[openstack-dev] default keyring use to False?

Joshua Harlow harlowja at yahoo-inc.com
Tue Dec 11 00:38:39 UTC 2012 

Ice is back with my brand new invention
Something grabs a hold of me tightly
flows like a harpoon daily and nightly
Will it ever stop? Yo -- I don't know
Turn off the lights and I'll glow
To the extreme I rock a mic like a vandal
Light up a stage and wax a chump like a candle.

Lol. 


On 12/10/12 8:29 AM, "Adam Young" <ayoung at redhat.com> wrote:

>Stop.
>
>Collaborate and listen.
>
>Think very hard about which is more secure, caching or not-caching?  You
>might be surprised.
>
>
>With the no-cache option, you end up caching the User Id and Password,
>either in an environment variable, your scripts, or something
>
>with the caching option, you cache the tokens
>
>This will cut down on the load on Keystone
>This will also be more secure.
>
>Lets find a way to fix the caching.  Lets not give in to the "security
>enhancements are annoying, lets disable them" reaction.
>
>
>On 12/07/2012 02:07 PM, Dan Prince wrote:
>> Okay. Seems like there is some consensus on this so here are some of
>>the relevant reviews:
>>
>> For novaclient (maintains backwards compat for the old --no-cache args):
>>
>>   https://review.openstack.org/#/c/17692/ (Adds --os-cache to replace
>>old --no-cache.)
>>
>> For keystoneclient it just switches things over to use --os-cache. This
>>seems reasonable since keystoneclient was just updated with these
>>changes this week and we haven't tagged a release yet (that I know if):
>>
>>   https://review.openstack.org/#/c/17634/ (Rename --no_cache to
>>--os_cache.)
>>   https://review.openstack.org/#/c/17630/ (Make use_keyring False by
>>default.)
>>
>> Dan
>>
>> ----- Original Message -----
>>> From: "Joshua Harlow" <harlowja at yahoo-inc.com>
>>> To: "OpenStack Development Mailing List"
>>><openstack-dev at lists.openstack.org>, "Dan Prince" <dprince at redhat.com>
>>> Sent: Friday, December 7, 2012 1:37:14 PM
>>> Subject: Re: [openstack-dev] default keyring use to False?
>>>
>>> Please do :-)
>>>
>>> +1
>>>
>>> On 12/6/12 7:36 PM, "Dan Prince" <dprince at redhat.com> wrote:
>>>
>>>> What are thoughts on disabling keyring use in our clients by
>>>> default?
>>>>
>>>> Some background:
>>>>
>>>> If you have python-keyring installed and try to use the most recent
>>>> versions of novaclient and keystoneclient you'll end up with a
>>>> prompt
>>>> like this:
>>>>
>>>>   Please set a password for your new keyring
>>>>   Warning: Password input may be echoed.
>>>>   Password (again):
>>>>
>>>> To work around this many of us set --no-cache or even export an
>>>> environment variable OS_NO_CACHE. It seems like most people are
>>>> doing
>>>> this by default... so why not cut our losses here and change our
>>>> keyring
>>>> settings to be disabled by default.
>>>>
>>>> Now that this is included in keystoneclient this also effects other
>>>> clients (which make use of it for auth) as well. I hit this today
>>>> with
>>>> glanceclient... and it would presumably effect swiftclient as well.
>>>>
>>>> To avoid the double negative perhaps changing the option to be
>>>> called
>>>> --os-cache (which would be defaulting to False) would make sense as
>>>> well?
>>>> We could call the environment variable OS_CACHE as well.
>>>>
>>>> Dan
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>_______________________________________________
>OpenStack-dev mailing list
>OpenStack-dev at lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list