
Nova/Blueprints/vmware-plaintext-vcenter-passwords

Design Goal

A recurring concern for customers deploying OpenStack is the presence of plaintext passwords in configuration files. This blueprint is scoped only to the VMware vCenter/ESX credentials found in nova.conf. When the vCenter driver is used, the username and password needed to connect to the remote hypervisor are stored in plain text in nova.conf. The goal is to protect access to those passwords. This can be done in a number of ways; the solution below uses existing OpenStack infrastructure.

Solution

The proposed solution is to let the operator store the vCenter username and password in the keystone credential store instead of nova.conf. Access to the credential store is controlled by keystone: the credential is owned by the nova user, and nova retrieves it with the nova user and password it already uses to talk to keystone. The vCenter secret is therefore no longer readable by anyone who can read nova.conf, although the nova service credentials themselves still are.

The VMware driver first checks the 'vmware' section of nova.conf for host_ip, host_username, and host_password. Only when host_username and/or host_password are missing from nova.conf does the driver contact keystone to look up a matching credential.

The keystone credential store does not enforce a strict schema on the credential blob. The most common type stored there is 'ec2'. This blueprint introduces a new type string, 'vmware'. The blob is a JSON object with three fields, host_ip, host_username, and host_password, matching the options in nova.conf. host_ip is required so that the credential can be matched to the specific host managed by this nova compute instance.

Here is an example of the metadata for this credential:

Id: 3cb25d0da8084f7d889548f8dd77df3b
User: nova (e29969d944314e15a5d02556b2298745)
Type: vmware
Blob: {"host_username": "root", "host_ip": "127.0.0.1", "host_password": "password"}
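The following is an added example (not code from the Nova VMware driver) of the lookup precedence described above: nova.conf is consulted first, and keystone only when host_username and/or host_password are absent. The keystone records are constructed inline in the shape a v3 credential listing returns (note that the blob is a JSON-encoded string), including a credential owned by another user, a credential for a different host_ip, and a malformed blob, so the matching rules and failure modes can be seen. The class and function names are this example's own.

```python
import json


class VMwareCredentialError(Exception):
    """Raised when no usable 'vmware' credential can be resolved."""


# Constructed sample of the [vmware] section of nova.conf after the
# username/password have been removed: only host_ip remains.
NOVA_CONF_VMWARE = {"host_ip": "127.0.0.1"}

# Keystone user id of the nova service user (value taken from the page).
NOVA_USER_ID = "e29969d944314e15a5d02556b2298745"

# Constructed sample of the records a keystone v3 credential listing
# returns. 'blob' is a JSON-encoded *string*, not a nested object.
KEYSTONE_CREDENTIALS = [
    {"id": "c1", "user_id": NOVA_USER_ID, "type": "ec2",
     "blob": json.dumps({"access": "AK", "secret": "SK"})},
    {"id": "3cb25d0da8084f7d889548f8dd77df3b", "user_id": NOVA_USER_ID,
     "type": "vmware",
     "blob": json.dumps({"host_username": "root", "host_ip": "127.0.0.1",
                         "host_password": "password"})},
    {"id": "c3", "user_id": NOVA_USER_ID, "type": "vmware",
     "blob": json.dumps({"host_username": "admin", "host_ip": "10.0.0.5",
                         "host_password": "other"})},
    # Same host_ip but owned by another user: must never be picked up.
    {"id": "c4", "user_id": "0123456789abcdef0123456789abcdef",
     "type": "vmware",
     "blob": json.dumps({"host_username": "root", "host_ip": "127.0.0.1",
                         "host_password": "not-ours"})},
    # Malformed blob: keystone does not validate it, so the lookup must.
    {"id": "c5", "user_id": NOVA_USER_ID, "type": "vmware",
     "blob": "{not json"},
]


def find_vmware_credential(credentials, user_id, host_ip):
    """Return the decoded blob of the single 'vmware' credential that is
    owned by user_id and whose host_ip field matches."""
    matches = []
    for cred in credentials:
        if cred.get("type") != "vmware" or cred.get("user_id") != user_id:
            continue
        try:
            blob = json.loads(cred.get("blob", ""))
        except (ValueError, TypeError):
            continue  # skip unparsable blobs rather than crash the driver
        if isinstance(blob, dict) and blob.get("host_ip") == host_ip:
            matches.append(blob)
    if not matches:
        raise VMwareCredentialError(
            "no 'vmware' credential for host_ip %s owned by user %s"
            % (host_ip, user_id))
    if len(matches) > 1:
        # Refuse to guess between duplicates; the operator must clean up.
        raise VMwareCredentialError(
            "%d 'vmware' credentials match host_ip %s" % (len(matches), host_ip))
    return matches[0]


def resolve_vmware_connection(conf, credentials, user_id):
    """Apply the precedence the page describes: nova.conf first, keystone
    only when host_username and/or host_password are absent there.

    Returns (settings, source) where source is 'nova.conf' or 'keystone'.
    """
    host_ip = conf.get("host_ip")
    if not host_ip:
        raise VMwareCredentialError("host_ip must be set in nova.conf")
    if conf.get("host_username") and conf.get("host_password"):
        return ({"host_ip": host_ip,
                 "host_username": conf["host_username"],
                 "host_password": conf["host_password"]}, "nova.conf")
    blob = find_vmware_credential(credentials, user_id, host_ip)
    missing = [k for k in ("host_username", "host_password") if not blob.get(k)]
    if missing:
        raise VMwareCredentialError(
            "keystone credential for %s lacks %s" % (host_ip, ", ".join(missing)))
    # Assumption of this example: a value that is present in nova.conf still
    # wins over the keystone copy, because nova.conf is consulted first.
    return ({"host_ip": host_ip,
             "host_username": conf.get("host_username") or blob["host_username"],
             "host_password": conf.get("host_password") or blob["host_password"]},
            "keystone")


if __name__ == "__main__":
    settings, source = resolve_vmware_connection(
        NOVA_CONF_VMWARE, KEYSTONE_CREDENTIALS, NOVA_USER_ID)
    print("%s -> %s@%s" % (source, settings["host_username"], settings["host_ip"]))
```

Two design points worth keeping in a real implementation: the owner check (user_id) is what stops another tenant's 'vmware' credential for the same IP from being used, and refusing to pick between duplicate matches is safer than silently taking the first one keystone happens to return.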

Prerequisites

To use this feature, the credential must be created in the keystone credential store before the nova compute instance is started. This is done with curl, a REST client, or a script against the keystone v3 API. The keystone client does not support creating credentials (mostly because it lacks v3 support). The upcoming openstack client can create credentials, but only of type 'ec2' and 'cert'. Hopefully it will be extended to accept any type, as the API does.

Usage

  1. Create a credential in keystone with type='vmware', a blob whose host_ip matches the host_ip in nova.conf, and user_id set to the nova user.
  2. Edit /etc/nova/nova.conf and remove host_username and host_password from the [vmware] section. Leave host_ip in place; it is the key the driver uses to find the credential.
  3. Restart that nova compute instance and check the logs for errors.
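Since neither client can create a 'vmware' credential, step 1 has to be done against the keystone v3 REST API directly. The following is an added example (not a tool from the Nova or Keystone projects) that builds and sends the POST /v3/credentials request. The request shape is the standard keystone v3 one (X-Auth-Token header, a "credential" object with type, user_id and a JSON-encoded blob string); the function names, the OS_AUTH_URL/OS_TOKEN environment lookup in the main block, and the sample values are this example's own.

```python
import json
import os
import urllib.request


def build_create_credential_request(keystone_url, token, user_id,
                                    host_ip, host_username, host_password):
    """Build the keystone v3 request that stores a 'vmware' credential.

    Returns (url, headers, body_bytes) so the request can be inspected or
    handed to any HTTP client.
    """
    # The blob must be a JSON-encoded string, exactly as the page example shows;
    # keystone stores it opaquely and the driver decodes it on lookup.
    blob = json.dumps({"host_ip": host_ip,
                       "host_username": host_username,
                       "host_password": host_password})
    body = {"credential": {"type": "vmware", "user_id": user_id, "blob": blob}}
    headers = {"X-Auth-Token": token, "Content-Type": "application/json"}
    url = keystone_url.rstrip("/") + "/v3/credentials"
    return url, headers, json.dumps(body).encode("utf-8")


def parse_create_response(status, body_bytes):
    """Return the id keystone assigned, or raise if creation failed."""
    if status != 201:
        raise RuntimeError("keystone returned HTTP %d: %s"
                           % (status, body_bytes.decode("utf-8", "replace")))
    created = json.loads(body_bytes.decode("utf-8"))
    cred = created["credential"]
    if cred.get("type") != "vmware":
        raise RuntimeError("unexpected credential type %r" % cred.get("type"))
    return cred["id"]


def create_vmware_credential(keystone_url, token, user_id,
                             host_ip, host_username, host_password):
    """Send the request with urllib and return the new credential id."""
    url, headers, body = build_create_credential_request(
        keystone_url, token, user_id, host_ip, host_username, host_password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_create_response(resp.status, resp.read())


if __name__ == "__main__":
    # Example's own convention: the vCenter password is read from an
    # environment variable rather than a command-line argument, so it does
    # not land in shell history or `ps` output.
    cred_id = create_vmware_credential(
        keystone_url=os.environ["OS_AUTH_URL"],
        token=os.environ["OS_TOKEN"],
        user_id=os.environ["NOVA_USER_ID"],
        host_ip=os.environ["VMWARE_HOST_IP"],
        host_username=os.environ["VMWARE_HOST_USERNAME"],
        host_password=os.environ["VMWARE_HOST_PASSWORD"])
    print("created credential", cred_id)
```

After the credential exists, listing GET /v3/credentials?user_id=<nova user id> with the same token shows the record in the form given under Solution above; that is the quickest check before restarting nova-compute in step 3.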