Keystone: User CreateOpts for password field#709
Conversation
dlaw4608
changed the title
There was a problem hiding this comment.
Hi @dlaw4608, thanks for adding this, a very important field for the user controller. I would like to highlight a few things:
- I believe we need to change the logic to reconcile the password. Testing locally on my environment, I was not able to change the user password by simply changing the value of the
passwordkey in the secret. We need to identify a change in the secret upfront and then perform a PATCH operation[1] to properly update the password. We may want to add a new reconciler to the resource. Does it make sense? - From a user perspective, I believe it would be good to give the user the ability to pass the password encoded with base64. Testing locally, I chose to use the
datakey instead ofstringData, and the password wasn't changed as expected. Not sure if this is a real requirement, but I would like to highlight this.
[1] https://docs.openstack.org/api-ref/identity/v3/index.html#update-user
edit: I just realized you intended to add only the Create option for passwords. If so, you can ignore the first bullet point at this moment.
| name: user-sample | ||
| spec: | ||
| cloudCredentialsRef: | ||
| cloudName: devstack-admin |
There was a problem hiding this comment.
Maybe a change during development. Let's stick with openstack-admin for consistency. Wdyt?
| name: user-sample | ||
| spec: | ||
| cloudCredentialsRef: | ||
| cloudName: devstack-admin |
| spec: | ||
| cloudCredentialsRef: | ||
| cloudName: openstack-admin | ||
| cloudName: devstack-admin |
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: user-sample | ||
| type: Opaque | ||
| stringData: | ||
| password: "TestPassword" |
There was a problem hiding this comment.
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| name: user-sample | |
| type: Opaque | |
| stringData: | |
| password: "TestPassword" | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| name: user-sample | |
| type: Opaque | |
| stringData: | |
| password: "TestPassword" |
A few blank spaces at the beginning. Let's remove them for better indentation.
api/v1alpha1/user_types.go
Outdated
|
|
||
| // password is the password set for the user | ||
| // +optional | ||
| Password *PasswordSpec `json:"password,omitempty"` |
There was a problem hiding this comment.
Why don't we keep it simple and pass the SecretRef directly here? Any advantage of using a struct?
There was a problem hiding this comment.
+1 on this, not sure there is a point in warping it in an additional struct
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: user-create-full | ||
| type: Opaque | ||
| stringData: | ||
| password: "TestPassword" No newline at end of file |
There was a problem hiding this comment.
Probably you also need to add a new user-dependency-no-password-secret or something like that at 00-create-resources-missing-deps.yaml to properly test the dependency with this secret, and complete the deletion later as well.
website/docs/crd-reference.md
Outdated
|
|
||
|
|
||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
ooc: why do we have so many blank lines here? 🧐
There was a problem hiding this comment.
that's just how the github.com/elastic/crd-ref-docs package works AFAIK.
There was a problem hiding this comment.
BTW, I updated it in #716 and now we'll need to re-generate the assets.
eshulman2
left a comment
eshulman2
left a comment
There was a problem hiding this comment.
very quick and shallow review (need to come back to this one)
|
|
||
| handleNameUpdate(&updateOpts, obj, osResource) | ||
| handleDescriptionUpdate(&updateOpts, resource, osResource) | ||
| handleEnabledUpdate(&updateOpts, resource, osResource) |
There was a problem hiding this comment.
Missing password update logic, I would suggest adding it here to allow password changing and address what @winiciusallan was mentioning about password not changing when changing the secret
There was a problem hiding this comment.
We can leave the password update for a later time if this gets too complicated in this PR. We would just need to make the field immutable for now.
However, in case we want to permit the creation of users without providing a password as it is now, then we must return the one that OpenStack generated for us (in a secret). Otherwise, we should make the password field required (this would actually .
api/v1alpha1/user_types.go
Outdated
|
|
||
| // password is the password set for the user | ||
| // +optional | ||
| Password *PasswordSpec `json:"password,omitempty"` |
There was a problem hiding this comment.
+1 on this, not sure there is a point in warping it in an additional struct
mandre
left a comment
mandre
left a comment
There was a problem hiding this comment.
Right now the user controller is not very useful, and it can only be used when importing existing users (we can create users too, but they can't be used because we don't expose the generated password).
My recommendation for this PR: let's focus on making managed Users more useful by making the new password field required. We can switch it to optional later, once we have a mechanism for exposing the generated password. Let's also make the password field immutable for now until we're ready to update it. It may be a bit tricky because we'll need to watch both the passwordRef and the referenced password.
website/docs/crd-reference.md
Outdated
|
|
||
|
|
||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
that's just how the github.com/elastic/crd-ref-docs package works AFAIK.
website/docs/crd-reference.md
Outdated
|
|
||
|
|
||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
BTW, I updated it in #716 and now we'll need to re-generate the assets.
api/v1alpha1/user_types.go
Outdated
| // +optional | ||
| Enabled bool `json:"enabled,omitempty"` | ||
|
|
||
| // passwordExpiresAt filters the response based on expriing passwords. |
There was a problem hiding this comment.
This does not properly describe the passwordExpiresAt status field
There was a problem hiding this comment.
Also, it looks like we're not populating this new field in status.go.
|
|
||
| handleNameUpdate(&updateOpts, obj, osResource) | ||
| handleDescriptionUpdate(&updateOpts, resource, osResource) | ||
| handleEnabledUpdate(&updateOpts, resource, osResource) |
There was a problem hiding this comment.
We can leave the password update for a later time if this gets too complicated in this PR. We would just need to make the field immutable for now.
However, in case we want to permit the creation of users without providing a password as it is now, then we must return the one that OpenStack generated for us (in a secret). Otherwise, we should make the password field required (this would actually .
Add a `passwordRef` field to `UserResourceSpec` that references a Secret containing the user's password. Make this field required until we add the ability to expose auto-generated passwords from Keystone. This field is also currently immutable. Also populate `passwordExpiresAt` in status when Keystone has password expiration configured. Co-Authored-By: Martin André <m.andre@redhat.com>
|
@dlaw4608 I took the liberty to update your patch so that we can merge it soon, hope you don't mind. I chose to make the |
dlaw4608
left a comment
dlaw4608
left a comment
There was a problem hiding this comment.
@mandre thanks for getting this over the line, your change making the passwordRef field mandatory makes sense especially for this first iteration, the next step now is to include the ability to update the password of a user, but again that is for a future PR. LGTM I'd say it's ready to go 👍
4 participants
Fixes: #703
Follow up for User Controller PR that was recently merged #657,
Current Progress:
password fieldworks fine (E2E tests passing, password when created will be stored as aSecretRef.