[openstack-dev] default keyring use to False?

Jay Pipes jaypipes at gmail.com
Tue Dec 11 17:02:27 UTC 2012


On 12/10/2012 10:47 PM, Adam Young wrote:
> The real question is how do we make Keyring work for completely 
> automated deploys, the kind of thing that we would use a Kerberos Keytab 
> for in Enterprise systems?  If we need to keep a cleartext password 
> around anyway, we are kinda hosed.
> 
> It seems like the right solution would be to use either Kerberos or X509 
> Authentication to get the initial token.  Ideally, Keyring would be set 
> up to store the token in one of the existing stores (like an NSS 
> Database) so we get a secure cache.

Why not just rely on the deployment method's secure storage, instead of
trying to think this through ahead of time? I think things like Chef's
encrypted data bags would be the ideal solution for things like this?

Thoughts?
-jay


