[Maas-devel] State of RPC registration and security #2

Fri Oct 10 00:13:03 UTC 2014

On Fri, Oct 10, 2014 at 1:31 AM, Gavin Panella <gavin.panella at canonical.com>
wrote:

> On 10 October 2014 00:18, Andres Rodriguez <...> wrote:
> ...
> > On Fri, Oct 10, 2014 at 1:13 AM, Gavin Panella <...> wrote:
> ...
> >> There are some rough edges:
> >>
> >> - When deleting a cluster, it is not disconnected from the region.
> >>   This is not a new bug, and it's not critical.
> >
> >
> > We need to fix this.
>
> If you remove the secret on the cluster's machine, restart maas-cluster,
> then delete the cluster in the UI, it'll stay gone. Can we live with
> that for 1.7? Fixing it is a little tricky.
>

if we remove the secret and restart maas-cluster, the connection between
cluster / region should fail. If we remove the cluster from the WebUI, it
is gone for sure. In order for us to re-add this cluster we need to
reconfigure the shared secret, and will be added as a new cluster in the
sense that it will need to re-download images and so on.

> >>
> >>
> >> - Using `sudo maas-provision install-shared-secret` writes the file
> >>   root:root, 0640. We need it to be readable by MAAS, i.e. the "maas"
> >>   user. I'm reluctant to put that kind of behaviour into upstream
> >>   maas-provision because the user MAAS runs as is a system policy
> >>   decision. Perhaps we could flip the setgid bit on /var/lib/maas to
> >>   ensure that files therein are always in the maas group.
> >
> >
> > I have an idea to manage this from the packaging, so we request the
> > shared secret when we are reconfiguring the clsuter to point it to the
> > Region Controller.
>
> That sounds good. If you obtain it as a hex-encoded string you can feed
> it to maas-provision:
>
>     maas-provision install-shared-secret <<<${secret_as_hex}
>
> and it'll do the right thing, though beware of user/group.
>

Where does the user know what the shared secret is? Is the Cluster page on
the WebUI showing the shared secret? I think an admin should be able to
login to the Cluster Page and look at the shared secret.

When registering the Cluster, it should simply tell the Cluster what the
shared secret is.

>
> >>
> >>
> >> - There's still no nice way to obtain the secret from the region so
> >>   that you can install it on the clusters:
> >
> >
> > I'm comfortable that every time we tell the clsuter to register to the
> > region, we also input the shared secret. Does this make sense? (So
> > when we are registering a cluster with the Region, we will tell where
> > the Region is and what the shared secret is so it can authenticate).
>
> We do still need to capture that information, so it sounds fine. Right
> now the cluster won't start unless there's a secret installed (that's
> done in the Upstart script).
>
> >>
> >>
> >>   `maas-provision install-shared-secret` expects the secret
> >>   hex-encoded. It's stored unencoded on the filesystem. Copy-n-paste
> >>   from the secret file on the region to the prompt shown by
> >>   `maas-provision ...` will not work.
> >>
> >>
> >> - /etc/init/maas-cluster-register.conf is not removed when installing
> >>   packages built from my branches. I have removed references to it in
> >>   the packaging, so I don't know what I've missed.
> >
> >
> > Awesome! Thanks. I'll take the review action on that one.
>
> Thank you!
>

-- 
Andres Rodriguez
Engineering Manager, HWE Team
Canonical USA, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/maas-devel/attachments/20141010/ecf39256/attachment.html>