Help with API - Store Undercloud Username/Password

Jason_Rist1 · July 21, 2015, 4:17am

Whilst writing an app that launches Undercloud install and then
subsequently installs an Overcloud (tripleO) on OpenStack, I ran into
the issue of having to store the credentials that return from the
Undercloud install.

What might be the best way? I guess ideally the credentials would be
stored securely, but at this point I'm curious what the best route for
this within Foreman would be regardless.

Does someone have any experience with this?

Thanks
Jason

Jason E. Rist
Senior Software Engineer
OpenStack Infrastructure Integration
Red Hat, Inc.
openuc: +1.972.707.6408
mobile: +1.720.256.3933
Freenode: jrist
github/identi.ca: knowncitizen

ohadlevy · July 21, 2015, 7:24am

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Whilst writing an app that launches Undercloud install and then
> subsequently installs an Overcloud (tripleO) on OpenStack, I ran into
> the issue of having to store the credentials that return from the
> Undercloud install.
>
> What might be the best way? I guess ideally the credentials would be
> stored securely, but at this point I'm curious what the best route for
> this within Foreman would be regardless.
>
> Does someone have any experience with this?
>

if its considered a compute resource in foreman, then it we store it in the
db encrypted. note - most people in here do not understand what you mean by
over/under cloud etc.

Ohad

···

On Tue, Jul 21, 2015 at 7:17 AM, Jason Rist wrote:

Thanks
Jason

Jason E. Rist
Senior Software Engineer
OpenStack Infrastructure Integration
Red Hat, Inc.
openuc: +1.972.707.6408
mobile: +1.720.256.3933
Freenode: jrist
github/identi.ca: knowncitizen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVrcfmAAoJEMqxYTi6t2f4qfgH+waw4wwoXrPuLkYAwIAeTl6J
0QADam6ZAwEcGiN5BEHm5JzCgmSAe540K0DZB+SN0FVJneoLWSLfMLsJ2DEy9AXx
4QqWRopqeVQ6OzzpYVTcdZJgiLvcwWTjMKSg673T2F09CO8E6OGVToSEPFJkSnKw
th2gXywrI7+Ty/I2l/RxXiKUVxqBB2PPv40K1KmULtiQntBvJlNeTJNbsOnB5Gij
Nodh470O2C83ow14ObQRy9HkIdnp7hvPcOLrfu8pcYUpFpG+YsuWXwf9PKJEsCcu
scmMW92WQDAVAGtfFz0qLPtoZqIPHotCMqTM5pk12zuTfqdORiLeBDsfWWkl/dI=
=gd7p
-----END PGP SIGNATURE-----

–
You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jason_Rist1 · July 21, 2015, 2:41pm

>
>
>
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Whilst writing an app that launches Undercloud install and then
>> subsequently installs an Overcloud (tripleO) on OpenStack, I ran into
>> the issue of having to store the credentials that return from the
>> Undercloud install.
>>
>> What might be the best way? I guess ideally the credentials would be
>> stored securely, but at this point I'm curious what the best route for
>> this within Foreman would be regardless.
>>
>> Does someone have any experience with this?
>>
>
> if its considered a compute resource in foreman, then it we store it in
> the db encrypted. note - most people in here do not understand what you
> mean by over/under cloud etc.
>

So it'd be which API call? There are a half dozen ways of using attributes
for compute resources?

···

On Tuesday, July 21, 2015 at 1:24:18 AM UTC-6, ohadlevy wrote: > On Tue, Jul 21, 2015 at 7:17 AM, Jason Rist > wrote:

Ohad

Thanks
Jason

dLobatog · July 21, 2015, 1:08pm

>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Whilst writing an app that launches Undercloud install and then
> > subsequently installs an Overcloud (tripleO) on OpenStack, I ran into
> > the issue of having to store the credentials that return from the
> > Undercloud install.
> >
> > What might be the best way? I guess ideally the credentials would be
> > stored securely, but at this point I'm curious what the best route for
> > this within Foreman would be regardless.
> >
> > Does someone have any experience with this?
> >
>
> if its considered a compute resource in foreman, then it we store it in the
> db encrypted. note - most people in here do not understand what you mean by
> over/under cloud etc.

Another concern worth mentioning, your credentials are stored encrypted,
BUT other Foreman administrators (people with access to the actual
Foreman host) could easily decrypt them. So it's better to have a shared
admin account.

···

On 07/21, Ohad Levy wrote: > On Tue, Jul 21, 2015 at 7:17 AM, Jason Rist wrote:

Ohad

Thanks
Jason

Jason E. Rist
Senior Software Engineer
OpenStack Infrastructure Integration
Red Hat, Inc.
openuc: +1.972.707.6408
mobile: +1.720.256.3933
Freenode: jrist
github/identi.ca: knowncitizen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVrcfmAAoJEMqxYTi6t2f4qfgH+waw4wwoXrPuLkYAwIAeTl6J
0QADam6ZAwEcGiN5BEHm5JzCgmSAe540K0DZB+SN0FVJneoLWSLfMLsJ2DEy9AXx
4QqWRopqeVQ6OzzpYVTcdZJgiLvcwWTjMKSg673T2F09CO8E6OGVToSEPFJkSnKw
th2gXywrI7+Ty/I2l/RxXiKUVxqBB2PPv40K1KmULtiQntBvJlNeTJNbsOnB5Gij
Nodh470O2C83ow14ObQRy9HkIdnp7hvPcOLrfu8pcYUpFpG+YsuWXwf9PKJEsCcu
scmMW92WQDAVAGtfFz0qLPtoZqIPHotCMqTM5pk12zuTfqdORiLeBDsfWWkl/dI=
=gd7p
-----END PGP SIGNATURE-----

–
You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups “foreman-dev” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

–
Daniel Lobato Garcia

@eLobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato

ohadlevy · July 21, 2015, 2:44pm

>
>
>>
>>
>>
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> Whilst writing an app that launches Undercloud install and then
>>> subsequently installs an Overcloud (tripleO) on OpenStack, I ran into
>>> the issue of having to store the credentials that return from the
>>> Undercloud install.
>>>
>>> What might be the best way? I guess ideally the credentials would be
>>> stored securely, but at this point I'm curious what the best route for
>>> this within Foreman would be regardless.
>>>
>>> Does someone have any experience with this?
>>>
>>
>> if its considered a compute resource in foreman, then it we store it in
>> the db encrypted. note - most people in here do not understand what you
>> mean by over/under cloud etc.
>>
>
> So it'd be which API call? There are a half dozen ways of using attributes
> for compute resources?
>
sorry, you are being cryptic… I'm not following.

Ohad

···

On Tue, Jul 21, 2015 at 5:41 PM, wrote: > On Tuesday, July 21, 2015 at 1:24:18 AM UTC-6, ohadlevy wrote: >> On Tue, Jul 21, 2015 at 7:17 AM, Jason Rist wrote:

Ohad

Thanks
Jason

–
You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

dLobatog · July 22, 2015, 12:09pm

>
>
> >
> >
> >
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>
> >> Whilst writing an app that launches Undercloud install and then
> >> subsequently installs an Overcloud (tripleO) on OpenStack, I ran into
> >> the issue of having to store the credentials that return from the
> >> Undercloud install.
> >>
> >> What might be the best way? I guess ideally the credentials would be
> >> stored securely, but at this point I'm curious what the best route for
> >> this within Foreman would be regardless.
> >>
> >> Does someone have any experience with this?
> >>
> >
> > if its considered a compute resource in foreman, then it we store it in
> > the db encrypted. note - most people in here do not understand what you
> > mean by over/under cloud etc.
> >
>
> So it'd be which API call? There are a half dozen ways of using attributes
> for compute resources?

Which API call to store the credentials and encrypt them?

POST api/v2/compute_resources
PUT api/v2/compute_resources

should do it. Any time the password changes it's automatically encrypted
thanks to

github.com

theforeman/foreman/blob/develop/app/models/compute_resource.rb#L7


class ComputeResource < ApplicationRecord
include Taxonomix
include Encryptable
include Authorizable
include Parameterizable::ByIdName
encrypts :password


validates_lengths_from_database


audited :except => [:password, :attrs]
serialize :attrs, Hash
has_many :trends, :as => :trendable, :class_name => "ForemanTrend"
belongs_to :http_proxy


before_destroy EnsureNotUsedBy.new(:hosts)
validates :name, :presence => true, :uniqueness => true
validate :ensure_provider_not_changed, :on => :update

Find more info about the API syntax here
http://theforeman.org/api_v2.html

···

On 07/21, jrist@redhat.com wrote: > On Tuesday, July 21, 2015 at 1:24:18 AM UTC-6, ohadlevy wrote: > > On Tue, Jul 21, 2015 at 7:17 AM, Jason Rist > > wrote:

Ohad

Thanks
Jason

–
You received this message because you are subscribed to the Google Groups “foreman-dev” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

–
Daniel Lobato Garcia

@eLobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato