It should be possible to run the Fuel master node and the slave nodes as a non-superuser (non-root). Currently, users are required to log into the master node using the root account by default. This could represent an enterprise security policy violation for many companies.
This specification addresses usage of the root accounts on slave nodes for user access.
Currently, Fuel nodes use the root account for all operations, including:
Many corporate users of Fuel are required to meet security compliance standards across their infrastructure, Fuel included. Many such policies permit interactive access only through non-root accounts. Consequently, Fuel should operate using non-privileged accounts wherever it is possible to do so.
Disabling remote root SSH access to slave nodes
- Console root access will still be allowed.
- There are going to be two UNIX user accounts on provisioned nodes to log in as:
  - User-defined account. This account will be used by the operator to log into provisioned/deployed OpenStack nodes and will be fully configurable by the user via the UI (name, password, home directory, sudo settings, SSH keys); its defaults will be:
    - Name: fueladmin
    - Password: fueladmin
    - Home directory: /home/fueladmin
    - Sudo: ALL=(ALL) ALL (to allow sudo with password)
    - SSH keys: None
  - Service account. This account is going to be used by Fuel to log into provisioned/deployed nodes via SSH. It is going to use key-based SSH authentication with the same public key that root uses now. Its settings will be hidden from the UI and will default to:
    - Name: fuel
    - Password: random, generated by Nailgun
    - Home directory: /var/lib/fuel
    - Sudo: ALL=(ALL) NOPASSWD: ALL (at this point, the service user will have passwordless sudo; the sudo configuration will be made more restrictive in a separate blueprint in the future)
- The accounts, together with all the required configuration (sshd, sudoers), will be created at the image building stage (in cloud-config templates).
- SSH keys will be injected into target images during the image build process by fuel-agent.
- Every service that uses SSH to access slave nodes will be modified to use the service account passed by Nailgun for remote login.
- Certain OSTF tests will be modified, since these tests access slaves via SSH and a non-root account might not have the privileges required to perform the necessary commands (e.g. reading /etc/nova/nova.conf).
- CI infrastructure (fuel-qa/fuel-devops) will be updated to use a non-root account for SSH access to slaves. All commands executed on slaves that require elevated privileges will be wrapped in sudo.
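The image-build step described above, as an added example that is not Fuel's own cloud-config template: a cloud-config fragment that creates both accounts with the defaults listed in this spec and turns off remote root login over SSH. The password hashes, the public key, and the service restart commands are placeholders and assumptions; in Fuel these values would be supplied by Nailgun and fuel-agent.

```yaml
#cloud-config
# Added example, not Fuel's own template: creates the two accounts from this
# blueprint and disables remote root SSH login. PLACEHOLDER values are assumed;
# in Fuel they would be filled in by Nailgun/fuel-agent at image build time.
users:
  # Operator account: interactive login, sudo asks for the account password.
  - name: fueladmin
    homedir: /home/fueladmin
    shell: /bin/bash
    lock_passwd: false
    # SHA-512 crypt hash of the default password "fueladmin" (generate with
    # `mkpasswd -m sha-512`); never bake the plaintext password into the image.
    passwd: "$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH"
    sudo: "ALL=(ALL) ALL"
    # "SSH keys: None" by default; the operator adds keys through the UI.
  # Service account: key-based login for Fuel itself, passwordless sudo.
  - name: fuel
    homedir: /var/lib/fuel
    shell: /bin/bash
    lock_passwd: false
    # Hash of the random password Nailgun generates for this account.
    passwd: "$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH"
    sudo: "ALL=(ALL) NOPASSWD: ALL"
    ssh_authorized_keys:
      # Same public key that root is trusted with today.
      - "ssh-rsa PLACEHOLDER_PUBLIC_KEY fuel-master"

# Do not install any SSH keys for root; console root login is unaffected.
disable_root: true
# Password SSH login stays on so fueladmin can log in before adding keys.
ssh_pwauth: true

runcmd:
  # Turn off remote root login over SSH (root keeps working on the console).
  - sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
  - grep -q '^PermitRootLogin no' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
  # The service account must only ever authenticate with its key.
  - printf 'Match User fuel\n    PasswordAuthentication no\n' >> /etc/ssh/sshd_config
  - service ssh restart || service sshd restart
```

cloud-init writes the `sudo:` entries to /etc/sudoers.d/90-cloud-init-users, so after boot `sudo -l -U fuel` and `sudo -l -U fueladmin` show the two policies and `sshd -T | grep permitrootlogin` confirms the root restriction.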
Cluster attributes will be extended with the following items:

    editable:
      ...
      operator_user:
        name:
          type: 'text'
          value: 'fueladmin'
        password:
          type: 'password'
          value: 'fueladmin'
        homedir:
          description: ""
          type: 'text'
          value: '/home/fueladmin'
        authkeys:
          description: ""
          type: 'textarea'
          value: ''
        sudo:
          description: ""
          type: 'textarea'
          value: 'ALL=(ALL) ALL'
      service_user:
        name:
          type: 'hidden'
          value: 'fuel'
        homedir:
          type: 'hidden'
          value: '/var/lib/fuel'
        authkeys:
          type: 'hidden'
          value: ''
        sudo:
          type: 'hidden'
          value: 'ALL=(ALL) NOPASSWD : ALL'
      ...
    generated:
      service_user:
        password:
          generator: "password"
      root_password:
        generator: "password"
When upgrading to the release containing this feature, the user accounts on existing slave nodes will have to be handled as well. This can easily be automated.
This change will improve security:
Users will have to log into slave nodes with the accounts that were specified during the deployment stage.
New features will need to be designed with consideration that root SSH access to slave nodes will be disabled.
Documentation will have to be updated to reflect the changes (using non-root accounts for access, etc.).