<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <br>
    <br>
    <div class="moz-cite-prefix">On 12/11/2017 07:08 PM, Adam Heczko
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAJciqMynvk1NN5geMf8z+A6fSX=jaQ0=w=Y2opigGTyZ8Cf+8g@mail.gmail.com">
      <div dir="ltr">Thanks Lance for a comprehensive summary.
        <div>However, I'm a bit puzzled by the application credentials spec,
          specifically by the sentence 'This model, while convenient
          for keystone,</div>
        <div>increases the risk of account compromise by requiring the
          distribution of unencrypted passwords.'</div>
        <div>My personal preference for securing OS cloud credentials is
          to leverage X.509/PKI rather than username and password.</div>
        <div>The X.509 authN plugin has been available for some time [4], and
          I'd really appreciate it if the Keystone team could explain how app
          credentials will interact with the existing (e.g. x.509) authN
          plugin in a federated scenario. How is role assignment derived from
          federation mapping (and the x.509 certificate) going to
          interact with application credentials?</div>
        <div>
          <div>This is important for me since I have received a lot of
            complaints about clear text passwords, and typically my
            recommendation is to mitigate it with said x.509 approach.</div>
        </div>
      </div>
    </blockquote>
    As far as the application credentials implementation goes, there
    will still be an ID and a secret that need to be used when
    authenticating. So if you have requirements around plaintext
    passwords in service configuration files, you might still have that
    concern with application credentials, since the secret is essentially
    the password.<br>
    <br>
    We have had a few sessions with oslo [0] about the storage of
    passwords in configuration files that might be relevant to you
    though (if I'm understanding correctly).<br>
    <br>
    [0]
<a class="moz-txt-link-freetext" href="http://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html">http://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html</a><br>
    <br>
    <blockquote type="cite"
cite="mid:CAJciqMynvk1NN5geMf8z+A6fSX=jaQ0=w=Y2opigGTyZ8Cf+8g@mail.gmail.com">
      <div dir="ltr">
        <div><br>
        </div>
        <div>[4] <a href="https://review.openstack.org/#/c/283905/16"
            moz-do-not-send="true">https://review.openstack.org/#/c/283905/16</a><br>
        </div>
        <div>[5] <a
href="https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html"
            moz-do-not-send="true">https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html</a></div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Dec 11, 2017 at 11:37 PM, Lance
          Bragstad <span dir="ltr">&lt;<a
              href="mailto:lbragstad@gmail.com" target="_blank"
              moz-do-not-send="true">lbragstad@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Sending
            out a gentle reminder that feature proposal freeze will be
            next<br>
            week. It looks like all possible features are in flight
            based on the<br>
            current state of the specs repository. The only exception is
            the unified<br>
            limit specification, which was rebased and passing today
            [0].<br>
            <br>
            Thanks!<br>
            <br>
            [0] <a href="https://review.openstack.org/#/c/455709/"
              rel="noreferrer" target="_blank" moz-do-not-send="true">https://review.openstack.org/#<wbr>/c/455709/</a><br>
            <span class=""><br>
              On 11/20/2017 11:25 AM, Lance Bragstad wrote:<br>
              > Sending out a reminder that we have a couple
              deadlines approaching.<br>
              ><br>
            </span>> First, *specification* *freeze* is *two weeks
            away*. Here is a short<br>
            <span class="">> list of things we've committed to but
              need the specification to merge:<br>
              ><br>
              > - Unified Limits API [0]<br>
              > - Application Credentials [1]<br>
              > - System Scope [2]<br>
              > - Scope Types [3]<br>
              ><br>
              > These reviews should take priority.<br>
              ><br>
            </span>> Second, *feature* *proposal* *freeze* is *four
            weeks away*. Remember<br>
            <span class="">> that this deadline falls earlier than
              last release due to the holiday<br>
              > season. So far, only application credentials and
              unified limits are<br>
              > missing proposed implementations. Again, these are
              just proposals.<br>
              > Feature freeze is January 26th.<br>
              ><br>
              > If you have spare cycles and want to tag-team one of
              these efforts<br>
              > with an existing owner, please don't hesitate to
              reach out. Let me<br>
              > know if there is anything I've missed. Thanks!<br>
              ><br>
              ><br>
              > [0] <a
                href="https://review.openstack.org/#/c/455709/"
                rel="noreferrer" target="_blank" moz-do-not-send="true">https://review.openstack.org/#<wbr>/c/455709/</a><br>
              > [1] <a
                href="https://review.openstack.org/#/c/512505/"
                rel="noreferrer" target="_blank" moz-do-not-send="true">https://review.openstack.org/#<wbr>/c/512505/</a><br>
              > [2] <a
                href="https://review.openstack.org/#/c/464763/"
                rel="noreferrer" target="_blank" moz-do-not-send="true">https://review.openstack.org/#<wbr>/c/464763/</a><br>
              > [3] <a
                href="https://review.openstack.org/#/c/500207/"
                rel="noreferrer" target="_blank" moz-do-not-send="true">https://review.openstack.org/#<wbr>/c/500207/</a><br>
              <br>
              <br>
            </span>______________________________<wbr>______________________________<wbr>______________<br>
            OpenStack Development Mailing List (not for usage questions)<br>
            Unsubscribe: <a
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
              rel="noreferrer" target="_blank" moz-do-not-send="true">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
            <a
              href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
              rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature" data-smartmail="gmail_signature">
          <div dir="ltr">
            <div
              style="color:rgb(136,136,136);font-size:12.8000001907349px">Adam
              Heczko</div>
            <div
              style="color:rgb(136,136,136);font-size:12.8000001907349px">Security
              Engineer @ Mirantis Inc.</div>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
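The point made above, that an application credential secret sits in a service configuration file exactly like a password does, can be checked mechanically. The following is an added example, not code from this thread or from keystone: a small scanner for oslo.config-style INI files that flags any populated <code>password</code> or <code>application_credential_secret</code> option. The option names under <code>auth_type = v3applicationcredential</code> are assumed (they follow the later keystoneauth naming), and the sample configuration is constructed.

```python
"""Flag plaintext Keystone secrets in an oslo.config-style INI file.

Added example, not code from the thread or from keystone. The option
names in SECRET_KEYS and the application-credential section below are
assumptions based on later keystoneauth naming; SAMPLE_CONF is constructed.
"""
import configparser

# Options that hold a secret. An application credential secret is treated
# exactly like a password: both are literal secrets in the file.
SECRET_KEYS = {"password", "application_credential_secret"}

# Constructed sample: one section authenticating with a password, one with
# an application credential. Neither changes what sits in the file in clear.
SAMPLE_CONF = """
[keystone_authtoken]
auth_type = password
auth_url = https://keystone.example.test/v3
username = nova
password = s3cr3t-plaintext
user_domain_name = Default

[service_user]
auth_type = v3applicationcredential
auth_url = https://keystone.example.test/v3
application_credential_id = 0f9c1a2b3c4d5e6f
application_credential_secret = another-plaintext-secret
"""


def find_plaintext_secrets(conf_text):
    """Return (section, option) pairs whose value is a literal secret.

    An empty value is not a finding: with an external secret source, such
    as the oslo.config drivers proposed in [0], the value is supplied at
    load time and need not be written into the file at all.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if option in SECRET_KEYS and value.strip():
                findings.append((section, option))
    return findings


if __name__ == "__main__":
    for section, option in find_plaintext_secrets(SAMPLE_CONF):
        print("[%s] %s is stored in clear text" % (section, option))
```

Run against a real service config, the scanner reports both sections, which is the concern raised about distributing unencrypted passwords; an empty value backed by an external secret store would not be reported.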
    <br>
  </body>
</html>