[openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

Petr Blaho pblaho at redhat.com
Mon Feb 24 08:18:29 UTC 2014


On Fri, Feb 21, 2014 at 10:24:24AM +0100, Tomas Sedovic wrote:
> On 20/02/14 16:24, Imre Farkas wrote:
> > On 02/20/2014 03:57 PM, Tomas Sedovic wrote:
> >> On 20/02/14 15:41, Radomir Dopieralski wrote:
> >>> On 20/02/14 15:00, Tomas Sedovic wrote:
> >>>
> >>>> Are we even sure we need to store the passwords in the first place? All
> >>>> this encryption talk seems very premature to me.
> >>>
> >>> How are you going to redeploy without them?
> >>>
> >>
> >> What do you mean by redeploy?
> >>
> >> 1. Deploy a brand new overcloud, overwriting the old one
> >> 2. Updating the services in the existing overcloud (i.e. image updates)
> >> 3. Adding new machines to the existing overcloud
> >> 4. Autoscaling
> >> 5. Something else
> >> 6. All of the above
> >>
> >> I'd guess each of these has different password workflow requirements.
> > 
> > I am not sure if all these use cases have different password
> > requirements. If you check devtest, no matter whether you are creating or
> > just updating your overcloud, all the parameters have to be provided for
> > the heat template:
> > https://github.com/openstack/tripleo-incubator/blob/master/scripts/devtest_overcloud.sh#L125
> > 
> > 
> > I would rather not require the user to enter 5/10/15 different passwords
> > every time Tuskar updates the stack. I think it's much better to
> > autogenerate the passwords for the first time, provide an option to
> > override them, then save and encrypt them in Tuskar. So +1 for designing
> > a proper system for storing the passwords.
> 
> Well if that is the case and we can't change the templates/heat to
> change that, the secrets should be put in Keystone or at least go
> through Keystone. Or use Barbican or whatever.
> 
> We shouldn't be implementing crypto in Tuskar.

+1

> 
> > 
> > Imre
> > 
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > 
> 
> 

-- 
Petr Blaho, pblaho at redhat.com
Software Engineer


