New Question
0

Password options for horizon

asked 2016-03-18 19:01:41 +0200

benray gravatar image

Hi folks,

Thanks for all your work on bringing cloudbase-init to Windows. We are starting to use it with OpenStack to deploy isolated short-lived VMware test machines for a support community. I have a few password account/related questions to add to what's already been covered here.

Q: Is it possible to deliver admin pass through horizon via configdrive and then post to metadata with httpservice? Currently we can't get it to post but it does get applied to the VM. Looks like httpservice is ignored once configdrive is discovered.

Q: Is it possible to deliver admin pass through horizon via httpservice? Currently we can only get a random password with this method. Booting via cmd line with '--meta admin_pass=' works but our users will be using horizon. Maybe a post-creation option could work too?

Q: How difficult would it be to keep the Administrator account from being disabled after sysprep?

thank you!

edit retag flag offensive close merge delete

2 answers

Sort by » oldest newest most voted
0

answered 2016-03-23 16:32:46 +0200

benray gravatar image

Adrian,

Thanks for your response. This is an isolated environment for shared temporary test machines where speed and convenience are more desired by users than security. I did find an easy way to re-enable the local Administrator account via userdata script so thank you for supporting that.

Currently I am using 'cansetpassword' in horizon and can successfully deploy instances with configdrive and httpservice (by changing the order in metadata_services). However I'm running into these limitations:

  1. If configdrive is used, the password is properly taken from horizon and applied to the VM but is not posted to the metadata service (I believe this is expected) and thus cannot be retrieved if forgotten short of grepping the configdrive iso by an admin. If the user does not select a password in horizon a random one will be used which again cannot be retrieved from horizon.

  2. If httpserver is used, the user gets a random password which is properly posted to the metadata and can be retrieved with the keypair. Unfortunately if the user adds a password in horizon a random one is still used ... the desired password does not get applied to the VM. Interesting though the desired password will be in the configdrive file.

  3. If httpserver is used and the instance is booted on the command line with "--meta admin_pass=<password>" we get the desired behavior. The password input by the user is applied to the VM and is posted to the metadata meaning it can be retrieved & decrypted with the key. However end users cannot use this method as they are using horizon.

I understand #1 and #3 are probably working normally. So my question is on #2; when using httpserver, should cloudbase-init use the admin pass input to horizon or is it properly generating a random password?

Thanks again for your feedback

edit flag offensive delete link more
0

answered 2016-03-23 02:36:52 +0200

avladu gravatar image

updated 2016-03-23 02:48:42 +0200

Hello,

Q1: For the moment, cloudbase-init does not support multiple metadata sources at the same time. It checks if a metadata provider is available, and if available, it will not check for the existence of another one. The default order is configurable though. Here you have an example of a configuration file, with configuration option "metadata_services": http://cloudbase-init.readthedocs.org... . An example configuration:

metadata_services=cloudbaseinit.metadata.services.configdrive.ConfigDriveService,
              cloudbaseinit.metadata.services.httpservice.HttpService,
              cloudbaseinit.metadata.services.ec2service.EC2Service,
              cloudbaseinit.metadata.services.maasservice.MaaSHttpService

Q2: There is an option to set the admin pass using horizon. An example of localsettings configuration: https://github.com/openstack/horizon/...dashboard/local/localsettings.py.example . In Horizon's localsettings, you can set the following key

OPENSTACK_HYPERVISOR_FEATURES = {
…
"can_set_password": True,
}

Q3. Although is not recommended due to security issues, you can use the Administrator user instead of the Admin user. In the link of the example configuration file, you can find an example of where to change the default user name that cloudbase-init will use

username=Admin
groups=Administrators

Thanks, Adrian.

edit flag offensive delete link more

Comments

I have checked the OpenStack Nova and Horizon code and password field from Horizon applies only if you have the configdrive metadata service, in case of Windows instances, but the configdrive does not allow for password retrieval, as you already pointed out.

avladu gravatar imageavladu ( 2016-03-23 20:41:15 +0200 )edit

On the bright side, the command line option for nova boot "--meta admin_pass=<pass>" feature was implemented in Horizon Mitaka https://review.openstack.org/#/c/232234/ , allowing the option to set metadata key values.

avladu gravatar imageavladu ( 2016-03-23 20:43:59 +0200 )edit

Yes - thanks for underscoring these points. Have you been able to get the horizon-set password using httpserver datasource?

benray gravatar imagebenray ( 2016-03-23 23:49:00 +0200 )edit

The libvirt driver does not provide a way for http metadata source to access the password, the password is injected only for configdrive. The solution I found is to use mitaka horizon version, and set the password as metadata key-value(admin_pass - <pass>).

avladu gravatar imageavladu ( 2016-03-24 13:41:18 +0200 )edit

Got it ... so basically it's a limitation and you were able to get around it with the metadata key. This helps me understand the behavior we've seen. Thanks for the explanation! I think we will go back to configdrive :)

benray gravatar imagebenray ( 2016-03-24 18:46:39 +0200 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2016-03-18 19:01:41 +0200

Seen: 1,790 times

Last updated: Mar 23 '16