[Openstack-operators] Security around enterprise credentials and OpenStack API

Matt Fischer matt at mattfischer.com
Wed Apr 1 00:35:08 UTC 2015


Mathieu,

We use LDAP (AD) with a fallback to MySQL. This allows us to store service
accounts (like nova) and "team accounts" for use in Jenkins/scripts, etc. in
MySQL. We only do Identity via LDAP and we have a forked copy of this
driver (https://github.com/SUSE-Cloud/keystone-hybrid-backend) to do this.
We don't have any permissions to write into LDAP or move people into
groups, so we keep a copy of users locally for purposes of user-list
operations. The only interaction between OpenStack and LDAP for us is when
that driver tries a bind.



On Tue, Mar 31, 2015 at 6:06 PM, Mathieu Gagné <mgagne at iweb.com> wrote:

> Hi,
>
> Let's say I wish to use an existing enterprise LDAP service to manage my
> OpenStack users so I only have one place to manage users.
>
> How would you manage authentication and credentials from a security
> point of view? Do you tell your users to use their enterprise
> credentials or do you use another method/credentials?
>
> The reason is that (usually) enterprise credentials also give access to
> a whole lot of systems other than OpenStack itself. And it goes without
> saying that I'm not fond of the idea of storing my password in plain
> text to be used by some scripts I created.
>
> What's your opinion/suggestion? Do you guys have a second credential
> system solely used for OpenStack?
>
> --
> Mathieu
>