OpenCHAMI / smd

MIT License
0 stars 4 forks source link

[DEV] Open up /Inventory/RedfishEndpoints for GET Requests #32

Closed synackd closed 1 month ago

synackd commented 1 month ago

Description Currently, the /Inventory/RedfishEndpoints endpoint requires a token for GET requests because BMC passwords are stored there. It is my understanding that this information was originally needed for SMD to do discovery; however, since that functionality has been moved to Magellan, it doesn't seem that there is a need to keep this information in SMD.

Also, other tools like the Configurator and DHCP service need to be able to read information from RedfishEndpoints to generate config files and serve DHCP leases (respectively), and needing to present a token makes workflows using these tools more complex and presents the temptation to store tokens insecurely.

Unless there is a reason to keep BMC passwords in SMD, this issue is focused on two tasks:

  1. Removing sensitive BMC information from SMD
  2. Removing the authentication requirement for GET requests to /Inventory/RedfishEndpoints

Definition of Done Users/Tools are able to GET /Inventory/RedfishEndpoints without having to present a token, but are still required to present a token for POST/PUT/PATCH/DELETE to this endpoint. Results from a GET request to this endpoint do not include sensitive BMC information, especially the BMC password.

Additional context N/A

evanmcc commented 1 month ago

One of our needs at LBL is support for tools like a power control service and remote console access. These tools (at least the console service) will require the BMC passwords.

I've only used magellan with a manually supplied password, is there some automated functionality there that these tools could use?

If not, would it be possible to have an insecure and secure version of the endpoint?

alexlovelltroy commented 1 month ago

The actual credentials on a production system should be stored separately and rotated frequently. Vault seems well suited for this. Would it be reasonable to store a url from which the credentials can be retrieved instead of the credentials themselves? I think that would remove the need for secure vs insecure endpoints as well.

evanmcc commented 1 month ago

Yes, that makes sense. I feel like ideally these system management tools could be as state-light as possible, relying almost entirely on smd for node discovery and configuration.

Mapping the configuration node => vault endpoint might be a bit tricky, but probably worth the effort for not having to have all this information in multiple places.

synackd commented 1 month ago

store a url from which the credentials can be retrieved instead of the credentials themselves? I think that would remove the need for secure vs insecure endpoints as well.

Is that the way we should start going for this? Do we need to think about having instructions in OpenCHAMI on pointing to credentials via URL?

synackd commented 1 month ago

There have been recent additions to SMD (https://github.com/OpenCHAMI/smd/pull/34, https://github.com/OpenCHAMI/smd/pull/35) and Magellan (https://github.com/OpenCHAMI/magellan/pull/62) that allow BMC information (e.g. MAC and IP addresses) to be stored in Components/EthernetInterfaces. This eliminates my need to query RedfishEndpoints for this info, which was my impetus of this issue.

Do we still want to keep this issue open to discuss credential management or open a new one for it?

alexlovelltroy commented 1 month ago

Let's open a new issue for securely and simply managing BMC credentials.