":"1a4dcd0f_a892db49","updated":"2015-08-18 09:22:40.000000000","message":"Vladyslav,\n\nThanks for the reply.\n\nStill I haven\u0027t fully understood what kind of data is saved in the db.\n\nIn the Patch Set 9, however, Devanada suggested to use Asymmetric encryption, public/private key, that means I assumed that the current spec uses symmetric encryption.\n\nThe point of my previous comment is that security does not increase even if newly introduced encoded data (credentials_id?) is saved in the db as far as it is encoded by symmetric encryption algorithm.\n\nPython is a script language, all source code can be readable. So I believe that the db administrator can write a script by looking at the Ironic source code to get the secret.\n\nBest regards,\nNaohiro.","commit_id":"6f62c1c00a3213bf426d5a86c8aa6f304c16f2d9"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"3ce2567f602cd9c7a66ef694038fe0278af8c988","unresolved":false,"context_lines":[{"line_number":44,"context_line":""},{"line_number":45,"context_line":"This cache (if present) is going to be updated whenever credentials are"},{"line_number":46,"context_line":"changed. A link to credentials that were saved in storage will be written to"},{"line_number":47,"context_line":"`driver_internal_info/credentials_id`. 
Also, node UUID will be saved in"},{"line_number":48,"context_line":"credentials to prevent someone who has direct access to database to swap"},{"line_number":49,"context_line":"nodes\u0027 credentials."},{"line_number":50,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"1a4dcd0f_a892db49","line":47,"in_reply_to":"9a41bdd9_8bb787d7","updated":"2015-08-14 08:37:31.000000000","message":"IIUC that would mean that DB admin can change conductor code, which should not be the case. If he can do this then he can just look at CONF.keystone_authtoken.admin_user and CONF.keystone_authtoken.admin_password and do whatever he wants.","commit_id":"6f62c1c00a3213bf426d5a86c8aa6f304c16f2d9"},{"author":{"_account_id":12356,"name":"Vladyslav Drok","email":"vdrok@mirantis.com","username":"vdrok"},"change_message_id":"ab5867e0018ef91159106968e408b5938f074e01","unresolved":false,"context_lines":[{"line_number":44,"context_line":""},{"line_number":45,"context_line":"This cache (if present) is going to be updated whenever credentials are"},{"line_number":46,"context_line":"changed. A link to credentials that were saved in storage will be written to"},{"line_number":47,"context_line":"`driver_internal_info/credentials_id`. Also, node UUID will be saved in"},{"line_number":48,"context_line":"credentials to prevent someone who has direct access to database to swap"},{"line_number":49,"context_line":"nodes\u0027 credentials."},{"line_number":50,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"fa1b9901_3be79512","line":47,"in_reply_to":"fa1b9901_f8589f58","updated":"2015-08-19 20:26:53.000000000","message":"Hi Naohiro.\n\nWhen using keystone, credentials are not encrypted, they are passed to keystone. credentials_id is the field that contains UUID of credentials in keystone. 
Looking at the source code won\u0027t help, as it is also required to have admin credentials to download node credentials from keystone (you can take a look at WIP implementation here https://review.openstack.org/#/c/185074/5/ironic/common/keystone.py - to download node credentials you need to get credentials manager, for that you need to initialize keystone client, and for that you need to have admin_password or admin_token).","commit_id":"6f62c1c00a3213bf426d5a86c8aa6f304c16f2d9"}]}
