Host validation #22336
Host validation #22336
Conversation
kbrock
force-pushed
the
host_validation
branch
2 times, most recently
from
64acfc7 to
fda6839
Compare
app/models/host.rb
Outdated
| # Prevent the connection details, including the password, from being leaked into the logs | ||
| # and MiqQueue by only returning true/false | ||
| !!verify_credentials(*args) | ||
| auth = options.delete('credentials') || options.delete(:credentials) |
There was a problem hiding this comment.
Do we have to handle either or could we enforce one-or-the-other?
app/models/host.rb
Outdated
| # some providers (i.e.: openstack) want to use something other than ws as a default | ||
| def verify_credentials_default(auth_type, _options) | ||
| verify_credentials_with_ws(auth_type) | ||
| end | ||
|
|
There was a problem hiding this comment.
Would it be fair to say the inverse, that vmware wants to use ws as the default?
Also am I reading this wrong or does openstack "default" to ws as well?
case auth_type.to_s
when 'remote', 'default', 'ssh_keypair' then verify_credentials_with_ssh(auth_type, options)
when 'ws' then verify_credentials_with_ws(auth_type)
when 'ipmi' then verify_credentials_with_ipmi(auth_type)
else
verify_credentials_with_ws(auth_type)
end
There was a problem hiding this comment.
no. openstack does not implement ws.
so while I agree with you that they fall through to ws, that means they will throw an error.
They modified this method so default and ssh_keypair to go to ssh. If they had not added those cases, those would have fallen through to the else (the default). Swapping that to be ssh seems more in spirit with what we want and is less code change.
So I interpret this as they default to ssh, but they just left the else code because they didn't understand the implications.
In the end, I am extracting credentials outside of this method. Too many methods override this. I no longer have to make this change, but it is still weighing on my mind.
There was a problem hiding this comment.
I do wonder what the default should be for the base class (and openstack).
Still think HostEsx should default to ws, but think the others should be ssh
There was a problem hiding this comment.
you read this correctly.
vmware EsxHost is the only one that wants ws as the default
but we have it setup that ws is the default for all
Most of the providers have overwritten verify_credentials so I'm unsure if this method helps us that much.
There was a problem hiding this comment.
@agrare I just understood your question. I like the idea of using ssh as the default and changing the default for VMware EsxHost - probably the only one that actually implements ws
There was a problem hiding this comment.
👍 yes if VMware is the only different one seems better to flip the default
kbrock
force-pushed
the
host_validation
branch
from
fda6839 to
865998f
Compare
|
update:
|
verification is transforming to using task Changing the tests to make it more obvious when the values are getting set
the logic was interpreting (:save => false) as the authtype
| @@ -639,10 +639,13 @@ def verify_credentials_task(userid, auth_type = nil, options = {}) | |||
| MiqTask.generic_action_with_callback(task_opts, queue_opts) | |||
| end | |||
|
|
|||
| def verify_credentials?(*args) | |||
| def verify_credentials?(auth_type = nil, options = {}) | |||
| # Prevent the connection details, including the password, from being leaked into the logs | |||
| # and MiqQueue by only returning true/false | |||
There was a problem hiding this comment.
Hmm, this comment is no longer true.
We are now putting the new password into the queue. It is the only way I could think of passing the new password to the ems_operations worker (who is actually verifying the password)
@agrare are you ok with putting the prospective credentials onto the queue?
There was a problem hiding this comment.
Yes as long as it is filtered out in the logs as a ManageIQ::Password object (this is the same for the EMS verify_credentials method)
There was a problem hiding this comment.
I just remembered why we have this comment (was reviewing the VerifyCredentialsMixin that ExtManagementSystem uses). It was so that the results weren't leaked into the logs, not the parameters.
In the ui we need to test new credentials. These are not the credentials stored in the host. So we need to pass these new credentials over the wire to the ems_operations worker to test introduced a default case. vmware will override with ws, but others prefer ssh
|
update:
|
|
Checked commits kbrock/manageiq@ee4c1b9~...d039070 with ruby 2.6.10, rubocop 1.28.2, haml-lint 0.35.0, and yamllint |
From Pull Request: ManageIQ/manageiq#22336
| auth = options.delete(:credentials) | ||
| update_authentication(auth, :save => false) if auth.present? |
There was a problem hiding this comment.
Hm this doesn't looks right, if we're verifying new credentials for an existing host and the verification fails then we've just overwritten the old credentials right?
Why did you have to add this? Or was this already done elsewhere that you had to move?
There was a problem hiding this comment.
This is the way it has always been done (not a fan)
We set the credentials, we pass in :save => false so they are not changed
Then we call verify on the host.
It uses the temporary values.
There was a problem hiding this comment.
We discussed this and this is required because previously the UI didn't verify host credentials over the queue, it called it directly after doing this update_authentications save => false
This is because the Host#verify_credentials* methods only work off of the authentications association not on new credentials passed in as arguments.
I'm 👍 with this for now so that we can get this running properly over the queue and then we can come back and improve the verify_credentials&friends methods to work more closely to how we verify ems creds.
|
@kbrock in a follow-up could we use the |
|
Cross-repo is only failing on the unrelated api authentication specs |
The methods are just a tad different. Also the internals seem a little different, but I will revisit. |
|
kicking now that vmware change is in. |
part of of ManageIQ/manageiq-ui-classic#8608
depends upon:
dependent of:
In the ui (read: api), we need to test new credentials.
These are not the credentials stored in the host.
So we need to pass these new credentials over the wire to the
ems_operationsworker to test.validate_credentials?pulls those credentials out and applies to the host (withoutsave)Updated host to call a default authentication method so different providers like vmware and openstack can choose different defaults for verify credentials
/cc @MelsHyrule