search

sonata-nfv / son-gkeeper

SONATA's Service Platform Gatekeeper
http://www.sonata-nfv.eu
Apache License 2.0
2 stars 18 forks source link

User Management creates a customer's keypair for FSM #890

Open dang03 opened 7 years ago

dang03 commented 7 years ago

Additional functionality required when a service is instantiated. User Management creates a customer's keypair at registration time. This keypair will be stored in the UM MongoDB database and available to the GK API through UM API /api/v1/users?username=. More info: How the FSM accesses each VM of a given Service Instance

dang03 commented 6 years ago

In order to retrieve end-user's (customer type) keypair required to inject to the instances, both Gatekeeper and/or SLM can send request to:

DarioValocchi commented 6 years ago

I'm implementing the IA side of this issue. What is the format that will be used to serialise the pub/priv keypair? I'd like to test in advance key serialisation format recognised/accepted by OpenStack.

DarioValocchi commented 6 years ago

currently, tests worked out well with the openSSH pub-key format

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCwMdTrMDW/8uclfU7ogCMCnIPqOmmpfKZ9E2Irb6enP+UIOZ6xLDQmhRqWw7Eob6j3P7Nh4112YD1TGHaXMtk05eaLsW7MLSpOXPuLX14a2HCzigTj76/YqWGnHwgDo0HoK7LJ8Jk89HDr96nGhFclmbss+IgCbjoJXOJtQ+JS2Q== dario@darioHost
dang03 commented 6 years ago

The keypair is generated using OpenSSL lib (OpenSSL::PKey::RSA.new(2048)), then it is encapsulated to PEM format, i.e.:

DarioValocchi commented 6 years ago

I tested OpenStack KeyPair resource trying to feed it with a PEM formatted public key, but apparently that is not supported. Is it possible to serialise or convert the public key in the openSSH format?

dang03 commented 6 years ago

I'm investigating which are the output supported formats. It is possible to directly store RSA format instead of PEM.

dang03 commented 6 years ago

Hi @DarioValocchi I changed the output format for the public keys. While private keys are being stored in the same PEM format, instances_public_key provides the next openssh format:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqMemN8JA9VO2lnO4fvHlmpkCrK4pA4WRIjWPG0ch4gItv+................./d/6ClfWH32fZuNM3VVAfN5qa56B

Please, check if is this works properly with Openstack.

DarioValocchi commented 6 years ago

Hi @dang03 This format has been already tested, and a module test is included in the package test of the IA. Keypair is created runtime with JAVA JSch package, which uses the same format you specified, a test VNF is deployed and ssh login attempt is done by the test package. sonata-nfv/son-sp-infrabstract#119 Next step is include this flow in the integration test SLM/IA

tsoenen commented 6 years ago

@dang03 @jbonnet : How does the SLM retrieve the keys. Is it included in the service instantiation request from the GK to the SLM, or should the SLM request it directly from the UM API? Is the SLM allowed to use the UM API?

jbonnet commented 6 years ago

Well, @tsoenen... 'Allowed' is a strong word! I still think there are advantages in having a clean architecture: just like the customer's email, the GTK can retrive the key(s) from the UM and inject them in the instantiation request to the SLM...

Is this urgent?

tsoenen commented 6 years ago

@jbonnet Semi-urgent I would say. It would be great if we could close this cycle (including SLM adjustments) by the end of this week.

jbonnet commented 6 years ago

Ok, @tsoenen ... @dang03 I'll implement this, referring to one of comments above... or do you want to do it?

jbonnet commented 6 years ago

To be implemented under #943 (the Gatekeeper part). @tsoenen:

  1. does the SLM needs both the public and the private keys?
  2. is it ok to include them under the user_data:customer keys, just like the email and phone(see #891)? 
    user_data:
customer:
email: ...
phone: ...
keys:
  public: ...
  private: ...
tsoenen commented 6 years ago

Yeah, SLM needs both.

I agree with the example

jbonnet commented 6 years ago

Ok, starting it...