StarlingX Authentication and Authorization¶
About this task
StarlingX REST API, CLI and Horizon/GUI authentication is automatically configured to use a Keystone username and password for authentication. See Keystone Accounts for details.
StarlingX REST API, CLI and Horizon/GUI authorization is automatically configured to use Keystone roles for authorization. See Keystone Account Roles for details on assigning Keystone roles to Keystone users and on the supported Keystone roles.
StarlingX Horizon/GUI Configuration¶
Configure HTTP and HTTPS Ports for Horizon Using the CLI¶
Horizon is set up to use secure HTTPS connections by default, and regular HTTP is disabled. If needed for backwards compatibility reasons, you can turn HTTP back on, although it is not recommended.
You can configure the HTTP / HTTPS ports for accessing the Horizon Web interface using the CLI.
To access Horizon, use http://<external OAM IP>:8080. By default, the ports are HTTP=8080, and HTTPS=8443.
Prerequisites
You can configure HTTP / HTTPS ports only when all hosts are unlocked and enabled.
About this task
Use the system service-parameter-list --service=http command to list the configured HTTP and HTTPS ports.
~(keystone_admin)]$ system service-parameter-list --service http
+---------+----------+---------+------------+-------+------------+--------+
| uuid | service | section | name | value |personality |Resource|
+---------+----------+---------+------------+-------+------------+--------+
| 4fc7... | http | config | http_port | 8080 | None |None |
| 9618... | http | config | https_port | 8443 | None |None |
+---------+----------+---------+------------+-------+------------+--------+
Procedure
Use the system service-parameter-modify command to configure a different port for HTTP and for HTTPS. For example:
~(keystone_admin)]$ system service-parameter-modify http config http_port=8090
~(keystone_admin)]$ system service-parameter-modify http config https_port=9443
Apply the service parameter change.
~(keystone_admin)]$ system service-parameter-apply http
Applying http service parameters
Note
Do not use ports that are already used by other services on the platform, by the OAM and management interfaces on the controllers, or by custom applications. For more information, see StarlingX Security: Default Firewall Rules.
If you plan to run StarlingX OpenStack, do not reset the ports to 80/443, as containerized OpenStack may use these ports by default.
Postrequisites
A configuration out-of-date alarm is generated for each host. Wait for the configuration to be automatically applied to all nodes and the alarms to be cleared on all hosts before performing maintenance operations, such as rebooting or locking/unlocking a host.
Configure Horizon User Lockout on Failed Logins¶
For security, login to the Web administration interface can be disabled for a user after several consecutive failed attempts. You can configure how many failed attempts are allowed before the user is locked out, and how long the user must wait before the lockout is reset.
About this task
Caution
This procedure requires the Web service to be restarted, which causes all current user sessions to be lost. To avoid interrupting user sessions, perform this procedure during a scheduled maintenance period only.
By default, after five consecutive failed login attempts, a user must wait thirty minutes (1800 seconds) before attempting another login. During this period, all Web administration interface login attempts by the user are refused, including those using the correct password.
This behavior is controlled by the lockout_retries and lockout_seconds service parameters. To review their current values, use the system service-parameter-list command.
You can change the duration of the lockout using the following CLI command:
~(keystone_admin)]$ system service-parameter-modify identity security_compliance lockout_seconds=<duration>
where <duration> is the time in seconds.
You can change the number of allowed retries before a lockout is imposed using the following CLI command:
~(keystone_admin)]$ system service-parameter-modify identity security_compliance lockout_retries=<attempts>
where <attempts> is the number of allowed retries.
For the changes to take effect, you must apply them:
~(keystone_admin)]$ system service-parameter-apply identity
Allow about 30 seconds after applying the changes for the Web service to restart.
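As an added illustration (not StarlingX or Keystone code), the following Python model reproduces the lockout behaviour described above: lockout_retries consecutive failures lock the user for lockout_seconds, during which even the correct password is refused, and a successful login resets the failure count. The user name, password table and FakeClock are constructed for the demo.

```python
import time
from dataclasses import dataclass

@dataclass
class UserState:
    failures: int = 0        # consecutive failed attempts so far
    locked_until: float = 0  # clock value at which the lockout expires

class LoginGuard:
    """Lockout model: lockout_retries consecutive failures lock the user for lockout_seconds."""

    def __init__(self, credentials, lockout_retries=5, lockout_seconds=1800, clock=time.monotonic):
        self.credentials = credentials      # constructed {user: password} table
        self.lockout_retries = lockout_retries
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable so tests can advance time
        self.state = {}

    def attempt(self, user, password):
        now = self.clock()
        st = self.state.setdefault(user, UserState())
        if now < st.locked_until:
            return "locked"                 # refused even if the password is correct
        if st.locked_until:
            st.failures, st.locked_until = 0, 0  # lockout window has elapsed: start over
        if self.credentials.get(user) == password:
            st.failures = 0                 # a success ends the consecutive-failure run
            return "ok"
        st.failures += 1
        if st.failures >= self.lockout_retries:
            st.locked_until = now + self.lockout_seconds
        return "denied"

class FakeClock:
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

def demo():
    clock = FakeClock()
    guard = LoginGuard({"joefulladmin": "correct-pw"}, clock=clock)
    results = [guard.attempt("joefulladmin", "wrong-pw") for _ in range(5)]
    results.append(guard.attempt("joefulladmin", "correct-pw"))  # still inside the lockout window
    clock.advance(1800)                                          # wait lockout_seconds
    results.append(guard.attempt("joefulladmin", "correct-pw"))  # lockout expired
    return results
```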
Access StarlingX CLI locally from SSH/Local Console Session¶
You can access the system via a local CLI from the active controller node’s local console or by SSH-ing to the OAM floating IP Address.
It is highly recommended that only ‘sysadmin’ and a small number of admin level user accounts be allowed to SSH to the system.
For sysadmin Account¶
Log in to the active controller over SSH (or from its local console), then acquire Keystone admin credentials by running the following commands:
# ssh sysadmin@<oamFloatingIpAddress>
$ source /etc/platform/openrc
[sysadmin@controller-0 ~(keystone_admin)]$
You can now access all StarlingX CLI commands.
system commands
StarlingX system and host management commands are executed with the system command.
For example:
~(keystone_admin)]$ system host-list
+----+--------------+-------------+----------------+-------------+--------------+
| id | hostname | personality | administrative | operational | availability |
+----+--------------+-------------+----------------+-------------+--------------+
| 1 | controller-0 | controller | unlocked | enabled | available |
+----+--------------+-------------+----------------+-------------+--------------+
Use system help for a full list of system subcommands.
fm commands
StarlingX fault management commands are executed with the fm command.
For example:
~(keystone_admin)]$ fm alarm-list
+----------+---------------------------+-------------------------------------+----------+----------------------------+
| Alarm ID | Reason Text               | Entity ID                           | Severity | Time Stamp                 |
+----------+---------------------------+-------------------------------------+----------+----------------------------+
| 750.002  | Application Apply Failure | k8s_application=platform-integ-apps | major    | 2019-08-08T20:17:58.223926 |
+----------+---------------------------+-------------------------------------+----------+----------------------------+
Use fm help for a full list of fm subcommands.
For General Keystone Account¶
Use local_starlingxrc to set up the StarlingX environment variables and your Keystone user's authentication credentials.
$ source local_starlingxrc
Enter the password to be used with Keystone user joefulladmin:
Created file /home/joefulladmin/joefulladmin-openrc
Test keystone commands (admin and non-admin).
# Making changes to the system requires 'admin' role
$ system modify -l Ottawa
+----------------------+--------------------------------------+
| Property | Value |
+----------------------+--------------------------------------+
| contact | None |
| created_at | 2024-07-12T10:52:40.609006+00:00 |
| description | None |
| https_enabled | True |
| latitude | None |
| location | Ottawa |
| longitude | None |
...
# Any member of 'admin' project can display system parameters
$ system host-if-list controller-0
+--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
| uuid | name | class | type | vlan id | ports | uses i/f | used by i/f | attributes |
+--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
| 287eca5a-8721-4422-b73a-bf24805eac4c | enp0s3 | platform | ethernet | None | ['enp0s3'] | [] | [] | MTU=1500 |
| 325c32b9-fe40-4900-a0ff-59062190ce80 | lo | platform | virtual | None | [] | [] | [] | MTU=1500 |
+--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
CLI Confirmation Support¶
A user confirmation request can optionally be used to safeguard critical operations performed via the CLI. When the user CLI Confirmation capability is enabled, CLI users are prompted to explicitly confirm any potentially critical or destructive CLI command, before proceeding with the execution of the CLI command.
This interactive safeguard helps prevent unintentional or irreversible changes made to the system.
The user CLI Confirmation capability is disabled by default and you must explicitly enable it. When this feature is enabled, a CLI user executing a potentially critical or destructive CLI command sees a confirmation request message such as the following:
~(keystone_admin)$ system ca-certificate-install cert-file
WARNING: This is a high-risk operation that may cause a service interruption or remove critical resources
Do you want to continue? (yes/No):
The prompt times out after 10 seconds; if no input is received within that time, the CLI command is not executed. You must therefore provide your answer within this time limit to proceed with the operation.
You can also skip the confirmation message using the --yes parameter, as shown below:
~(keystone_admin)$ system ca-certificate-install cert-file --yes
For the list of CLI commands that will ask for confirmation when the CLI Confirmation capability is enabled, see CLI Confirmation Support Commands.
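The following Python sketch is an added example, not part of StarlingX's CLI client, of the confirmation behaviour described above: --yes bypasses the prompt, only an explicit yes typed within the 10-second window proceeds, and a timeout or any other answer leaves the command unexecuted. The reader callable, the run_guarded wrapper and the echoing stand-in action are assumptions made for the demo.

```python
import select
import sys

CONFIRM_TIMEOUT = 10  # seconds, the documented lifetime of the confirmation prompt
WARNING = ("WARNING: This is a high-risk operation that may cause a service "
           "interruption or remove critical resources")


def read_line_with_timeout(timeout=CONFIRM_TIMEOUT, stream=sys.stdin):
    """Return one line from stream, or None if nothing arrives within timeout."""
    ready, _, _ = select.select([stream], [], [], timeout)
    return stream.readline() if ready else None


def confirm(argv, reader=read_line_with_timeout, out=None):
    """Return (proceed, argv_without_flag).

    --yes skips the prompt, as documented; otherwise only an explicit 'yes'
    typed within the timeout proceeds. Silence or any other answer means no."""
    out = out or sys.stdout
    if "--yes" in argv:
        return True, [a for a in argv if a != "--yes"]
    print(WARNING, file=out)
    print("Do you want to continue? (yes/No): ", end="", file=out, flush=True)
    answer = reader()
    if answer is None:
        print("\nNo answer within %d seconds; command not executed." % CONFIRM_TIMEOUT, file=out)
        return False, argv
    return answer.strip().lower() == "yes", argv


def run_guarded(argv, action, reader=read_line_with_timeout):
    """Run action(argv) only if the user confirmed; return None otherwise."""
    proceed, args = confirm(argv, reader)
    return action(args) if proceed else None


if __name__ == "__main__":
    # Hypothetical stand-in for a high-risk command: it only echoes its arguments.
    run_guarded(sys.argv[1:], lambda args: print("would execute with:", *args))
```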
Enable CLI Confirmation¶
Procedure
You can enable the CLI Confirmation capability for all local CLI users (users SSH'd or logged into the local console of the active controller) by using one of the following methods:
Before installation, set the cli_confirmations service parameter to enabled in the deployment configuration file:
serviceParameters:
  - service: platform
    section: client
    paramname: cli_confirmations
    paramvalue: enabled
After installation, modify the cli_confirmations service parameter using the following commands:
~(keystone_admin)$ system service-parameter-modify platform client cli_confirmations=enabled
~(keystone_admin)$ system service-parameter-apply platform
~(keystone_admin)$ source /etc/profile.d/cli_env.sh
Disable CLI Confirmation¶
To disable CLI Confirmation capability, run the following commands:
~(keystone_admin)$ system service-parameter-modify platform client cli_confirmations=disabled
~(keystone_admin)$ system service-parameter-apply platform
~(keystone_admin)$ source /etc/profile.d/cli_env.sh
Access StarlingX CLIs and GUI Remotely¶
For details on how to setup and use remote access to StarlingX CLIs and GUI, see Remote Access.
Access StarlingX REST APIs¶
The REST APIs provide programmatic access to StarlingX.
The StarlingX Platform related public REST API Endpoints can be listed by running the following command:
$ openstack endpoint list | grep public
Use these URLs as the prefix for the target URL of the StarlingX Platform services REST API messages documented here:
StarlingX: https://docs.starlingx.io/api-ref/index.html