MAAS

Merge ~ltrager/maas:vcenter_creds_ui into maas:master

  1. Git
  2. lp:~ltrager/maas
  3. vcenter_creds_ui
  4. Merge into master
Proposed by Lee Trager
Status: Merged
Approved by: Lee Trager
Approved revision: 95e5c8e31c89c86b7928e9a01d5611af7128d31a
Merge reported by: MAAS Lander
Merged at revision: not available
Proposed branch: ~ltrager/maas:vcenter_creds_ui
Merge into: maas:master
Diff against target: 127 lines (+52/-2)
4 files modified
src/maasserver/forms/__init__.py (+9/-0)
src/maasserver/templates/maasserver/settings_general.html (+16/-0)
src/maasserver/views/settings.py (+10/-1)
src/maasserver/views/tests/test_settings.py (+17/-1)
Reviewer Review Type Date Requested Status
Björn Tillenius Approve
Review via email: mp+365985@code.launchpad.net

Commit message

Allow settings vCenter credentials on the settings page in the UI.

To post a comment you must log in.
~ltrager/maas:vcenter_creds_ui updated
95e5c8e... by Lee Trager

s/windows/vcenter/g

Revision history for this message
Björn Tillenius (bjornt) wrote :

The code itself looks good. But i'd like to take the opportunity to clarify how this is expected to work.

Do we have the workflow written down somewhere?

I'm a bit concerned that the description says that the credentials are being sent to the deployed how. So how do we prevent a normal user to be able to access those credentials?

review: Needs Information
Revision history for this message
Andres Rodriguez (andreserl) wrote :

Those credentials are sent to the node via the bender data, the same way we
send other administrative data that no other users have access.

This is the same way you wouldn’t send landscape credentials via cloud-init
for auto config.

On Mon, Apr 15, 2019 at 3:44 AM Björn Tillenius <email address hidden> wrote:

> Review: Needs Information
>
> The code itself looks good. But i'd like to take the opportunity to
> clarify how this is expected to work.
>
> Do we have the workflow written down somewhere?
>
> I'm a bit concerned that the description says that the credentials are
> being sent to the deployed how. So how do we prevent a normal user to be
> able to access those credentials?
> --
> https://code.launchpad.net/~ltrager/maas/+git/maas/+merge/365985
> Your team MAAS Committers is subscribed to branch maas:master.
>
> Launchpad-Message-Rationale: Subscriber @maas-committers
> Launchpad-Message-For: maas-committers
> Launchpad-Notification-Type: code-review
> Launchpad-Branch: ~maas-committers/maas/+git/maas:master
> Launchpad-Project: maas
>
--
Andres Rodriguez (RoAkSoAx)
Ubuntu Server Developer
MSc. Telecom & Networking
Systems Engineer

Revision history for this message
Björn Tillenius (bjornt) wrote :

So I think this deserves a write-up to discuss what attack vector we protect against, and which we don't. Sending anything to the nodes open up a range of attach vectors, and considering these are shared global credentials, we should be clear on how they can be exposed to users that shouldn't have access to them.

Revision history for this message
Andres Rodriguez (andreserl) wrote :

That however, sits outside of the scope of this branch!

On Mon, Apr 15, 2019 at 4:51 AM Björn Tillenius <email address hidden> wrote:

> So I think this deserves a write-up to discuss what attack vector we
> protect against, and which we don't. Sending anything to the nodes open up
> a range of attach vectors, and considering these are shared global
> credentials, we should be clear on how they can be exposed to users that
> shouldn't have access to them.
> --
> https://code.launchpad.net/~ltrager/maas/+git/maas/+merge/365985
> Your team MAAS Committers is subscribed to branch maas:master.
>
> Launchpad-Message-Rationale: Subscriber @maas-committers
> Launchpad-Message-For: maas-committers
> Launchpad-Notification-Type: code-review
> Launchpad-Branch: ~maas-committers/maas/+git/maas:master
> Launchpad-Project: maas
>
--
Andres Rodriguez (RoAkSoAx)
Ubuntu Server Developer
MSc. Telecom & Networking
Systems Engineer

Revision history for this message
Björn Tillenius (bjornt) wrote :

We discussed this on the standup. As mentioned, my comments weren't on this branch in particular, but rather on the feature as whole.

So I'm approving this branch, and then Lee can update the spec and make it so that only admins and operators can deploy machines using these credentials.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/src/maasserver/forms/__init__.py b/src/maasserver/forms/__init__.py
index d1e653c..4d90cea 100644
--- a/src/maasserver/forms/__init__.py
+++ b/src/maasserver/forms/__init__.py
@@ -62,6 +62,7 @@ __all__ = [
62 "UpdateRaidForm",62 "UpdateRaidForm",
63 "UpdateVirtualBlockDeviceForm",63 "UpdateVirtualBlockDeviceForm",
64 "UpdateVolumeGroupForm",64 "UpdateVolumeGroupForm",
65 "VCenterForm",
65 "WindowsForm",66 "WindowsForm",
66 "ZoneForm",67 "ZoneForm",
67 ]68 ]
@@ -1736,6 +1737,14 @@ class WindowsForm(ConfigForm):
1736 windows_kms_host = get_config_field('windows_kms_host')1737 windows_kms_host = get_config_field('windows_kms_host')
17371738
17381739
1740class VCenterForm(ConfigForm):
1741 """Settings page, VMware vCenter section."""
1742 vcenter_server = get_config_field('vcenter_server')
1743 vcenter_username = get_config_field('vcenter_username')
1744 vcenter_password = get_config_field('vcenter_password')
1745 vcenter_datacenter = get_config_field('vcenter_datacenter')
1746
1747
1739class GlobalKernelOptsForm(ConfigForm):1748class GlobalKernelOptsForm(ConfigForm):
1740 """Settings page, Global Kernel Parameters section."""1749 """Settings page, Global Kernel Parameters section."""
1741 kernel_opts = get_config_field('kernel_opts')1750 kernel_opts = get_config_field('kernel_opts')
diff --git a/src/maasserver/templates/maasserver/settings_general.html b/src/maasserver/templates/maasserver/settings_general.html
index 636f153..5f5e97d 100644
--- a/src/maasserver/templates/maasserver/settings_general.html
+++ b/src/maasserver/templates/maasserver/settings_general.html
@@ -130,6 +130,22 @@
130130
131 <div class="p-strip is-bordered">131 <div class="p-strip is-bordered">
132 <div class="row">132 <div class="row">
133 <div id="vcenter" class="col-8">
134 <h2 class="p-heading--four">VMware vCenter</h2>
135 <form action="{% url 'settings_general' %}" method="post">
136 {% csrf_token %}
137 <ul class="p-list">
138 {% for field in vcenter_form %} {% include "maasserver/form_field.html" %} {% endfor %}
139 </ul>
140 <input type="hidden" name="vcenter_submit" value="1" />
141 <button type="submit" class="p-button--positive u-float--right">Save</button>
142 </form>
143 </div>
144 </div>
145 </div>
146
147 <div class="p-strip is-bordered">
148 <div class="row">
133 <div id="third_party_drivers" class="col-8">149 <div id="third_party_drivers" class="col-8">
134 <h2 class="p-heading--four">Third Party Drivers Configuration</h2>150 <h2 class="p-heading--four">Third Party Drivers Configuration</h2>
135 <form action="{% url 'settings_general' %}" method="post">151 <form action="{% url 'settings_general' %}" method="post">
diff --git a/src/maasserver/views/settings.py b/src/maasserver/views/settings.py
index 9d3ef97..d22f015 100644
--- a/src/maasserver/views/settings.py
+++ b/src/maasserver/views/settings.py
@@ -1,4 +1,4 @@
1# Copyright 2012-2018 Canonical Ltd. This software is licensed under the1# Copyright 2012-2019 Canonical Ltd. This software is licensed under the
2# GNU Affero General Public License version 3 (see the file LICENSE).2# GNU Affero General Public License version 3 (see the file LICENSE).
33
4"""Settings views."""4"""Settings views."""
@@ -47,6 +47,7 @@ from maasserver.forms import (
47 SyslogForm,47 SyslogForm,
48 ThirdPartyDriversForm,48 ThirdPartyDriversForm,
49 UbuntuForm,49 UbuntuForm,
50 VCenterForm,
50 WindowsForm,51 WindowsForm,
51)52)
52from maasserver.models import (53from maasserver.models import (
@@ -283,6 +284,13 @@ def general(request):
283 if response is not None:284 if response is not None:
284 return response285 return response
285286
287 # Process the VMware vCenter form.
288 vcenter_form, response = process_form(
289 request, VCenterForm, reverse('settings_general'), 'vcenter',
290 "Configuration updated.")
291 if response is not None:
292 return response
293
286 # Process the Global Kernel Opts form.294 # Process the Global Kernel Opts form.
287 kernelopts_form, response = process_form(295 kernelopts_form, response = process_form(
288 request, GlobalKernelOptsForm, reverse('settings_general'),296 request, GlobalKernelOptsForm, reverse('settings_general'),
@@ -300,6 +308,7 @@ def general(request):
300 'deploy_form': deploy_form,308 'deploy_form': deploy_form,
301 'ubuntu_form': ubuntu_form,309 'ubuntu_form': ubuntu_form,
302 'windows_form': windows_form,310 'windows_form': windows_form,
311 'vcenter_form': vcenter_form,
303 'kernelopts_form': kernelopts_form,312 'kernelopts_form': kernelopts_form,
304 'show_license_keys': show_license_keys(),313 'show_license_keys': show_license_keys(),
305 })314 })
diff --git a/src/maasserver/views/tests/test_settings.py b/src/maasserver/views/tests/test_settings.py
index d8d0ae0..5033c6e 100644
--- a/src/maasserver/views/tests/test_settings.py
+++ b/src/maasserver/views/tests/test_settings.py
@@ -1,4 +1,4 @@
1# Copyright 2012-2018 Canonical Ltd. This software is licensed under the1# Copyright 2012-2019 Canonical Ltd. This software is licensed under the
2# GNU Affero General Public License version 3 (see the file LICENSE).2# GNU Affero General Public License version 3 (see the file LICENSE).
33
4"""Test maasserver settings views."""4"""Test maasserver settings views."""
@@ -243,6 +243,22 @@ class SettingsTest(MAASServerTestCase):
243 Config.objects.get_config('commissioning_distro_series'),243 Config.objects.get_config('commissioning_distro_series'),
244 ))244 ))
245245
246 def test_settings_vcenter_POST(self):
247 self.client.login(user=factory.make_admin())
248 vcenter = {
249 'vcenter_server': factory.make_name('vcenter_server'),
250 'vcenter_username': factory.make_name('vcenter_username'),
251 'vcenter_password': factory.make_name('vcenter_password'),
252 'vcenter_datacenter': factory.make_name('vcenter_datacenter'),
253 }
254 response = self.client.post(
255 reverse('settings_general'),
256 get_prefixed_form_data(prefix='vcenter', data=vcenter),
257 )
258 self.assertEqual(http.client.FOUND, response.status_code)
259 self.assertDictEqual(
260 vcenter, Config.objects.get_configs(vcenter.keys()))
261
246 def test_settings_hides_license_keys_if_no_OS_supporting_keys(self):262 def test_settings_hides_license_keys_if_no_OS_supporting_keys(self):
247 self.client.login(user=factory.make_admin())263 self.client.login(user=factory.make_admin())
248 response = self.client.get(reverse('settings_general'))264 response = self.client.get(reverse('settings_general'))

Subscribers

People subscribed via source and target branches