Hi All,

If I use the openstacksdk to connect to an openstack cloud, I have to use clouds.yaml file for specifying the cloud configuration which includes username and password as well. Since it's a plain text file, how can I mask the password mentioned in clouds.yaml file for security purposes?

Thanks
Kumar

On 07/11/23 04:58, Gk Gk wrote:
> Hi All,
>
> If I use the openstacksdk to connect to an openstack cloud, I have to use clouds.yaml file for specifying the cloud configuration which includes username and password as well. Since it's a plain text file, how can I mask the password mentioned in clouds.yaml file for security purposes?

I don't think there is any way to mask the password in clouds.yaml but the clouds-public.yaml sounds like it might work for you:

https://docs.openstack.org/python-openstackclient/latest/configuration/index...

-melwitt

On Tue, 11 Jul 2023 at 22:02, Gk Gk <ygk.kmr@gmail.com> wrote:
> Hi All,
>
> If I use the openstacksdk to connect to an openstack cloud, I have to use clouds.yaml file for specifying the cloud configuration which includes username and password as well. Since it's a plain text file, how can I mask the password mentioned in clouds.yaml file for security purposes?

You can also create and use a token for authentication.

-=-=-=-=-=-=-
$ openstack \
    --os-auth-url "$OS_AUTH_URL" \
    --os-user-domain-name "<<REDACTED>>" \
    --os-region-name "regionOne" \
    --os-interface "public" \
    --os-identity-api-version 3 \
    --os-project-name "$OS_PROJECT_NAME" \
    --os-username "$OS_USERNAME" \
    --os-project-domain-id "$OS_PROJECT_DOMAIN_ID" \
    --os-password "$OS_PASSWORD" \
    token issue -f value -c id

$ cat ~/.config/openstack/clouds.yaml
---
clouds:
  openstack:
    auth_type: "token"
    auth:
      token: "<<REDACTED>>"
      auth_url: "<<REDACTED>>"
      project_id: "<<REDACTED>>"
etc etc etc
-=-=-=-=-=-=-

You will need to generate the token regularly, but it does avoid having the plain text password on disk.

Yours Tony.

There is support for splitting configuration into clouds.yaml and secret.yaml (read the SDK documentation for details on that). This way you can keep clouds.yaml without username and password to be able to share it freely.

Artem

Is the file secret.yaml encrypted or plain text?

On 2023-07-12 13:55:06 +0530 (+0530), Gk Gk wrote:
> Is the file secret.yaml encrypted or plain text ?
[...]

It's plain text, but you could for example LUKS mount an encrypted file on a loopback and store it inside that. The bigger question is, if you encrypt the file with your password in it, then where do you safely store the decryption key? Without knowing more about your use case, it sounds like you're back to the same problem you had with the password.

If you're only using the software interactively anyway then just don't put the password in your configuration, enter it when prompted instead. You can also supply it as an environment variable (OS_PASSWORD) or command line argument (--os-password) if you don't want to be prompted but also don't want to put it in your configuration.

--
Jeremy Stanley

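An added example, not from any poster in this thread or from the openstacksdk project: a sketch of the split Artem describes, combined with the fact from Jeremy's reply that the secrets file is still plain text, so it is written with owner-only permissions. It works on an already-parsed configuration; the key list, the helper names and the sample values are assumptions, and the openstacksdk documentation names the secrets file secure.yaml.

```python
import copy
import os
import stat

# Auth keys moved out of the shareable file (assumed list; extend it for
# the auth plugin you use). username is included, as in Artem's reply.
PRIVATE_KEYS = {"username", "password", "token", "application_credential_secret"}


def split_secrets(config):
    """Return (public, secure); secure carries only the private auth values."""
    public = copy.deepcopy(config)
    secure = {"clouds": {}}
    for name, cloud in public.get("clouds", {}).items():
        auth = cloud.get("auth") or {}
        moved = {k: auth.pop(k) for k in list(auth) if k in PRIVATE_KEYS}
        if moved:
            secure["clouds"][name] = {"auth": moved}
    return public, secure


def deep_merge(base, overlay):
    """Overlay one mapping on another recursively, to check the split is lossless."""
    merged = copy.deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def write_private(path, text):
    """Write text readable by the owning user only; return the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(path, 0o600)  # also tightens a file that already existed
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample: parsed content of a clouds.yaml with an inline password.
SAMPLE = {"clouds": {"openstack": {
    "region_name": "regionOne",
    "auth": {"auth_url": "https://keystone.example.test/v3",
             "username": "demo", "password": "constructed-secret",
             "project_name": "demo"}}}}

if __name__ == "__main__":
    public, secure = split_secrets(SAMPLE)
    print("shareable clouds.yaml content:", public)
    print("private secure.yaml content:  ", secure)
```

Serialise each returned mapping with your YAML library and pass the secrets half to write_private; the shareable half can be committed or handed to colleagues.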
participants (5)
- Artem Goncharov
- Gk Gk
- Jeremy Stanley
- melanie witt
- Tony Breeds