Remove the ADMIN_TOKEN means of initializing a cluster with a CLI that has to be executed on the same machine as the Keystone installation.
ADMIN_TOKEN is a poor approach for initialzing a deployment. It provides a huge security risk for any site that fails to disable it after initial deployment. Since it is removed after the site is live, there is no means to reenable it without A) restarting the service and B) providing a huge surface for attack. However, for a broken system, sometimes it is the only tool that can effective fix things.
ADMIN_TOKEN is specified in the config file, which means that anyone one with read access to the file has unlimited ability to affect change in a keystone system. This is one of the values that forces the config file to be reable only by root and the keystone service. This limits non-root users ability to read the config to determine the state of the system and help troubleshoot.
Replace ADMIN_TOKEN with a set of CLI operations that affect the necessarchanges to initialize a keystone server:
|bootstrap-password||None||The bootstrap user password|
|bootstrap-generate-password||None||If set, will generate password automatically and return it in the output|
|bootstrap-project-name||admin||The initial project created during the keystone bootstrap process.|
|bootstrap-role-name||admin||The initial role-name created during the keystone bootstrap process.|
Direct database access, which would bypass all of the logic in the system.
Precanned Database scripts, which would always put the system into a known state; high risk of error and duplication, no way to fix a wedged system.
Should reduce the attack surface of the Keystone server. Anyone that can read the config file can adffect these changes now. With this change, the user access would be limited to the same Unix users that run the Keystone process, and would be managed via sudo.
THe same notifications generated when these changes are made via the API will be generated via this API.
This will change how CMSs interact with Keystone. The ADMIN_TOKEN approach will be deprecated.
This will remove the ability to use ADMIN_TOKEN to troubleshoot, and replace it with a more controlled approach.
Many releases later * remove support for ADMIN_TOKEN
Will change how all downstream project initialize Keystone.