<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt"><div>The current username/password authentication mechanism is not the best security practice. However, assuming there is a point-to-point secure channel, the risk of password exposure can be contained. In addition to that, one can always choose external authentication plugged into Keystone, e.g., your own middleware in the pipeline or Kerberos (not fully functional yet). Some hints are provided in the Keystone guideline: </div><div>http://docs.openstack.org/developer/keystone/external-auth.html<br></div><div class="yahoo_quoted" style="display: block;"> <br> <br> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;
font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, February 5, 2014 12:25 PM, "Clark, Robert Graham" &lt;robert.clark@hp.com&gt; wrote:<br> </font> </div> <div class="y_msg_container">On Wed Feb 5 08:34:34 2014, Rob Crittenden wrote:<br>> Emanuel Marzini wrote:<br>>> Hi,<br>>> I have software that uses OpenStack. When it does an action for the<br>>> first time, it needs to get a token from OpenStack. How is it possible<br>>> to make a POST request like:<br>>><br>>> '{"auth":{"passwordCredentials":{"username": "joeuser", "password":<br>>> "secrete"}}}' -H "Content-type: application/json"<br>>> <a href="http://localhost:35357/v2.0/tokens" target="_blank">http://localhost:35357/v2.0/tokens</a><br>>><br>>> without passing the password in plaintext???<br>>><br>>> Is it possible to use PKI, SSL and so on?<br>><br>> The documentation on this is scant but you
can start with something like<br>> <a href="http://docs.openstack.org/developer/keystone/configuration.html" target="_blank">http://docs.openstack.org/developer/keystone/configuration.html</a><br>><br>> You'll need to create new endpoints for the SSL provider and set<br>> OS_SERVICE_ENDPOINT to the secure version.<br>><br>> If you want to disable/remove the unsecure ports things get rather<br>> interesting as you'll need to configure all the other services to use<br>> this as well. I don't know how well or if that actually works everywhere.<br>><br>> rob<br>><br><br>You might find some of the guidance from the OpenStack Security Guide <br>useful too: <br><a href="http://docs.openstack.org/security-guide/content/ch024_authentication.html" target="_blank">http://docs.openstack.org/security-guide/content/ch024_authentication.html</a><br><br></div> </div> </div> </div> </div></body></html>