[Maas-devel] State of RPC registration and security #2
Andres Rodriguez
andres.rodriguez at canonical.com
Thu Oct 9 23:18:12 UTC 2014
Hi Gavin,
On Fri, Oct 10, 2014 at 1:13 AM, Gavin Panella <gavin.panella at canonical.com>
wrote:
> I think it's working. Doing some brief QA with:
>
> lp:~allenap/maas/remove-cluster-register-op
> lp:~allenap/maas/remove-cluster-startup-helper (packaging)
>
> (Don't pay much attention to the names; they're both the end of
> pipelines.)
>
> seems to work. The cluster comes up and registers with the region okay.
>
> There are some rough edges:
>
> - When deleting a cluster, it is not disconnected from the region. This
> is not a new bug, and it's not critical.
>
We need to fix this.
>
> - Using `sudo maas-provision install-shared-secret` writes the file
> root:root, 0640. We need it to be readable by MAAS, i.e. the "maas"
> user. I'm reluctant to put that kind of behaviour into upstream
> maas-provision because the user MAAS runs as is a system policy
> decision. Perhaps we could flip the setgid bit on /var/lib/maas to
> ensure that files therein are always in the maas group.
>
I have an idea to manage this from the packaging, so we request the shared
secret when we are reconfiguring the cluster to point it to the Region
Controller.
>
> - There's still no nice way to obtain the secret from the region so that
> you can install it on the clusters:
>
I'm comfortable that every time we tell the cluster to register to the
region, we also input the shared secret. Does this make sense? (So when we
are registering a cluster with the Region, we will tell where the Region is
and what the shared secret is so it can authenticate).
>
> `maas-provision install-shared-secret` expects the secret hex-encoded.
> It's stored unencoded on the filesystem. Copy-n-paste from the secret
> file on the region to the prompt shown by `maas-provision ...` will
> not work.
> - /etc/init/maas-cluster-register.conf is not removed when installing
> packages built from my branches. I have removed references to it in
> the packaging, so I don't know what I've missed.
>
Awesome! Thanks. I'll take the review action on that one.
>
> - Probably lots of other things.
>
> Please review my branches, land them, try them out, reply to this email,
> file bugs. I will work on any issues in the morning.
>
> Gavin.
--
Andres Rodriguez
Engineering Manager, HWE Team
Canonical USA, Inc.
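
Added example (not part of the original email and not MAAS code): a Python sketch of the two file-handling points raised in the thread, the hex-encoded prompt versus the raw on-disk secret, and a 0640 secret file that must end up readable by the service group. The function names, the temporary directory standing in for /var/lib/maas, and the sample bytes are assumptions.

```python
import binascii
import os
import stat
import tempfile


def to_hex(raw: bytes) -> str:
    """Hex-encode the raw on-disk secret so it can be pasted at the install prompt."""
    return binascii.hexlify(raw).decode("ascii")


def install_secret(hex_secret: str, path: str) -> None:
    """Decode a hex secret and store the raw bytes at `path` with mode 0640."""
    raw = binascii.unhexlify(hex_secret.strip())  # binascii.Error if not hex
    tmp = path + ".tmp"
    # O_EXCL refuses a pre-existing temp file; the mode applies from creation,
    # so the secret is never on disk with wider permissions.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    try:
        os.fchmod(fd, 0o640)  # make the result independent of the umask
        os.write(fd, raw)
    finally:
        os.close(fd)
    os.rename(tmp, path)  # atomic replace within the same directory


def audit_secret(path: str, service_gid: int) -> list:
    """Return reasons the service group cannot read the file, or others can."""
    st = os.stat(path)
    problems = []
    if st.st_gid != service_gid:
        problems.append("group is not the service group")
    if not st.st_mode & stat.S_IRGRP:
        problems.append("group cannot read")
    if st.st_mode & stat.S_IRWXO:
        problems.append("accessible by others")
    return problems


def demo() -> list:
    with tempfile.TemporaryDirectory() as d:  # stand-in for /var/lib/maas
        os.chmod(d, 0o2750)  # setgid: new files take the directory's group
        raw = b"\x00\x9f constructed secret \xff"  # constructed sample bytes
        path = os.path.join(d, "secret")
        install_secret(to_hex(raw), path)
        return audit_secret(path, os.stat(d).st_gid)


if __name__ == "__main__":
    print(demo() or "secret file is group-readable only")
```
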