[openstack-dev] default keyring use to False?
Jay Pipes
jaypipes at gmail.com
Tue Dec 11 17:02:27 UTC 2012
On 12/10/2012 10:47 PM, Adam Young wrote:
> The real question is how do we make Keyring work for completely
> automated deploys, the kind of thing that we would use a Kerberos Keytab
> for in Enterprise systems? If we need to keep a cleartext password
> around anyway, we are kinda hosed.
>
> It seems like the right solution would be to use either Kerberos or X509
> Authentication to get the initial token. Ideally, Keyring would be set
> up to store the token in one of the existing stores (like an NSS
> Database) so we get a secure cache.
Why not just rely on the deployment method's secure storage, instead of
trying to think this through ahead of time? I think things like Chef's
encrypted data bags would be the ideal solution for things like this?
Thoughts?
-jay