
<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Wed, Aug 29, 2018 at 1:16 PM Waines, Greg <<a href="mailto:Greg.Waines@windriver.com">Greg.Waines@windriver.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">

<div class="m_329163095983434052WordSection1">

<p class="MsoNormal"><span style="font-size:11.0pt">Makes sense.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt">So what is the recommended upstream approach for securely storing user passwords in keystone ?</span></p></div></div></blockquote><div><br></div><div>Keystone will hash passwords before persisting them in their own table. Encrypted passwords are never stored.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_329163095983434052WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt"><u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt">Is that what is being described here ? 

<a href="https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html" target="_blank">

https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html</a></span></p></div></div></blockquote><div><br></div><div>This is a separate mechanism for storing secrets, not necessarily passwords (although I agree the term credentials automatically makes people assume passwords). This is used if consuming keystone's native MFA implementation. For example, storing a shared secret between the user and keystone that is provided as a additional authentication method along with a username and password combination.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_329163095983434052WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt">

<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt">Greg.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>

<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black">Juan Antonio Osorio Robles <<a href="mailto:jaosorior@redhat.com" target="_blank">jaosorior@redhat.com</a>><br>

<b>Reply-To: </b>"<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>

<b>Date: </b>Wednesday, August 29, 2018 at 2:00 PM<br>

<b>To: </b>"<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>

<b>Subject: </b>Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-family:"Times New Roman""><u></u> <u></u></span></p>

</div>

<p>This is not the case. Barbican requires users and systems that use it to use keystone for authentication. So keystone can't use Barbican for this. Chicken and egg problem.<u></u><u></u></p>

<p class="MsoNormal"><u></u> <u></u></p>

<div>

<p class="MsoNormal">On 08/29/2018 08:08 PM, Waines, Greg wrote:<u></u><u></u></p>

</div>

<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">

<p class="MsoNormal"><span style="font-size:11.0pt">My understanding is that Keystone can be configured to use Barbican to securely store user passwords.</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt">Is this true ?</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt">If yes, is this the standard / recommended / upstream way to securely store Keystone user passwords ?</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt">If yes, I can’t find any descriptions of this is configured ?</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt">Can someone provide some pointers ?</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt">Greg.</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-family:"Times New Roman""><br>

<br>

<br>

<u></u><u></u></span></p>

<pre>__________________________________________________________________________<u></u><u></u></pre>

<pre>OpenStack Development Mailing List (not for usage questions)<u></u><u></u></pre>

<pre>Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><u></u><u></u></pre>

<pre><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></pre>

</blockquote>

<p class="MsoNormal"><span style="font-family:"Times New Roman""><br>

<br>

<u></u><u></u></span></p>

</div>

</div>


__________________________________________________________________________<br>

OpenStack Development Mailing List (not for usage questions)<br>

Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

</blockquote></div></div>