author | Julia Kreger <juliaashleykreger@gmail.com> | 2020-09-01 16:10:34 -0700 |
---|---|---|
committer | Julia Kreger <juliaashleykreger@gmail.com> | 2020-09-04 17:09:39 +0000 |
commit | 5b272b0c46f5a10c50fc7325cc653fd577908ca0 (patch) | |
tree | 7d8e3f3bb37c8610bcccad988e0215bb203adbd8 /doc | |
parent | 30d9cb47e62b62d570e1792515e16abf1ac3cd56 (diff) | |
download | ironic-5b272b0c46f5a10c50fc7325cc653fd577908ca0.tar.gz |
Remove token-less agent support

Removes the deprecated support for token-less agents which
better secures the ironic-python-agent<->ironic interactions
to help ensure heartbeat operations are coming from the same
node which originally checked-in with the Ironic and that
commands coming to an agent are originating from the same
ironic deployment which the agent checked-in with to begin
with.

Story: 2007025
Task: 40814
Change-Id: Id7a3f402285c654bc4665dcd45bd0730128bf9b0
Diffstat (limited to 'doc')
-rw-r--r-- | doc/source/admin/agent-token.rst | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/doc/source/admin/agent-token.rst b/doc/source/admin/agent-token.rst index 4c2fd0e34..85d6b8354 100644 --- a/doc/source/admin/agent-token.rst +++ b/doc/source/admin/agent-token.rst @@ -29,7 +29,8 @@ These tokens are provided in one of two ways to the running agent. 2. A one-time generated token that are provided upon the first "lookup" of the node. -In both cases, the tokens are a randomly generated length of 128 characters. +In both cases, the tokens are a randomly generated using the Python +``secrets`` library. As of mid-2020, the default length is 43 characters. Once the token has been provided, the token cannot be retrieved or accessed. It remains available to the conductors, and is stored in memory of the @@ -43,9 +44,10 @@ It remains available to the conductors, and is stored in memory of the With the token is available in memory in the agent, the token is embedded with ``heartbeat`` operations to the ironic API endpoint. This enables the API to authenticate the heartbeat request, and refuse "heartbeat" requests from the -``ironic-python-agent``. With the ``Ussuri`` release, the configuration option -``[DEFAULT]require_agent_token`` can be set ``True`` to explicitly require -token use. +``ironic-python-agent``. As of the Victoria release, use of Agent Token is +required for all agents and the previously available setting to force this +functionality to be manditory, ``[DEFAULT]require_agent_token`` no longer has +any effect. .. warning:: If the Bare Metal Service is updated, and the version of |
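Review bot: In the first hunk (@@ -29,7 +29,8 @@), the added sentence "the tokens are a randomly generated using the Python ``secrets`` library" has a stray "a" and should read "the tokens are randomly generated using the Python ``secrets`` library". "As of mid-2020" will age badly in admin documentation; naming the release, as the second hunk does with Victoria, would be easier to check against a deployment. Since the documented length drops from 128 to 43 characters, it would also help to state how many random bytes those 43 characters encode, so an operator comparing the old and new text can judge token strength rather than string length.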
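Review bot: In the second hunk (@@ -43,9 +44,10 @@), "manditory" in the added text should be "mandatory", and the clause naming ``[DEFAULT]require_agent_token`` needs a comma after the option name, before "no longer has any effect". Because the option now has no effect, the paragraph should tell an operator who still has it in their configuration what to do with it, and say what happens to an agent that presents no token; if the ``.. warning::`` that follows already covers older agents, a pointer to it is enough. The unchanged context line just above, "refuse "heartbeat" requests from the ``ironic-python-agent``", reads as if the API refuses the agent's own heartbeats, and this change is a good place to reword it.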