[openstack-dev] default keyring use to False?

Adam Young ayoung at redhat.com
Mon Dec 10 16:29:25 UTC 2012


Collaborate and listen.

Think very hard about which is more secure, caching or not-caching?  You 
might be surprised.

With the no-cache option, you end up caching the User Id and Password, 
either in an environment variable, your scripts, or something

with the caching option, you cache the tokens

This will cut down on the load on Keystone
This will also be more secure.

Lets find a way to fix the caching.  Lets not give in to the "security 
enhancements are annoying, lets disable them" reaction.

On 12/07/2012 02:07 PM, Dan Prince wrote:
> Okay. Seems like there is some consensus on this so here are some of the relevant reviews:
> For novaclient (maintains backwards compat for the old --no-cache args):
>   https://review.openstack.org/#/c/17692/ (Adds --os-cache to replace old --no-cache.)
> For keystoneclient it just switches things over to use --os-cache. This seems reasonable since keystoneclient was just updated with these changes this week and we haven't tagged a release yet (that I know if):
>   https://review.openstack.org/#/c/17634/ (Rename --no_cache to --os_cache.)
>   https://review.openstack.org/#/c/17630/ (Make use_keyring False by default.)
> Dan
> ----- Original Message -----
>> From: "Joshua Harlow" <harlowja at yahoo-inc.com>
>> To: "OpenStack Development Mailing List" <openstack-dev at lists.openstack.org>, "Dan Prince" <dprince at redhat.com>
>> Sent: Friday, December 7, 2012 1:37:14 PM
>> Subject: Re: [openstack-dev] default keyring use to False?
>> Please do :-)
>> +1
>> On 12/6/12 7:36 PM, "Dan Prince" <dprince at redhat.com> wrote:
>>> What are thoughts on disabling keyring use in our clients by
>>> default?
>>> Some background:
>>> If you have python-keyring installed and try to use the most recent
>>> versions of novaclient and keystoneclient you'll end up with a
>>> prompt
>>> like this:
>>>   Please set a password for your new keyring
>>>   Warning: Password input may be echoed.
>>>   Password (again):
>>> To work around this many of us set --no-cache or even export an
>>> environment variable OS_NO_CACHE. It seems like most people are
>>> doing
>>> this by default... so why not cut our losses here and change our
>>> keyring
>>> settings to be disabled by default.
>>> Now that this is included in keystoneclient this also effects other
>>> clients (which make use of it for auth) as well. I hit this today
>>> with
>>> glanceclient... and it would presumably effect swiftclient as well.
>>> To avoid the double negative perhaps changing the option to be
>>> called
>>> --os-cache (which would be defaulting to False) would make sense as
>>> well?
>>> We could call the environment variable OS_CACHE as well.
>>> Dan
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list