<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div>Sweet thx all :-)</div><div><br></div><div>This is great and a step forward…</div><div><br></div><div><a href="https://blueprints.launchpad.net/openstack-common/+spec/pw-keyrings">https://blueprints.launchpad.net/openstack-common/+spec/pw-keyrings</a></div><div><br></div><div>Now just to get it into those config files to use something similar (no passwords in those pweeease…)</div><div><br></div><div>-Josh</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Bhuvaneswaran A <<a href="mailto:bhuvan@apache.org">bhuvan@apache.org</a>><br><span style="font-weight:bold">Date: </span> Wednesday, August 22, 2012 4:15 PM<br><span style="font-weight:bold">To: </span> Adam Young <<a href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>><br><span style="font-weight:bold">Cc: </span> openstack <<a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>><br><span style="font-weight:bold">Subject: </span> Re: [Openstack] Keyring support in openstack<br></div><div><br></div><div><div><br><br><div class="gmail_quote">On Mon, Jul 30, 2012 at 5:48 PM, Adam Young <span dir="ltr">
<<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div><div class="h5"><div>On 07/30/2012 06:00 PM, Doug Hellmann wrote:<br></div><blockquote type="cite"><br><br><div class="gmail_quote">On Mon, Jul 30, 2012 at 5:30 PM, Adam Young <span dir="ltr">
<<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The wiki mentions the password being saved using<br>
keyring.backend.UncryptedFileKeyring. Does that mean the password is<br></blockquote>
saved<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
in cleartext? Is the file protected in some way besides filesystem<br>
permissions?<br></blockquote>
As mentioned in wiki page, the password is stored in base64 format.<br></blockquote>
Which means it's stored in cleartext. That is Not Good(tm) :)<br></blockquote></div>
Can Keyring be used to store a token instead? That would A) be better than password and B) avoid a Keystone hit.</blockquote><div><br></div><div>Don't tokens expire?</div></div></blockquote><br><br></div></div>
Yes, they do, but that is no reason not to put them in the keyring,<br><br>With the PKI tokens, you will be able to query a token's expiry without going across the wire.<br></div></blockquote><div><br>
Adam, can you please file a ticket to use keyring to store tokens for keystone? I'll work on it.<br></div></div>
-- <br>
Regards,<br>
Bhuvaneswaran A<br><a href="http://www.livecipher.com">www.livecipher.com</a><br></div></div></span></body></html>