[Maas-devel] State of RPC registration and security #2
Gavin Panella
gavin.panella at canonical.com
Thu Oct 9 23:31:53 UTC 2014
On 10 October 2014 00:18, Andres Rodriguez <...> wrote:
...
> On Fri, Oct 10, 2014 at 1:13 AM, Gavin Panella <...> wrote:
...
>> There are some rough edges:
>>
>> - When deleting a cluster, it is not disconnected from the region.
>> This is not a new bug, and it's not critical.
>
>
> We need to fix this.
If you remove the secret on the cluster's machine, restart maas-cluster,
then delete the cluster in the UI, it'll stay gone. Can we live with
that for 1.7? Fixing it is a little tricky.
>>
>>
>> - Using `sudo maas-provision install-shared-secret` writes the file
>> root:root, 0640. We need it to be readable by MAAS, i.e. the "maas"
>> user. I'm reluctant to put that kind of behaviour into upstream
>> maas-provision because the user MAAS runs as is a system policy
>> decision. Perhaps we could flip the setgid bit on /var/lib/maas to
>> ensure that files therein are always in the maas group.
>
>
> I have an idea to manage this from the packaging, so we request the
> shared secret when we are reconfiguring the cluster to point it to the
> Region Controller.
That sounds good. If you obtain it as a hex-encoded string you can feed
it to maas-provision:

    maas-provision install-shared-secret <<<${secret_as_hex}

and it'll do the right thing, though beware of user/group.
>>
>>
>> - There's still no nice way to obtain the secret from the region so
>> that you can install it on the clusters:
>
>
> I'm comfortable that every time we tell the cluster to register to the
> region, we also input the shared secret. Does this make sense? (So
> when we are registering a cluster with the Region, we will tell where
> the Region is and what the shared secret is so it can authenticate).
We do still need to capture that information, so it sounds fine. Right
now the cluster won't start unless there's a secret installed (that's
done in the Upstart script).
>>
>>
>> `maas-provision install-shared-secret` expects the secret
>> hex-encoded. It's stored unencoded on the filesystem. Copy-n-paste
>> from the secret file on the region to the prompt shown by
>> `maas-provision ...` will not work.
>>
>>
>> - /etc/init/maas-cluster-register.conf is not removed when installing
>> packages built from my branches. I have removed references to it in
>> the packaging, so I don't know what I've missed.
>
>
> Awesome! Thanks. I'll take the review action on that one.
Thank you!
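
The two secret-handling points raised in this message (the raw secret has to be hex-encoded before it is handed to `maas-provision install-shared-secret`, and the installed file has to be readable by the service's group without being open to everyone) can be checked with a short script. This is an added example, not part of the original message and not MAAS code; the function names, the scratch file and the gid values are assumptions, and it uses GNU `stat` as found on Linux.

```shell
#!/bin/sh
# Added example. File locations and the gid are assumptions, not MAAS code.

# Hex-encode the raw bytes of a secret file: the form the message says
# `maas-provision install-shared-secret` expects. -v stops od collapsing
# repeated lines into "*", which would corrupt the encoding.
secret_to_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Audit an installed secret file. $1 = file, $2 = numeric gid of the group
# the service runs with. Prints one finding per line; returns 0 when clean,
# 1 on findings, 2 if the file cannot be examined. Uses GNU stat (Linux).
audit_secret() {
    file=$1; want_gid=$2; rc=0
    mode=$(stat -c %a "$file") || return 2
    gid=$(stat -c %g "$file") || return 2
    if [ $(( 0$mode & 007 )) -ne 0 ]; then
        echo "world-accessible (mode $mode)"; rc=1
    fi
    if [ $(( 0$mode & 040 )) -eq 0 ]; then
        echo "group cannot read (mode $mode)"; rc=1
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "owned by gid $gid, expected $want_gid"; rc=1
    fi
    return $rc
}

# Demo on a constructed secret in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed-sample-secret' > "$dir/secret"
    chmod 0640 "$dir/secret"
    echo "hex for the cluster: $(secret_to_hex "$dir/secret")"
    # A service group other than the file's own, as with a root:root file.
    audit_secret "$dir/secret" "$(( $(stat -c %g "$dir/secret") + 1 ))" \
        || echo "audit reported findings"
    rm -rf "$dir"
}
demo
```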