Running Fuel as non-superuser

https://blueprints.launchpad.net/fuel/+spec/fuel-nonsuperuser

It should be possible to run the Fuel master node and the slave nodes as a non-superuser (non-root). Currently, users are required to log into the master node using the root account by default. This could represent an enterprise security policy violation for many companies.

This specification addresses usage of the root accounts on slave nodes for user access.

Problem description

Currently, the Fuel master node uses the root account for all operations, including:

  • deployment and configuration
  • running services (Astute, Nailgun, etc.)
  • user operations (CLI, upgrades, etc.)
  • accessing slave nodes (addressed in this specification)

Many corporate users of Fuel are required to meet security compliance standards across their infrastructure, Fuel included. Many such policies restrict interactive access to non-root accounts. Consequently, Fuel should operate using non-privileged accounts wherever possible.

Proposed changes

Disabling remote root SSH access to slave nodes

  • Console root access will still be allowed.
  • There are going to be 2 UNIX user accounts on provisioned nodes to log in as:
    • User-defined account. This account will be used by the operator to log into provisioned/deployed OpenStack nodes and will be fully configurable by the user via the UI (name, password, home directory, sudo settings, SSH keys); its defaults will be:
      • Name: fueladmin
      • Password: fueladmin
      • Home directory: /home/fueladmin
      • Sudo: ALL=(ALL) ALL (to allow sudo w/ password)
      • SSH keys: None
    • Service account. This account is going to be used by Fuel to log into provisioned/deployed nodes via SSH. It will use key-based SSH authentication with the same public key that root uses now. Its settings will be hidden from the UI and will default to:
      • Name: fuel
      • Password: random, generated by Nailgun
      • Home directory: /var/lib/fuel
      • Sudo: ALL=(ALL) NOPASSWD: ALL (at this point, service user will have passwordless sudo; sudo configuration will be made more restrictive in a separate blueprint in the future)
  • The accounts, together with all the required configuration (sshd, sudoers), will be created at the image building stage (in cloud-config templates)
  • SSH keys will be injected into target images during image build process by fuel-agent
  • Every service that uses SSH to access slave nodes will be modified to use the service account passed by Nailgun for remote login.
  • Certain OSTF tests will be modified, since these tests access slaves via SSH and a non-root account might not have the privileges needed to perform the required commands (e.g. reading /etc/nova/nova.conf)
  • CI infrastructure (fuel-qa/fuel-devops) will be updated to use a non-root account for SSH access to slaves. All commands that are executed on slaves and require elevated privileges will be wrapped in sudo.

Web UI

  • Add following items to settings tab:
    • User account name (defaults to fueladmin)
    • User account password (defaults to fueladmin)
    • User account home directory (defaults to /home/fueladmin)
    • User-supplied public SSH keys (empty by default)
    • Sudo configuration for this user (default is requiring password)

Nailgun

  • Fuel-agent’s cloud-init templates will be extended to:
    • Create user accounts
    • Populate sudoers.d
    • Configure sshd_config to set “PermitRootLogin no” (boothook)
    • Inject public SSH keys
  • openstack.yaml fixture will be changed to include slave node user accounts configuration
  • Extend provisioning serializer to pass OS user account settings to Astute/Fuel agent
  • Nailgun will pass the ssh-user parameter to Shotgun along with the ssh-key for remote SSH access. The username will be taken from the DB.
  • Shotgun will be extended to accept the ssh-user parameter and to use sudo where needed.

Data model

Cluster attributes will be extended with the following items:

editable:
...
  operator_user:
    name:
      type: 'text'
      value: 'fueladmin'
    password:
      type: 'password'
      value: 'fueladmin'
    homedir:
      description: ""
      type: 'text'
      value: '/home/fueladmin'
    authkeys:
      description: ""
      type: 'textarea'
      value: ''
    sudo:
      description: ""
      type: 'textarea'
      value: 'ALL=(ALL) ALL'
  service_user:
    name:
      type: 'hidden'
      value: 'fuel'
    homedir:
      type: 'hidden'
      value: '/var/lib/fuel'
    authkeys:
      type: 'hidden'
      value: ''
    sudo:
      type: 'hidden'
      value: 'ALL=(ALL) NOPASSWD : ALL'
...
generated:
  service_user:
    password:
      generator: "password"
    root_password:
      generator: "password"
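As an added illustration of the Nailgun/fuel-agent changes above (create the two accounts, populate sudoers, set “PermitRootLogin no”, inject keys) driven by the data model just shown, the following Python builds the cloud-config for a target image from the operator_user / service_user attributes. This is example code, not fuel-agent's own templates: the login-name whitelist, the single-rule check on the sudo textarea and the bootcmd form of the boothook are assumptions made here, and SAMPLE_EDITABLE is constructed sample data.

```python
import re

LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # POSIX-style login name (assumed whitelist)
# The spec's boothook, as a bootcmd one-liner: force "PermitRootLogin no" into sshd_config.
SSHD_ROOT_OFF = ("sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config; "
                 "grep -q '^PermitRootLogin no' /etc/ssh/sshd_config || "
                 "echo 'PermitRootLogin no' >> /etc/ssh/sshd_config")

def value(section, key):
    """Read the 'value' field of one cluster attribute, as laid out in the data model."""
    return section[key]["value"]

def check_sudo_spec(spec):
    """The sudo spec comes from a textarea: accept one plain rule only, so a second line,
    a comment or a continuation cannot add further sudoers entries."""
    spec = spec.strip()
    if not spec or "\n" in spec or "\\" in spec or spec.startswith("#"):
        raise ValueError("sudo spec must be a single sudoers rule: %r" % spec)
    return spec

def user_entry(section, password, extra_keys=()):
    """One cloud-init 'users' item from an operator_user / service_user section."""
    name = value(section, "name")
    if not LOGIN_RE.match(name):
        raise ValueError("invalid login name: %r" % name)
    keys = [k.strip() for k in value(section, "authkeys").splitlines() if k.strip()]
    return {"name": name, "homedir": value(section, "homedir"),
            "lock_passwd": False, "plain_text_passwd": password,
            "sudo": check_sudo_spec(value(section, "sudo")),  # cloud-init prepends the name
            "ssh_authorized_keys": keys + list(extra_keys)}

def render_cloud_config(editable, service_password, service_pubkey):
    """The cloud-config fuel-agent would bake into the image (as a dict, before YAML dump)."""
    op, svc = editable["operator_user"], editable["service_user"]
    return {"users": [user_entry(op, value(op, "password")),
                      user_entry(svc, service_password, extra_keys=[service_pubkey])],
            "disable_root": True,  # root keeps console access only; no SSH key for it
            "bootcmd": [SSHD_ROOT_OFF]}

def attrs(**kw):
    """Constructed sample data in the shape of the 'editable' section above."""
    return {k: {"value": v} for k, v in kw.items()}

SAMPLE_EDITABLE = {
    "operator_user": attrs(name="fueladmin", password="fueladmin", homedir="/home/fueladmin",
                           authkeys="", sudo="ALL=(ALL) ALL"),
    "service_user": attrs(name="fuel", homedir="/var/lib/fuel", authkeys="",
                          sudo="ALL=(ALL) NOPASSWD: ALL"),
}
```

The service user's password is the Nailgun-generated value from the `generated` section; the returned dict is what a `#cloud-config` YAML dump would contain.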

REST API

None

Orchestration

None

RPC Protocol

None

Fuel Client

None

Plugins

None

Fuel Library

  • refactor openstack::auth_file into a defined resource so that multiple openrc files can be created for different users
  • modify Keystone task/manifest to create openrc files for following users:
    • root (for compatibility)
    • service user
    • user-defined account
  • add PermitRootLogin to osnailyfacter::ssh with the default being “yes”;
    • for the Fuel node, root login will be permitted (to be handled by a separate blueprint)
    • for OpenStack nodes, root login will be disabled
  • modify Ceph module to use service user account to execute ceph-deploy

Alternatives

None

Upgrade impact

When upgrading to the release containing this feature, the user accounts on already deployed slave nodes will have to be created and configured accordingly. This can easily be automated.

Security impact

This change will improve security:

  • root login over SSH will be disabled for OpenStack cluster nodes.
  • users will have to log in to OpenStack nodes with a non-root account.

Notifications impact

None

End user impact

Users will have to log into slave nodes with the accounts that were specified at the deployment stage.

Performance impact

None

Deployment impact

None

Developer impact

New features will need to be designed with consideration that root SSH access to slave nodes will be disabled.

Infrastructure impact

  • fuel-qa and fuel-devops
    • fuel-devops node description in templates will be extended with SSH user/password settings
    • User for SSH login will be taken from the node description instead of environment variables

Documentation impact

Documentation will have to be updated to reflect the changes (using non-root accounts for access, etc.).

Implementation

Assignee(s)

Primary assignee:
Dmitry Nikishov <nikishov-da>
QA Assignee:
Andrey Sledzinskiy <asledzinskiy>
Other contributors:
Omar Rivera <gomarivera>
Mandatory design review:
Omar Rivera <gomarivera> Dmitry Borodaenko <dborodaenko> Sergii Golovatiuk <sgolovatiuk> Igor Kalnitsky <ikalnitsky>

Work Items

  • Introduce non-root account configuration for slave nodes in UI (fuel-web).
  • Move openrc file to a new location on slave nodes (fuel-library)
  • Pass non-root account to fuel-agent to configure target OS images (fuel-web, fuel-agent).
  • Change Astute to use credentials passed by Nailgun for SSH access (fuel-astute)
  • Fix/change OSTF that rely on SSH user having root-level privileges (fuel-ostf).
  • Fix CI jobs to use non-root account for slave nodes SSH access (fuel-qa, fuel-devops).

Testing, QA

  • Nailgun’s unit and integration tests will be extended to test new features.
  • Astute’s unit and integration tests will be extended to test new features.
  • Fuel-agent’s unit and integration tests will be extended to test new features.
  • Fuel-library unit tests will be extended to test new features.
  • Fuel-qa will be extended to try to log in to the slave node with the default root credentials (root/r00tme) and verify that the login is refused

Acceptance criteria

  • Remote SSH root login is disabled for slave nodes.
  • User can specify settings for the account that should be created during initial deployment.
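As an added example for the testing and acceptance criteria above, the following Python audits a deployed node's effective sshd configuration and sudoers text for the two criteria this spec introduces: remote root SSH login disabled, the operator account with password-protected sudo, and the service account with passwordless sudo. It is example code, not fuel-qa's own tests; it assumes the inputs are the text of `sudo sshd -T` and of the sudoers files collected from the node, and the SAMPLE_* values are constructed.

```python
def parse_sshd_effective_config(sshd_t_output):
    """Parse `sshd -T` output ('keyword value' lines, keywords lowercased) into a dict."""
    conf = {}
    for line in sshd_t_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def root_ssh_login_disabled(sshd_t_output):
    """True only when the effective setting is exactly 'no' (not 'without-password' etc.)."""
    return parse_sshd_effective_config(sshd_t_output).get("permitrootlogin") == "no"

def sudo_rules(sudoers_text):
    """Map user -> list of rule specs from sudoers text; comments, Defaults and group rules skipped."""
    rules = {}
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "%")):
            continue
        user, _, spec = line.partition(" ")
        rules.setdefault(user, []).append(spec.strip())
    return rules

def check_node(sshd_t_output, sudoers_text, operator, service):
    """Return a list of findings; an empty list means the node meets the acceptance criteria."""
    findings = []
    if not root_ssh_login_disabled(sshd_t_output):
        findings.append("PermitRootLogin is not 'no'")
    rules = sudo_rules(sudoers_text)
    if operator not in rules:
        findings.append("operator user %s has no sudo rule" % operator)
    elif any("NOPASSWD" in r for r in rules[operator]):
        findings.append("operator user %s has passwordless sudo" % operator)
    if not any("NOPASSWD" in r for r in rules.get(service, [])):
        findings.append("service user %s lacks passwordless sudo" % service)
    return findings

# Constructed samples of what a correctly deployed node would return.
SAMPLE_SSHD_T = "port 22\npermitrootlogin no\npasswordauthentication yes\n"
SAMPLE_SUDOERS = ("# generated during image build\nDefaults env_reset\n"
                  "fueladmin ALL=(ALL) ALL\nfuel ALL=(ALL) NOPASSWD: ALL\n")
```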

References

None