<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03/23/2016 11:46 AM, Tim Bell wrote:<br>
</div>
<blockquote cite="mid:1A95171E-74FD-4F7F-BC61-6CAA62F2F77F@cern.ch"
type="cite">
<div>
<div>
<div>We use Kerberos and X.509 in Keystone V3 for the end
users.</div>
<div><br>
</div>
<div>It works very nicely (although the python client-* CLIs
often do not support it so you have to use the openstack OSC
CLI)</div>
</div>
</div>
</blockquote>
<br>
I'm personally in favor of moving toward a Federated approach using
Kerberos, LDAP, mod_lookup_identity, and sssd.<br>
<br>
<a class="moz-txt-link-freetext" href="http://adam.younglogic.com/2015/03/key-fed-lookup-redux/">http://adam.younglogic.com/2015/03/key-fed-lookup-redux/</a><br>
<br>
<br>
Probably the biggest benefit is that you then have the same setup
for your Keystone server as you would do for all of the applications
running in the cloud.<br>
<br>
It also means I don't have to troubleshoot nasty LDAP Keystone
configs for people. Nasty Hobbitses. <br>
<br>
<br>
<blockquote cite="mid:1A95171E-74FD-4F7F-BC61-6CAA62F2F77F@cern.ch"
type="cite">
<div>
<div>
<div><br>
</div>
<div>Tim</div>
<div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Mike Smith &lt;<a
moz-do-not-send="true" href="mailto:mismith@overstock.com">mismith@overstock.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Wednesday 23
March 2016 at 16:28<br>
<span style="font-weight:bold">To: </span>openstack &lt;<a
moz-do-not-send="true"
href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re:
[Openstack] password in clear text<br>
</div>
<div><br>
</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"
style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0
0 0 5;">
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
Piggybacking on this question, I also would like to know
if there is a solution to prevent storing passwords in the
various service config files. We store our configs in
subversion, and I hate that I have those passwords in
there. <br class="">
<div apple-content-edited="true" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows:
auto; word-spacing: 0px; -webkit-text-stroke-width:
0px; word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space:
normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px; word-wrap:
break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px; word-wrap:
break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
<br class="">
Mike Smith<br class="">
Lead Cloud Systems Architect</div>
<div style="color: rgb(0, 0, 0); letter-spacing:
normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px; word-wrap:
break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;" class="">
<a moz-do-not-send="true"
href="http://Overstock.com" class="">Overstock.com</a><br
class="">
<br class="">
<br class="">
</div>
</div>
</div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Mar 23, 2016, at 9:04 AM, Jagga
Soorma &lt;<a moz-do-not-send="true"
href="mailto:jagga13@gmail.com" class="">jagga13@gmail.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">Hi Guys,
<div class=""><font class=""
face="arial,helvetica,sans-serif"><br class="">
</font></div>
<div class=""><font class=""
face="arial,helvetica,sans-serif">Currently
when using the openstack api I have to save my
password in clear text in the OS_PASSWORD
environment variable. Is there a more secure
way to use the openstack api without having to
either store this password in clear text or
enter the password manually every time I run an
openstack command? Is there some way that I
can use a token id? I have tried but can't
seem to get it to work and am not sure what else
is possible. </font></div>
<div class=""><font class=""
face="arial,helvetica,sans-serif"><br class="">
</font></div>
<div class=""><font class=""
face="arial,helvetica,sans-serif">Thanks in
advance for your help with this.</font></div>
</div>
_______________________________________________<br
class="">
Mailing list: <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"
class="">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br
class="">
Post to : <a moz-do-not-send="true"
href="mailto:openstack@lists.openstack.org"
class="">openstack@lists.openstack.org</a><br
class="">
Unsubscribe : <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"
class="">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br
class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</span>
<br>
</blockquote>
<br>
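Added example, not part of the original thread or of any OpenStack project code: a Python check for the concern quoted above about passwords sitting in service config files that are kept in version control. It flags literal secrets and credentials embedded in URLs in oslo.config-style INI files; the sample config, its host names and secrets, and the ${VAR} / %VAR% placeholder convention are constructed assumptions.

```python
import configparser
import re
import sys
from pathlib import Path

# Option names that usually hold a credential (a heuristic; expect some false positives).
SECRET_NAME = re.compile(r"password|passwd|secret", re.IGNORECASE)
# Password part of scheme://user:password@host values (database and message-queue URLs).
URL_CRED = re.compile(r"://[^/\s:@]+:([^@/\s]+)@")
# Values filled in at deploy time; the ${VAR} and %VAR% syntax is an assumption.
PLACEHOLDER = re.compile(r"^(\$\{\w+\}|%\w+%)$")

# Constructed sample of an OpenStack-style service config (hosts and secrets are made up).
SAMPLE = """\
[DEFAULT]
transport_url = rabbit://openstack:Rabb1tPw@mq.example.test:5672/

[database]
connection = mysql+pymysql://nova:${NOVA_DB_PASSWORD}@db.example.test/nova

[keystone_authtoken]
auth_url = http://controller.example.test:5000/v3
username = nova
password = Sup3rS3cret
"""


def find_plaintext_secrets(text):
    """Return (section, option, reason) for every credential stored in clear text."""
    # A dummy default_section makes [DEFAULT] an ordinary section, so nothing is inherited.
    parser = configparser.RawConfigParser(default_section="__unused__", strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            url = URL_CRED.search(value)
            if SECRET_NAME.search(option) and value and not PLACEHOLDER.match(value):
                findings.append((section, option, "literal secret"))
            elif url and not PLACEHOLDER.match(url.group(1)):
                findings.append((section, option, "credential in URL"))
    return findings


if __name__ == "__main__":
    # Usage as a pre-commit check: pass config paths; exit status 1 blocks the commit.
    hits = [(p, f) for p in sys.argv[1:] for f in find_plaintext_secrets(Path(p).read_text())]
    for path, (section, option, reason) in hits:
        print(f"{path}: [{section}] {option}: {reason}")
    sys.exit(1 if hits else 0)
```

Run against the constructed sample, it reports the RabbitMQ URL and the keystone_authtoken password and passes the templated database connection.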
</body>
</html>