[openstack-dev] [TripleO] FreeIPA integration
Adam Young
ayoung at redhat.com
Wed Apr 6 02:02:58 UTC 2016
On 04/05/2016 11:42 AM, Fox, Kevin M wrote:
> Yeah, and they just deprecated vendor data plugins too, which
> eliminates my other workaround. :/
>
> We need to really discuss this problem at the summit and get a viable
> path forward. It's just getting worse. :/
>
> Thanks,
> Kevin
> ------------------------------------------------------------------------
> *From:* Juan Antonio Osorio [jaosorior at gmail.com]
> *Sent:* Tuesday, April 05, 2016 5:16 AM
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* Re: [openstack-dev] [TripleO] FreeIPA integration
>
>
>
> On Tue, Apr 5, 2016 at 2:45 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov
> <mailto:Kevin.Fox at pnnl.gov>> wrote:
>
> This sounds suspiciously like, "how do you get a secret to the
> instance to get a secret from the secret store" issue.... :)
>
> Yeah, sounds pretty familiar. We were using the nova hooks mechanism
> for this means, but it was deprecated recently. So bummer :/
>
>
> Nova instance user spec again?
>
> Thanks,
> Kevin
>
Yep, and we need a solution. I think the right solution is a keypair
generated on the instance, public key posted by the instance to the
hypervisor and stored with the instance data in the database. I wrote
that to the mailing list earlier today.
A basic rule of a private key is that it never leaves the machine on
which it is generated. The rest falls out from there.
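
The flow proposed in the message above, sketched with the openssl CLI as an added example (not part of the original e-mail and not OpenStack code). The function names, the directory standing in for the instance's database record, and the challenge-signing step used to show what the stored public key is good for are all assumptions.

```shell
#!/bin/sh
# Added illustration: names and paths are hypothetical, not OpenStack APIs.
set -eu

# ON THE INSTANCE: generate the keypair locally; the private key stays here.
instance_generate_keypair() (   # $1 = instance-private directory
    umask 077                   # subshell body, so the caller's umask is untouched
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/instance.key"
    openssl ec -in "$1/instance.key" -pubout -out "$1/instance.pub" 2>/dev/null
)

# ON THE HYPERVISOR SIDE: store the posted key with the instance record.
register_public_key() {         # $1 = posted key file, $2 = record dir (stands in for the DB row)
    # Refuse private key material sent by mistake, then require a parseable public key.
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
    openssl pkey -pubin -in "$1" -noout 2>/dev/null || return 1
    cp "$1" "$2/pubkey.pem"
}

# ON THE INSTANCE: prove possession by signing a challenge.
instance_sign() {               # $1 = instance dir, $2 = challenge file, $3 = signature out
    openssl dgst -sha256 -sign "$1/instance.key" -out "$3" "$2"
}

# VERIFIER: needs only the stored public key, never a shared secret.
verify_instance() {             # $1 = record dir, $2 = challenge file, $3 = signature
    openssl dgst -sha256 -verify "$1/pubkey.pem" -signature "$3" "$2" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/instance" "$work/record"
    instance_generate_keypair "$work/instance"
    register_public_key "$work/instance/instance.pub" "$work/record"
    openssl rand -hex 32 > "$work/challenge"     # constructed sample challenge
    instance_sign "$work/instance" "$work/challenge" "$work/sig"
    if verify_instance "$work/record" "$work/challenge" "$work/sig"; then
        echo "instance proved possession of its private key"
    fi
    rm -rf "$work"
}

demo
```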