RFC: remove support for deployments without authentication?

Dmitry Tantsur

Jan 27, 2022, 11:38:09 AM
to Metal3 Development List
Hi folks,

Does anyone have a use case for deploying Ironic without authentication? I'm struggling to come up with one. Removing no-auth mode will somewhat simplify the deployment files.

Dmitry

--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill

Julia Kreger

Jan 27, 2022, 2:56:43 PM
to Dmitry Tantsur, Metal3 Development List
I'm in support of removing support for it from Metal3.

When we first went to leverage the no-auth concept in Ironic, it was
to fire ironic up, use it as a tool to provision a few machines, and
then shut down the machine using the tool. Obviously, we were
horrified when people expressed they wanted to do this in long-lived
cases.

That support for no-auth in any useful sense continues to be a legacy
which should likely just be moved past.

Just my $0.02,

-Julia
> --
> You received this message because you are subscribed to the Google Groups "Metal3 Development List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to metal3-dev+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/metal3-dev/CACNgkFzdaSR98Njvca9C1gr9wwM5AsE%2BT8h_YpmAsLkBPRRKBA%40mail.gmail.com.

Lennart Jern

Jan 28, 2022, 1:37:50 AM
to Julia Kreger, Dmitry Tantsur, Metal3 Development List
I have been thinking the same thing and would also like to simplify this.

As someone quite new to the project, I would like to know if there is a point in reopening the discussion about decoupling BMO and Ironic? My understanding is that the need for authentication came when BMO was bundled with CAPM3 and separated from Ironic. Now that BMO is again separate from CAPM3, would it make sense to "merge" the BMO and Ironic pods?

The design doc mentions the loopback interface (same pod) as an alternative to authentication, but it didn't make sense at the time, I guess. Would it make sense now or is it better to keep them separated and drop the no-auth option?

Lennart

Kashif Khan

Jan 28, 2022, 2:23:13 AM
to Dmitry Tantsur, Metal3 Development List
Hi Dmitry,

I think it's good to remove it from our side. One thing to clarify for better understanding is that when you say remove no-auth, you mean removing it from ironic deployment files in BMO repo, right?

BR
Kashif

Dmitry Tantsur

Jan 28, 2022, 3:45:45 AM
to Kashif Khan, Metal3 Development List
On Fri, Jan 28, 2022 at 8:23 AM Kashif Khan <kashi...@est.tech> wrote:
> Hi Dmitry,
>
> I think it's good to remove it from our side. One thing to clarify for better understanding is that when you say remove no-auth, you mean removing it from ironic deployment files in BMO repo, right?

And from ironic-image and metal3-dev-env.

Dmitry Tantsur

Jan 28, 2022, 3:47:58 AM
to Lennart Jern, Metal3 Development List
On Fri, Jan 28, 2022 at 7:37 AM Lennart Jern <lennar...@est.tech> wrote:
> I have been thinking the same thing and would also like to simplify this.
>
> As someone quite new to the project, I would like to know if there is a point in reopening the discussion about decoupling BMO and Ironic? My understanding is that the need for authentication came when BMO was bundled with CAPM3 and separated from Ironic. Now that BMO is again separate from CAPM3, would it make sense to "merge" the BMO and Ironic pods?

I think BMO and Ironic are normally deployed in the same pod, but it doesn't automatically preclude authentication.

> The design doc mentions the loopback interface (same pod) as an alternative to authentication, but it didn't make sense at the time, I guess. Would it make sense now or is it better to keep them separated and drop the no-auth option?

Ironic cannot simply listen on loopback; it needs a way for the ramdisk to call back home. We could probably use some sophisticated iptables rules or .htaccess to ban all endpoints other than the ramdisk ones, but it won't be a great simplification. It would also complicate debugging: right now people commonly access Ironic for that.

Dmitry
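
The endpoint filter mentioned in the last reply, sketched as an added example (it is not part of the thread and is not Metal3 or Ironic code): only ramdisk callbacks pass without credentials, and request targets that would slip past a naive prefix match are rejected. The route list (/v1/lookup and /v1/heartbeat/<node>) is an assumption about Ironic's ramdisk API, since the thread does not name the endpoints; the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption (not stated in the thread): the ramdisk calls back through
# Ironic's lookup and heartbeat routes only.
RAMDISK_ROUTES = (
    ("GET", re.compile(r"/v1/lookup")),
    ("POST", re.compile(r"/v1/heartbeat/[A-Za-z0-9._-]+")),
)

def normalize(raw_target):
    """Decode a request target to a plain path, or None if it is suspicious."""
    parts = urlsplit(raw_target)
    if parts.scheme or parts.netloc:
        return None  # absolute-form or //host targets are not ramdisk callbacks
    path = unquote(parts.path)
    # Dot segments, doubled slashes and leftover escapes (double encoding)
    # are the usual ways a path filter in front of an API gets bypassed.
    if ".." in path.split("/") or "//" in path or "%" in path:
        return None
    if any(ord(c) < 0x20 for c in path):
        return None  # control characters, e.g. an encoded newline
    return path

def allowed_without_auth(method, raw_target):
    """True only for a ramdisk callback; everything else must authenticate."""
    path = normalize(raw_target)
    if path is None:
        return False
    return any(
        method.upper() == verb and rx.fullmatch(path) is not None
        for verb, rx in RAMDISK_ROUTES
    )

# Constructed sample requests, not taken from a real deployment.
SAMPLE = [
    ("GET", "/v1/lookup?addresses=52:54:00:aa:bb:cc"),
    ("POST", "/v1/heartbeat/1be26c0b-03f2-4d2e-ae87-c02d7f33c123"),
    ("GET", "/v1/nodes"),
    ("POST", "/v1/heartbeat/%2e%2e/nodes"),
    ("POST", "/v1/heartbeat/x%252f..%252fnodes"),
]

def decisions(requests=SAMPLE):
    """Return the allow/deny decision for each (method, target) pair."""
    return [allowed_without_auth(m, t) for m, t in requests]
```

Matching is done with fullmatch on the decoded path, so a trailing slash, an extra path segment or a different HTTP verb on a ramdisk route all fall through to authentication.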