[Openstack-operators] Security around enterprise credentials and OpenStack API

Adam Young ayoung at redhat.com
Mon Aug 31 15:56:08 UTC 2015

On 03/31/2015 08:06 PM, Mathieu Gagné wrote:
> Hi,
> Lets say I wish to use an existing enterprise LDAP service to manage my
> OpenStack users so I only have one place to manage users.
> How would you manage authentication and credentials from a security
> point of view? Do you tell your users to use their enterprise
> credentials or do you use an other method/credentials?
> The reason is that (usually) enterprise credentials also give access to
> a whole lot of systems other than OpenStack itself. And it goes without
> saying that I'm not fond of the idea of storing my password in plain
> text to be used by some scripts I created.
> What's your opinion/suggestion? Do you guys have a second credential
> system solely used for OpenStack?
Better options are to use Kerberos or X509  Client cert driven off your 
Directory account.

SAML for as SSO to Keystone is also viable.

YOu can do S4U2 Proxy to talk to Horizon and get a token for the user 

More information about the OpenStack-operators mailing list