Comments (10)
The order of resolution seems incorrect, iv and v should be swapped. This is a first found resolution, therefore environment variables should be resolved first, because they take precedence over the configuration files.
from linchpin.
I think some clarification on what these things mean might be helpful. I agree that environment variables take precedence, except when a value is passed on the command line.
The 'creds_path' value listed here is actually a command line option. It should have been --creds-path, which the click library will turn into the creds_path variable. The environment variable associated with this can also be used. Thus, the order should probably be closer to:
- --creds_path on the cli
- LINCHPIN_CREDS (which is passed via the creds_path variable using click)
- ENV_VARS (OS_USERNAME, etc...)
- credentials folder in workspace, with appropriate directory structure and config file
- default credentials (eg. /etc/clouds.yaml)
@samvarankashyap, @gsr-shanks what do you think?
from linchpin.
This is being addressed by a newly designed auth driver. @samvarankashyap, will you provide a basic design concept here in the near future?
from linchpin.
https://trello.com/c/xd2oh4z3/102-5-ci-provisioning-linch-pin-auth-driver linking in trello card for reference.
from linchpin.
After the design discussion, an update to our topology and command-line functionality is needed. It essentially came to this example topology:
---
topology_name: "example_topo"
site: "qeos"
resource_groups:
  -
    credentials:
      - profile: e2e-openstack
      - auth_type: file:secure.yaml
    res_group_type: "openstack"
    res_defs:
      -
        res_name: "ha_inst"
        flavor: "m1.small"
        res_type: "os_server"
        image: "rhel-6.5_jeos"
        count: 1
        keypair: "ci-factory"
        networks:
          - "e2e-openstack"
  -
    resource_group_name: "testgroup1"
    credentials:
      - profile: ec3-awesome
      - auth_type: file:ec3.ini
    res_group_type: "aws"
    res_defs:
      -
        res_name: "web_inst"
        flavor: "m1.small"
        res_type: "ec2"
        image: "rhel-6.5_jeos"
        count: 1
        keypair: "ci-factory"
        networks:
          - "e2e-openstack"
from linchpin.
As per discussion with @herlo, we came to the following agreements:
- The credentials will be handled by the default mechanism followed by ansible modules (i.e., ENV variables) if not provided.
- However, the end user will have an option to override the credentials by providing --cred-path LINCHPIN_CREDS environment variable which should point to one or more folder paths.
- If there is no override, the credentials will be searched in the "credentials" folder in the Linchpin workspace.
- All the credentials will be resolved by the credential file name.
- If multiple credential_paths are given, they are resolved on a first found basis.
- Order of resolution:
  i. creds_path
  ii. LINCHPIN_CREDS env var
  iii. credentials folder in workspace
  iv. Environment variables (OS_USERNAME, AWS_SECRETID etc.,)
  v. default creds, ie., clouds.yaml / boto.ini
from linchpin.
IMO the order should be:
- LINCHPIN_CREDS env var
- Environment variables ( OS_USERNAME, AWS_SECRETID etc.,)
- creds_path
- credentials folder in workspace
- default creds, ie., clouds.yaml/ boto.ini
First 2 are env vars which take precedence over any and the next 2 require user action before the default kicks in.
- shanks
from linchpin.
With the current workflow it would be difficult to accommodate the above resolution. But I feel the following is better.
- --creds_path on the cli (possible)
- LINCHPIN_CREDS (which is passed via the creds_path variable using click) (possible use env var if not mentioned)
- credentials folder in workspace, with appropriate directory structure and config file
- ENV_VARS (OS_USERNAME, etc...)
- default credentials (eg. /etc/clouds.yaml) as these are creds configured system wide. ~/.boto.ini
env_vars becomes the last resort if nothing is mentioned anywhere (including the topology file making credentials parameter optional).
I feel one should resolve to defaults if no credentials are mentioned.
I assume 4 and 5 are handled by default by the respective modules of openstack and aws ansible modules.
@herlo @gsr-shanks Let me know your opinion.
from linchpin.
To clarify, the option is --creds-path on the cli (with a dash, not an underscore). Click converts this to creds_path (with an underscore).
As for the order of resolution, I can agree with both points of view. What if we were to remove the credentials folder requirement? A user can still have that simply by pointing the --creds-path or LP_CREDENTIALS to the workspace path.
from linchpin.
Credentials Management / Authentication Driver
from linchpin.
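The first-found lookup discussed in this thread, as an added example that is not linchpin's own code: it searches the --creds-path folders, then the LINCHPIN_CREDS folders, then the workspace "credentials" folder, and returns None so the caller can fall back to the modules' defaults. The function names, the os.pathsep separator for multiple folders, and the rejection of path-like file names are assumptions made for this sketch.

```python
import os
import tempfile
from pathlib import Path


def candidate_dirs(cli_creds_path, environ, workspace):
    """Yield (source, directory) pairs in the order the agreements list gives."""
    for source, value in (("--creds-path", cli_creds_path or ""),
                          ("LINCHPIN_CREDS", environ.get("LINCHPIN_CREDS", ""))):
        # Assumption: several folders are joined with os.pathsep, like PATH.
        for entry in value.split(os.pathsep):
            if entry:
                yield source, Path(entry)
    yield "workspace", Path(workspace) / "credentials"


def resolve_credentials(filename, cli_creds_path=None, environ=None, workspace="."):
    """Return (source, path) of the first match, or None to use module defaults."""
    environ = os.environ if environ is None else environ
    # Credentials are resolved by file name only; refuse anything path-like.
    if not filename or Path(filename).name != filename:
        raise ValueError("credential file name must not contain a path: %r" % filename)
    for source, directory in candidate_dirs(cli_creds_path, environ, workspace):
        candidate = directory / filename
        if candidate.is_file():
            return source, candidate  # first found wins; later folders are ignored
    return None  # caller falls back to OS_* / AWS_* variables or clouds.yaml


def demo():
    """Constructed layout: secure.yaml exists in two places, ec3.ini in one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("cli", "env", "ws/credentials"):
            (root / sub).mkdir(parents=True)
        (root / "env" / "secure.yaml").write_text("constructed: env copy\n")
        (root / "ws" / "credentials" / "secure.yaml").write_text("constructed: ws copy\n")
        (root / "ws" / "credentials" / "ec3.ini").write_text("[constructed]\n")
        sources = []
        for name in ("secure.yaml", "ec3.ini", "missing.yaml"):
            hit = resolve_credentials(name, str(root / "cli"),
                                      {"LINCHPIN_CREDS": str(root / "env")}, root / "ws")
            sources.append(hit[0] if hit else None)
        return sources


if __name__ == "__main__":
    print(demo())
```

Returning the source label alongside the path lets the caller log which location supplied a credential file, which matters when the same file name exists in more than one folder.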