Problem statement
Currently creating a Foreman Proxy requires OAuth credentials. This is the only usage of OAuth within Foreman and doesn’t provide a nice experience for users. It may also be a security concern because the credentials provide admin privileges.
Current implementation
When the user wants to install a new Foreman Proxy, the common workflow is to run foreman-installer --no-enable-foreman --no-enable-foreman-cli --foreman-proxy-foreman-base-url https://foreman.example.com --foreman-proxy-oauth-consumer-key $KEY --foreman-proxy-oauth-consumer-secret $SECRET
.
The OAuth credentials are used to authenticate to the Foreman API to create a smart_proxy entry. It’s also used to verify the features Foreman has recognized. Outside of that, it’s not used.
On a technical level it uses the Puppet foreman_smartproxy
type / provider. This calls the REST API with the OAuth credentials. First of all, it calls GET api/v2/smart_proxies
with name=#{name}
as search. If this exists, it calls PUT api/v2/smart_proxies/#{id}/refresh
(and PUT api/v2/smart_proxies/#{id}
to update the URL if needed). When it doesn’t, POST api/v2/smart_proxies
is called.
The feature verification works by taking the features Foreman reports in the smart_proxy API. The installer knows what features to expect. If there’s a mismatch, the installer will fail. This can happen when a feature on Foreman Proxy failed to initialize or when Foreman lacks a plugin that Foreman Proxy has. For example, when Foreman Proxy installs REX but Foreman doesn’t have REX installed.
When a smart_proxy entry is created in Foreman (both UI and API), it always refreshes the features. This means the Foreman Proxy must be online and functioning.
OAuth is used because an API request to create a Smart Proxy needs to be authenticated. Just trusting the SSL certificate is insufficient because a CA may be used for more than just the Foreman infrastructure. Not every host should be a Smart Proxy.
Implementation
Rather than creating the smart_proxy entry via the API, it should be possible to precreate the entry but not refresh its features. To achieve this, the form and API in Foreman should gain a field to not refresh the features as part of the save.
The API should also be modified to allow a Smart Proxy to get its own data and refresh its features. The authentication can happen via the SSL certificates already in place (used to authenticate when creating a config_report among others).
Then the foreman_proxy
provider should be modified to use SSL certificates to authenticate.
Considerations
This covers the manual way, but still requires OAuth for a fully automatic deployment where a host is provisioned and a new Foreman Proxy is created automatically. Either by using Puppet (outside of the installer) or calling the installer with hardcoded credentials or yet another way.
Instead of OAuth, the authentication can also be changed to use personal access tokens. The downside of that is that OAuth it “just works” with Puppet when using a Puppetmaster because you can provision Foreman with a key/secret, cache those values and reuse them. That now happens and means adding a Foreman Proxy is trivial.