termie / nova-migration-demo

Nova is a cloud computing fabric controller (the main part of an IaaS system). It is written in Python.
http://openstack.org/projects/compute/
Apache License 2.0

Should be a way to avoid having a server password generated #754

Open termie opened 13 years ago

termie commented 13 years ago

The OpenStack API will now automatically generate and return a password for you on server creation. There should be a way to specify that no password should be created or injected, for people that would prefer to use SSH keys.


Imported from Launchpad using lp2gh.

termie commented 13 years ago

(by dan-prince) Couple of things to add to this description:

1) It was my understanding that the Openstack API 1.0 was supposed to implement the Cloud Servers spec. As 'adminPass' is in that spec it should be generated and not merely be an option.

2) The existing password generation code doesn't hurt anything if you don't want to use it. You can silently ignore the returned password and make use of agents which disregard the password altogether. This issue came up on the mailing lists and it was generally decided (I thought) that there is no harm done if you don't want to use the password generation downstream with agents.

I'm not opposed to the existence of SSH keys but they certainly aren't in the spec and as such we may actually want to default to having that behavior off for this version of the API (Cloud Servers v1.0, etc.)

termie commented 13 years ago

(by justin-fathomdb) Hi Dan - I wasn't sure that we reached any agreement on the ML - I thought we just decided it was out-of-scope for that particular merge proposal and that we should open a separate issue.

I certainly agree for compatibility with CloudServers that it should default to generating the password (when using the OS API).

However, I think we should also try to have the OpenStack API be at parity with the EC2 API. It shouldn't be the case that if I want feature X (SSH keys, no password injection) I have to use the EC2 API, but if I want feature Y (Glance?) I have to use the OS API.

Given the code is there already for SSH key injection without password injection, I don't believe this is a big task.

On Wed, Mar 9, 2011 at 5:00 PM, Dan Prince dan.prince@rackspace.com wrote:

Couple of things to add to this description:

1) It was my understanding that the Openstack API 1.0 was supposed to implement the Cloud Servers spec. As 'adminPass' is in that spec it should be generated and not merely be an option.

2) The existing password generation code doesn't hurt anything if you don't want to use it. You can silently ignore the returned password and make use of agents which disregard the password altogether. This issue came up on the mailing lists and it was generally decided (I thought) that there is no harm done if you don't want to use the password generation downstream with agents.

I'm not opposed to the existence of SSH keys but they certainly aren't in the spec and as such we may actually want to default to having that behavior off for this version of the API (Cloud Servers v1.0, etc.)

You received this bug notification because you are a direct subscriber of the bug. https://bugs.launchpad.net/bugs/732274

termie commented 13 years ago

(by markwash) Justin,

Is the goal here to make ssh key use possible in os api? Or to make the existence (and transmission) of a root password optional?

If it is the former, I think my bug fix in lp727225 will give you what you want.

Thanks!

termie commented 13 years ago

(by justin-fathomdb) In this case, it's the latter: I think we should support good security "out of the box" if we can without a lot of extra work, and I think we definitely can in this case. Of course, I have you to thank for that with 727255!

termie commented 13 years ago

(by ttx) Justin: I agree that you shouldn't have to use EC2 API if you want SSH keys and no password injection. I think Dan's point is that merely generating a password doesn't really force you to inject it. Your choice of guest agent (agent-smith, cloud-init, ...) will decide what exactly is done with the proposed password (i.e. injection is controlled by the guest image used).