Secret Consumers
Spec for implementing Consumers API on Secrets.

Story: 2005770
Task: 33487
APIImpact
Change-Id: I0167ce2bd8c6cee82aeb1ec332c09b77efe2eab3
This commit is contained in:
parent
5fc1790899
commit
69ac31c535
|
@ -6,10 +6,7 @@ Barbican Project Specifications
|
||||||
|
|
||||||
Train approved specs:
|
Train approved specs:
|
||||||
|
|
||||||
..
|
.. toctree::
|
||||||
disabled to not break builds, once first spec is added,
|
|
||||||
this needs enabling.
|
|
||||||
.. toctree::
|
|
||||||
:glob:
|
:glob:
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
|
|
|
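Review bot: the toctree is switched on here (the "disabled to not break builds" comment is dropped and `.. toctree::` with `:glob:` and `:maxdepth: 1` is left active), but the glob pattern that follows `:maxdepth: 1` lies outside the visible context of this hunk. Please confirm it matches the directory the new spec is added to in the next hunk; if it does not, the "Train approved specs" heading will render with an empty list and the build may still fail on the empty toctree, which is exactly what the removed comment was guarding against.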
@ -0,0 +1,362 @@
|
||||||
|
..
|
||||||
|
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||||
|
License.
|
||||||
|
|
||||||
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||||
|
|
||||||
|
================
|
||||||
|
Secret Consumers
|
||||||
|
================
|
||||||
|
|
||||||
|
https://storyboard.openstack.org/#!/story/2005770
|
||||||
|
|
||||||
|
This spec proposes an addition to the Barbican Secrets API to allow
|
||||||
|
other OpenStack projects to add references to individual Secrets when
|
||||||
|
those secrets are being used by them.
|
||||||
|
|
||||||
|
This spec also proposes a change to both the Python and CLI clients in
|
||||||
|
python-barbicanclient in how they handle the deletion of secrets.
|
||||||
|
Clients would be changed such that deleting a secret will result in an
|
||||||
|
error when they are still being consumed by another project unless a `force`
|
||||||
|
parameter is provided.
|
||||||
|
|
||||||
|
This spec is part of a larger effort to provide Encrypted Images
|
||||||
|
to OpenStack clouds.
|
||||||
|
|
||||||
|
Problem Description
|
||||||
|
===================
|
||||||
|
|
||||||
|
Other OpenStack projects would like to make use of an end user's secrets
|
||||||
|
e.g. A Secret that contains an encryption key for Image Encryption.
|
||||||
|
But there is currently no way for those projects to let the user know
|
||||||
|
that they are using the Secret. This lack of awareness may lead to errors
|
||||||
|
if the user deletes a Secret that is still in use by other projects.
|
||||||
|
|
||||||
|
On the other hand, users should be allowed to delete secrets whenever they
|
||||||
|
want, so a Secret being used by other projects should not prevent deletion.
|
||||||
|
|
||||||
|
Proposed Change
|
||||||
|
===============
|
||||||
|
|
||||||
|
Add a new API to Secrets to register Secret Consumers (similar, but not
|
||||||
|
identical to the Containers Consumer API [1]).
|
||||||
|
|
||||||
|
With this new API, other OpenStack projects would register as a consumer
|
||||||
|
of a secret by sending a request to Barbican. Barbican stores the service
|
||||||
|
type of the requesting service, as well as both the resource type and
|
||||||
|
resource ID of the resource that is using the Secret.
|
||||||
|
|
||||||
|
See REST API Impact below for details of the API changes.
|
||||||
|
|
||||||
|
Clients to barbican would change the semantics for deleting secrets by
|
||||||
|
returning an error when trying to delete a secret if that secret has one
|
||||||
|
or more consumers. Clients will also accept an additional boolean parameter
|
||||||
|
to delete a secret regardless of how many consumers it has.
|
||||||
|
|
||||||
|
See Python and Command Line Client Impact below for details of the client
|
||||||
|
changes.
|
||||||
|
|
||||||
|
Alternatives
|
||||||
|
------------
|
||||||
|
|
||||||
|
One alternative would be to implement Secret Consumers just like Container
|
||||||
|
Consumers, which uses a URL instead of the consuming entity type and ID.
|
||||||
|
|
||||||
|
Another alternative approach that was considered was to have each project
|
||||||
|
clone the secret when they need to use it. This alternative has some
|
||||||
|
downsides, however. For one, an end user may not be able to delete
|
||||||
|
those copies.
|
||||||
|
|
||||||
|
Data model impact
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
A new model and associated data table will need to be added. For example,
|
||||||
|
a new class SecretConsumerMetadatum with a secret_consumer_metadata table.
|
||||||
|
|
||||||
|
The new class will have references to both the secret_id as well as the
|
||||||
|
project_id which owns the secret.
|
||||||
|
|
||||||
|
REST API impact
|
||||||
|
---------------
|
||||||
|
|
||||||
|
POST /v1/secrets/{secret_id}/consumers
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Add a new resource as a consumer to a secret.
|
||||||
|
|
||||||
|
Body Parameters
|
||||||
|
+++++++++++++++
|
||||||
|
|
||||||
|
+---------------------+--------+--------------------------------------------------------+
|
||||||
|
| Name | Type | Description |
|
||||||
|
+---------------------+--------+--------------------------------------------------------+
|
||||||
|
| service | string | Consumer's OpenStack service type as shown in |
|
||||||
|
| | | https://service-types.openstack.org/service-types.json |
|
||||||
|
+---------------------+--------+--------------------------------------------------------+
|
||||||
|
| resource_type | string | Name of the resource type using the secret |
|
||||||
|
| (or resource_path?) | | e.g. "images" or "lbaas/loadbalancers" |
|
||||||
|
+---------------------+--------+--------------------------------------------------------+
|
||||||
|
| resource_id | string | Unique identifier for the resource using this secret. |
|
||||||
|
+---------------------+--------+--------------------------------------------------------+
|
||||||
|
|
||||||
|
Barbican will consider the resource_id to be a unique consumer. This assumes
|
||||||
|
that resource_id is a UUID, and that duplicate IDs for different projects
|
||||||
|
is not likely to ever happen in a single cloud.
|
||||||
|
|
||||||
|
resource_type should be meaningful to the individual projects, and should
|
||||||
|
be used to identify the resource in the consuming service. For example,
|
||||||
|
Glance could use "images" as the value of the resource type to indicate that
|
||||||
|
the resrouce_id refers to an image.
|
||||||
|
|
||||||
|
Request
|
||||||
|
+++++++
|
||||||
|
|
||||||
|
POST /v1/secrets/{secret_id}/consumers
|
||||||
|
Headers:
|
||||||
|
X-Auth-Token: {token}
|
||||||
|
X-Content-Type: application/json
|
||||||
|
|
||||||
|
{
|
||||||
|
"service": "image",
|
||||||
|
"resource_type": "images",
|
||||||
|
"resource_id": "{image_id}"
|
||||||
|
}
|
||||||
|
|
||||||
|
Responses
|
||||||
|
+++++++++
|
||||||
|
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
| Code | Description |
|
||||||
|
+======+====================================================================+
|
||||||
|
| 200 | OK |
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
| 401 | Unauthorized - X-Auth-Token is invalid |
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
| 403 | Forbidden - X-Auth-Token is valid, but the associated project does |
|
||||||
|
| | not have the appropriate role/scope |
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
|
||||||
|
GET /v1/secrets/{secret_id}/consumers
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
List consumers for a particular Secret.
|
||||||
|
|
||||||
|
Parameters
|
||||||
|
++++++++++
|
||||||
|
|
||||||
|
+---------+---------+---------+-------------------------------------------------+
|
||||||
|
| Name | Type | Default | Description |
|
||||||
|
+=========+=========+=========+=================================================+
|
||||||
|
| offset | integer | 0 | Offset to start consumer response |
|
||||||
|
+---------+---------+---------+-------------------------------------------------+
|
||||||
|
| limit | integer | 10 | Number of consumer entries returned in response |
|
||||||
|
+---------+---------+---------+-------------------------------------------------+
|
||||||
|
| service | string | None | Filter by service type |
|
||||||
|
+---------+---------+---------+-------------------------------------------------+
|
||||||
|
|
||||||
|
Request
|
||||||
|
+++++++
|
||||||
|
|
||||||
|
GET /v1/secrets/{secret_id}/consumers
|
||||||
|
Headers:
|
||||||
|
X-Auth-Token: {token}
|
||||||
|
|
||||||
|
OK Response
|
||||||
|
+++++++++++
|
||||||
|
|
||||||
|
200 OK
|
||||||
|
|
||||||
|
{
|
||||||
|
"total": 1,
|
||||||
|
"consumers": [
|
||||||
|
{
|
||||||
|
"service": "image",
|
||||||
|
"resource_type": "images",
|
||||||
|
"resource_id" : "{image_id}"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
Other Responses
|
||||||
|
+++++++++++++++
|
||||||
|
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
| Code | Description |
|
||||||
|
+======+====================================================================+
|
||||||
|
| 401 | Unauthorized - X-Auth-Token is invalid |
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
| 403 | Forbidden - X-Auth-Token is valid, but the associated project does |
|
||||||
|
| | not have the appropriate role/scope |
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
|
||||||
|
DELETE /v1/secrets/{secret_id}/consumers/{resource_id}
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Delete a consumer. ie. The resource is being deleted and it longer needs
|
||||||
|
to access this secret.
|
||||||
|
|
||||||
|
Request
|
||||||
|
+++++++
|
||||||
|
|
||||||
|
DELETE v1/secrets/{secret_id}/consumers/{resource_id}
|
||||||
|
|
||||||
|
Responses
|
||||||
|
+++++++++
|
||||||
|
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
| Code | Description |
|
||||||
|
+======+====================================================================+
|
||||||
|
| 200 | OK |
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
| 401 | Unauthorized - X-Auth-Token is invalid |
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
| 403 | Forbidden - X-Auth-Token is valid, but the associated project does |
|
||||||
|
| | not have the appropriate role/scope |
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
| 404 | Not Found - Consumer record for given resource_id was not found. |
|
||||||
|
+------+--------------------------------------------------------------------+
|
||||||
|
|
||||||
|
Security impact
|
||||||
|
---------------
|
||||||
|
|
||||||
|
Because the consumers are stored in the database, there is the possibility
|
||||||
|
that a bad actor could add many consumers to try to fill the database disk
|
||||||
|
space. Secret Consumers should be limited to the same quota as Container
|
||||||
|
Consumers to mitigate this risk. For example:
|
||||||
|
|
||||||
|
[quota]
|
||||||
|
quota_consumers=10000
|
||||||
|
|
||||||
|
Would limit both Container Consumers and Secret Consumers to a maximum
|
||||||
|
of 10,000 consumers each for both a single Container or a single Secret.
|
||||||
|
|
||||||
|
Notifications & Audit Impact
|
||||||
|
----------------------------
|
||||||
|
|
||||||
|
The new API endpoints should be audited as usual.
|
||||||
|
|
||||||
|
Python and Command Line Client Impact
|
||||||
|
-------------------------------------
|
||||||
|
|
||||||
|
The Secret class in python-barbicanclient should be updated to add new
|
||||||
|
methods such as:
|
||||||
|
|
||||||
|
class Secret(...):
|
||||||
|
...
|
||||||
|
|
||||||
|
def add_consumer(self, service_type, resource_type, resource_id):
|
||||||
|
...
|
||||||
|
|
||||||
|
def remove_consumer(self, service_type, resource_type, resource_id):
|
||||||
|
...
|
||||||
|
|
||||||
|
Both methods should raise appropriate exceptions when the API returns an error.
|
||||||
|
Additionally, the Secret.delete() method should be updated to take a new *force*
|
||||||
|
parameter and throw an exception when delete() is called with force=False,
|
||||||
|
and the secret still has consumers:
|
||||||
|
|
||||||
|
class Secret(...):
|
||||||
|
...
|
||||||
|
|
||||||
|
def delete(self, force=False):
|
||||||
|
...
|
||||||
|
|
||||||
|
The CLI client should be changed to add new consumer options, such as:
|
||||||
|
|
||||||
|
openstack secret consumer add --service-type=image --resource-type=image \
|
||||||
|
--resource-id=XXXX-XXXX-XXXX-XXXX
|
||||||
|
|
||||||
|
openstack secret consumer remove --service-type=image --resource-type=image \
|
||||||
|
--resource-id=XXXX-XXXX-XXXX-XXXX
|
||||||
|
|
||||||
|
The secret delete command should be changed to take a *--force* parameter:
|
||||||
|
|
||||||
|
openstack secret delete --force {secret_uuid}
|
||||||
|
|
||||||
|
This command should return an error when a secret has one or more consumers
|
||||||
|
and the --force flag is not used:
|
||||||
|
|
||||||
|
openstack secret delete {secret_uuid_with_consumers}
|
||||||
|
ERROR: Secret has one or more consumers. Use --force to delete anyway.
|
||||||
|
|
||||||
|
These changes will require a new Major version for python-barbicanclient
|
||||||
|
because the default --force=False option could cause some scripts to break in
|
||||||
|
certain scenarios where secrets are currently being deleted that do have
|
||||||
|
consumers associated with them.
|
||||||
|
|
||||||
|
Other end user impact
|
||||||
|
---------------------
|
||||||
|
|
||||||
|
Currently there is no other impact to the end user other than the CLI changes
|
||||||
|
listed above. In the future, when a barbican-ui for Horizon is developed,
|
||||||
|
it should use the consumers to present confirmation dialogs to the user
|
||||||
|
when deleting Secrets which have consumers.
|
||||||
|
|
||||||
|
It should be noted that Deleting Secrets in the Barbican REST API
|
||||||
|
has not changed, and a client using the API directly will be able to delete
|
||||||
|
a secret regardless of the presence of consumers.
|
||||||
|
|
||||||
|
Performance Impact
|
||||||
|
------------------
|
||||||
|
|
||||||
|
Deleting secrets using the CLI or the Python client will be affected as we
|
||||||
|
will likely need to perform additional requests to the API to get the list of
|
||||||
|
consumers for a secret before sending a DELETE request.
|
||||||
|
|
||||||
|
Other deployer impact
|
||||||
|
---------------------
|
||||||
|
|
||||||
|
When python-barbican changes are merged, some automation scripts that use
|
||||||
|
secret deletion may break if the secrets being deleted have consumers.
|
||||||
|
|
||||||
|
Any automation scripts should be updated to use the --force flag if needed.
|
||||||
|
|
||||||
|
Developer impact
|
||||||
|
----------------
|
||||||
|
|
||||||
|
Developers of other projects that want to make use of this feature will
|
||||||
|
need to use python-barbicanclient to integrate with the Key Manager service.
|
||||||
|
|
||||||
|
Implementation
|
||||||
|
==============
|
||||||
|
|
||||||
|
Assignee(s)
|
||||||
|
|
||||||
|
Primary assignee:
|
||||||
|
Douglas Mendizábal (Freenode: redrobot) <dmendiza@redhat.com>
|
||||||
|
|
||||||
|
Other contributors:
|
||||||
|
Moisés Guimarães (Freenode: moguimar) <moguimar@redhat.com>
|
||||||
|
|
||||||
|
Work Items
|
||||||
|
----------
|
||||||
|
|
||||||
|
* Implement Model changes and database migration
|
||||||
|
* Implement API changes
|
||||||
|
* Implement python-barbicanclient changes (both python client and CLI)
|
||||||
|
|
||||||
|
Dependencies
|
||||||
|
============
|
||||||
|
|
||||||
|
None.
|
||||||
|
|
||||||
|
Testing
|
||||||
|
=======
|
||||||
|
|
||||||
|
Tempest test cases should be added to test adding/removing Secret Consumers
|
||||||
|
using a service-user that is not barbican.
|
||||||
|
|
||||||
|
Documentation Impact
|
||||||
|
====================
|
||||||
|
|
||||||
|
All API changes should be documented in the API reference, as well as the
|
||||||
|
API Guide.
|
||||||
|
|
||||||
|
References
|
||||||
|
==========
|
||||||
|
|
||||||
|
[1] Container Consumers API:
|
||||||
|
https://docs.openstack.org/barbican/stein/api/reference/consumers.html
|
||||||
|
|
||||||
|
Barbican Train PTG Etherpad:
|
||||||
|
https://etherpad.openstack.org/p/barbican-train-ptg
|
|
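Review bot: the uniqueness model and the DELETE route do not match the POST body. The paragraph starting "Barbican will consider the resource_id to be a unique consumer" keys consumers on `resource_id` alone, on the assumption that it is a UUID, and `DELETE /v1/secrets/{secret_id}/consumers/{resource_id}` is likewise keyed on `resource_id` only; yet POST stores `service`, `resource_type` and `resource_id`, and the proposed client method `remove_consumer(self, service_type, resource_type, resource_id)` takes all three. Either make the stored triple the key and state what a second POST with the same `resource_id` does (return the existing record, or fail), or drop the unused arguments from `remove_consumer`. Smaller points in the same file: no policy rule is named for the three new endpoints even though every 403 row refers to "the appropriate role/scope", and the Security impact section should say which project or service user is allowed to attach a consumer to a secret owned by another project, since the only risk it discusses is quota exhaustion; the "(or resource_path?)" placeholder in the Body Parameters table is an open design question that should be settled before this merges; that same table uses a `+----` line under its header row where the other tables use `+====`, so it renders without a header; the DELETE request sample reads `DELETE v1/secrets/...` without the leading slash used everywhere else; and there are typos in "resrouce_id", "it longer needs" and "ie.".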
@ -1,342 +0,0 @@
|
||||||
..
|
|
||||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
|
||||||
License.
|
|
||||||
|
|
||||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
|
||||||
|
|
||||||
==========================================
|
|
||||||
Example Spec - The title of your blueprint
|
|
||||||
==========================================
|
|
||||||
|
|
||||||
Include the URL of your launchpad blueprint:
|
|
||||||
|
|
||||||
https://blueprints.launchpad.net/barbican/+spec/example
|
|
||||||
|
|
||||||
Include the URL of your client blueprint:
|
|
||||||
|
|
||||||
https://blueprints.launchpad.net/python-barbicanclient/example
|
|
||||||
|
|
||||||
Introduction paragraph -- why are we doing anything? A single paragraph of
|
|
||||||
prose that operators can understand.
|
|
||||||
|
|
||||||
Some notes about using this template:
|
|
||||||
|
|
||||||
* Your spec should be in ReSTructured text, like this template.
|
|
||||||
|
|
||||||
* Please wrap text at 79 columns.
|
|
||||||
|
|
||||||
* The filename in the git repository should match the launchpad URL, for
|
|
||||||
example a URL of: https://blueprints.launchpad.net/barbican/+spec/awesome-thing
|
|
||||||
should be named awesome-thing.rst
|
|
||||||
|
|
||||||
* Please do not delete any of the sections in this template. If you have
|
|
||||||
nothing to say for a whole section, just write: None
|
|
||||||
|
|
||||||
* For help with syntax, see http://sphinx-doc.org/rest.html
|
|
||||||
|
|
||||||
* To test out your formatting, build the docs using tox, or see:
|
|
||||||
http://rst.ninjs.org
|
|
||||||
|
|
||||||
* If you would like to provide a diagram with your spec, ascii diagrams are
|
|
||||||
required. http://asciiflow.com/ is a very nice tool to assist with making
|
|
||||||
ascii diagrams. The reason for this is that the tool used to review specs is
|
|
||||||
based purely on plain text. Plain text will allow review to proceed without
|
|
||||||
having to look at additional files which can not be viewed in gerrit. It
|
|
||||||
will also allow inline feedback on the diagram itself.
|
|
||||||
|
|
||||||
* If your specification proposes any changes to the Barbican REST API such
|
|
||||||
as changing parameters which can be returned or accepted, or even
|
|
||||||
the semantics of what happens when a client calls into the API, then
|
|
||||||
you should add the APIImpact flag to the commit message. Specifications with
|
|
||||||
the APIImpact flag can be found with the following query::
|
|
||||||
|
|
||||||
https://review.openstack.org/#/q/status:open+project:openstack/barbican-specs+message:apiimpact,n,z
|
|
||||||
|
|
||||||
|
|
||||||
Problem Description
|
|
||||||
===================
|
|
||||||
|
|
||||||
A detailed description of the problem:
|
|
||||||
|
|
||||||
* For a new feature this might be use cases. Ensure you are clear about the
|
|
||||||
actors in each use case: End User vs Deployer
|
|
||||||
|
|
||||||
* For a major reworking of something existing it would describe the
|
|
||||||
problems in that feature that are being addressed.
|
|
||||||
|
|
||||||
|
|
||||||
Proposed Change
|
|
||||||
===============
|
|
||||||
|
|
||||||
Here is where you cover the change you propose to make in detail. How do you
|
|
||||||
propose to solve this problem?
|
|
||||||
|
|
||||||
If this is one part of a larger effort make it clear where this piece ends. In
|
|
||||||
other words, what's the scope of this effort?
|
|
||||||
|
|
||||||
Alternatives
|
|
||||||
------------
|
|
||||||
|
|
||||||
What other ways could we do this thing? Why aren't we using those? This doesn't
|
|
||||||
have to be a full literature review, but it should demonstrate that thought has
|
|
||||||
been put into why the proposed solution is an appropriate one.
|
|
||||||
|
|
||||||
Data model impact
|
|
||||||
-----------------
|
|
||||||
|
|
||||||
Changes which require modifications to the data model often have a wider impact
|
|
||||||
on the system. The community often has strong opinions on how the data model
|
|
||||||
should be evolved, from both a functional and performance perspective. It is
|
|
||||||
therefore important to capture and gain agreement as early as possible on any
|
|
||||||
proposed changes to the data model.
|
|
||||||
|
|
||||||
Questions which need to be addressed by this section include:
|
|
||||||
|
|
||||||
* What new data objects and/or database schema changes is this going to
|
|
||||||
require?
|
|
||||||
|
|
||||||
* What database migrations will accompany this change (if any)?
|
|
||||||
|
|
||||||
* How will the initial set of new data objects be generated? For example, if you
|
|
||||||
need to take into account existing keys, or modify other existing data
|
|
||||||
describe how that will work.
|
|
||||||
|
|
||||||
REST API impact
|
|
||||||
---------------
|
|
||||||
|
|
||||||
Each API method which is either added or changed should have the following
|
|
||||||
|
|
||||||
* Specification for the method
|
|
||||||
|
|
||||||
* A description of what the method does suitable for use in
|
|
||||||
user documentation
|
|
||||||
|
|
||||||
* Method type (POST/PUT/GET/DELETE)
|
|
||||||
|
|
||||||
* Normal http response code(s)
|
|
||||||
|
|
||||||
* Expected error http response code(s)
|
|
||||||
|
|
||||||
* A description for each possible error code should be included
|
|
||||||
describing semantic errors which can cause it such as
|
|
||||||
inconsistent parameters supplied to the method, or when an
|
|
||||||
instance is not in an appropriate state for the request to
|
|
||||||
succeed. Errors caused by syntactic problems covered by the JSON
|
|
||||||
schema defintion do not need to be included.
|
|
||||||
|
|
||||||
* URL for the resource
|
|
||||||
|
|
||||||
* Parameters which can be passed via the url
|
|
||||||
|
|
||||||
* JSON schema definition for the body data if allowed
|
|
||||||
|
|
||||||
* JSON schema definition for the response data if any
|
|
||||||
|
|
||||||
* Example use case including typical API samples for both data supplied
|
|
||||||
by the caller and the response
|
|
||||||
|
|
||||||
* Discuss any policy changes, and discuss what things a deployer needs to
|
|
||||||
think about when defining their policy.
|
|
||||||
|
|
||||||
Example JSON schema definitions can be found in the Nova tree
|
|
||||||
http://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/schemas/v3
|
|
||||||
|
|
||||||
Note that the schema should be defined as restrictively as
|
|
||||||
possible. Parameters which are required should be marked as such and
|
|
||||||
only under exceptional circumstances should additional parameters
|
|
||||||
which are not defined in the schema be permitted (eg
|
|
||||||
additionaProperties should be False).
|
|
||||||
|
|
||||||
Reuse of existing predefined parameter types such as regexps for
|
|
||||||
passwords and user defined names is highly encouraged.
|
|
||||||
|
|
||||||
Security impact
|
|
||||||
---------------
|
|
||||||
|
|
||||||
Describe any potential security impact on the system. Some of the items to
|
|
||||||
consider include:
|
|
||||||
|
|
||||||
* Does this change touch sensitive data such as tokens, keys, or user data?
|
|
||||||
|
|
||||||
* Does this change alter the API in a way that may impact security, such as
|
|
||||||
a new way to access sensitive information or a new way to login?
|
|
||||||
|
|
||||||
* Does this change involve cryptography or hashing?
|
|
||||||
|
|
||||||
* Does this change require the use of sudo or any elevated privileges?
|
|
||||||
|
|
||||||
* Does this change involve using or parsing user-provided data? This could
|
|
||||||
be directly at the API level or indirectly such as changes to a cache layer.
|
|
||||||
|
|
||||||
* Can this change enable a resource exhaustion attack, such as allowing a
|
|
||||||
single API interaction to consume significant server resources? Some examples
|
|
||||||
of this include launching subprocesses for each connection, or entity
|
|
||||||
expansion attacks in XML.
|
|
||||||
|
|
||||||
* Does this change the need for auditing in any way?
|
|
||||||
|
|
||||||
For more detailed guidance, please see the OpenStack Security Guidelines as
|
|
||||||
a reference (https://wiki.openstack.org/wiki/Security/Guidelines). These
|
|
||||||
guidelines are a work in progress and are designed to help you identify
|
|
||||||
security best practices. For further information, feel free to reach out
|
|
||||||
to the OpenStack Security Group at openstack-security@lists.openstack.org.
|
|
||||||
|
|
||||||
Notifications & Audit Impact
|
|
||||||
----------------------------
|
|
||||||
|
|
||||||
Please specify any changes to notifications or auditing. Be that an extra notification,
|
|
||||||
changes to an existing notification, or removing a notification.
|
|
||||||
|
|
||||||
Python and Command Line Client Impact
|
|
||||||
-------------------------------------
|
|
||||||
|
|
||||||
Please specify any changes to the python and command line clients (CLI). Consider
|
|
||||||
the OpenStack unified clients as well as the soon to be deprecated Barbican clients.
|
|
||||||
|
|
||||||
Other end user impact
|
|
||||||
---------------------
|
|
||||||
|
|
||||||
Aside from the API, are there other ways a user will interact with this
|
|
||||||
feature?
|
|
||||||
|
|
||||||
* Does this change have an impact on python-novaclient? What does the user
|
|
||||||
interface there look like?
|
|
||||||
|
|
||||||
Performance Impact
|
|
||||||
------------------
|
|
||||||
|
|
||||||
Describe any potential performance impact on the system, for example
|
|
||||||
how often will new code be called, and is there a major change to the calling
|
|
||||||
pattern of existing code.
|
|
||||||
|
|
||||||
Examples of things to consider here include:
|
|
||||||
|
|
||||||
* A periodic task might look like a small addition but if it calls conductor or
|
|
||||||
another service the load is multiplied by the number of nodes in the system.
|
|
||||||
|
|
||||||
* Scheduler filters get called once per host for every instance being created,
|
|
||||||
so any latency they introduce is linear with the size of the system.
|
|
||||||
|
|
||||||
* A small change in a utility function or a commonly used decorator can have a
|
|
||||||
large impacts on performance.
|
|
||||||
|
|
||||||
* Calls which result in a database queries (whether direct or via conductor)
|
|
||||||
can have a profound impact on performance when called in critical sections of
|
|
||||||
the code.
|
|
||||||
|
|
||||||
* Will the change include any locking, and if so what considerations are there
|
|
||||||
on holding the lock?
|
|
||||||
|
|
||||||
Other deployer impact
|
|
||||||
---------------------
|
|
||||||
|
|
||||||
Discuss things that will affect how you deploy and configure OpenStack
|
|
||||||
that have not already been mentioned, such as:
|
|
||||||
|
|
||||||
* What config options are being added? Should they be more generic than
|
|
||||||
proposed (for example a flag that other hypervisor drivers might want to
|
|
||||||
implement as well)? Are the default values ones which will work well in
|
|
||||||
real deployments?
|
|
||||||
|
|
||||||
* Is this a change that takes immediate effect after its merged, or is it
|
|
||||||
something that has to be explicitly enabled?
|
|
||||||
|
|
||||||
* If this change is a new binary, how would it be deployed?
|
|
||||||
|
|
||||||
* Please state anything that those doing continuous deployment, or those
|
|
||||||
upgrading from the previous release, need to be aware of. Also describe
|
|
||||||
any plans to deprecate configuration values or features. For example, if we
|
|
||||||
change the directory name that instances are stored in, how do we handle
|
|
||||||
instance directories created before the change landed? Do we move them? Do
|
|
||||||
we have a special case in the code? Do we assume that the operator will
|
|
||||||
recreate all the instances in their cloud?
|
|
||||||
|
|
||||||
Developer impact
|
|
||||||
----------------
|
|
||||||
|
|
||||||
Discuss things that will affect other developers working on OpenStack,
|
|
||||||
such as:
|
|
||||||
|
|
||||||
* If the blueprint proposes a change to the driver API, discussion of how
|
|
||||||
other hypervisors would implement the feature is required.
|
|
||||||
|
|
||||||
|
|
||||||
Implementation
|
|
||||||
==============
|
|
||||||
|
|
||||||
Assignee(s)
|
|
||||||
-----------
|
|
||||||
|
|
||||||
Who is leading the writing of the code? Or is this a blueprint where you're
|
|
||||||
throwing it out there to see who picks it up?
|
|
||||||
|
|
||||||
If more than one person is working on the implementation, please designate the
|
|
||||||
primary author and contact.
|
|
||||||
|
|
||||||
Primary assignee:
|
|
||||||
<launchpad-id or None>
|
|
||||||
|
|
||||||
Other contributors:
|
|
||||||
<launchpad-id or None>
|
|
||||||
|
|
||||||
Work Items
|
|
||||||
----------
|
|
||||||
|
|
||||||
Work items or tasks -- break the feature up into the things that need to be
|
|
||||||
done to implement it. Those parts might end up being done by different people,
|
|
||||||
but we're mostly trying to understand the timeline for implementation.
|
|
||||||
|
|
||||||
|
|
||||||
Dependencies
|
|
||||||
============
|
|
||||||
|
|
||||||
* Include specific references to specs and/or blueprints in nova, or in other
|
|
||||||
projects, that this one either depends on or is related to.
|
|
||||||
|
|
||||||
* If this requires functionality of another project that is not currently used
|
|
||||||
by Nova (such as the glance v2 API when we previously only required v1),
|
|
||||||
document that fact.
|
|
||||||
|
|
||||||
* Does this feature require any new library dependencies or code otherwise not
|
|
||||||
included in OpenStack? Or does it depend on a specific version of library?
|
|
||||||
|
|
||||||
|
|
||||||
Testing
|
|
||||||
=======
|
|
||||||
|
|
||||||
Please discuss how the change will be tested. We especially want to know what
|
|
||||||
tempest tests will be added. It is assumed that unit test coverage will be
|
|
||||||
added so that doesn't need to be mentioned explicitly, but discussion of why
|
|
||||||
you think unit tests are sufficient and we don't need to add more tempest
|
|
||||||
tests would need to be included.
|
|
||||||
|
|
||||||
Is this untestable in gate given current limitations (specific hardware /
|
|
||||||
software configurations available)? If so, are there mitigation plans (3rd
|
|
||||||
party testing, gate enhancements, etc).
|
|
||||||
|
|
||||||
|
|
||||||
Documentation Impact
|
|
||||||
====================
|
|
||||||
|
|
||||||
What is the impact on the docs team of this change? Some changes might require
|
|
||||||
donating resources to the docs team to have the documentation updated. Don't
|
|
||||||
repeat details discussed above, but please reference them here.
|
|
||||||
|
|
||||||
|
|
||||||
References
|
|
||||||
==========
|
|
||||||
|
|
||||||
Please add any useful references here. You are not required to have any
|
|
||||||
reference. Moreover, this specification should still make sense when your
|
|
||||||
references are unavailable. Examples of what you could include are:
|
|
||||||
|
|
||||||
* Links to mailing list or IRC discussions
|
|
||||||
|
|
||||||
* Links to notes from a summit session
|
|
||||||
|
|
||||||
* Links to relevant research, if appropriate
|
|
||||||
|
|
||||||
* Related specifications as appropriate (e.g. if it's an EC2 thing, link the
|
|
||||||
EC2 docs)
|
|
||||||
|
|
||||||
* Anything else you feel it is worthwhile to refer to
|
|