Provider Service Accounts


#1

Hello All,

I wish to get a better understanding of how people feel about Provider Service Accounts and the use of admin accounts.

When you add a provider to CF, you specify a service account to use. Typically it's administrator@internal (RHV) or administrator@vsphere.vmware and so on. The common thing here is the use of an admin account, giving CloudForms full access for that provider.

Some environments prefer to connect using an account such as cloudforms@internal or cloudforms@vsphere.vmware, giving the ability to the provider platform to restrict the rights of the account used by CloudForms for management operations.

Issues can arise across different platforms for a variety of reasons. Because the number of operations and type of operations differ per provider the support of those operations can be affected depending on the service account used and the rights it has to perform management operations on the provider platform.

Therefore, connecting as an admin account overcomes these issues, but opens the management platform up to being used incorrectly and causing damage to the provider platform. This is a huge concern to most security persons, but in my experience something that can be mitigated against. Such as:

Connecting a CloudForms provider with an admin account does NOT give the users of CloudForms admin access to the platform. It can, but logging in with a standard user in CloudForms does not give you the right to delete a Cluster in VMware.

So, a solution is to allow CloudForms to connect as Admin to the provider platform, but instead protect and secure CloudForms so it's able to meet the use cases it was being implemented for, whilst not being a danger to or extending the attack surface of the provider platform?

This does not mean we do not support restricted service account access. To the contrary, if you can get a service account configured with exactly the rights required to meet the use cases and not stifle progress and innovation in the management operation space, then great. But some providers have limited RBAC implemented, such as OpenStack, where it is very difficult to restrict a tenant user to the API set required by a CloudForms provider service account. Other providers like VMware are far more successful in RBAC, and a restricted user can work well there.

Interested in all feedback.