[openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

Ladislav Smola lsmola at redhat.com
Wed Feb 19 17:10:57 UTC 2014


Hello,

I would like to have your opinion about how to deal with passwords in Tuskar-API.

The background is that tuskarAPI is storing heat template parameters in its database; it's a preparation for more complex workflows, when we will need to store the data before the actual heat stack-create.

So right now, the state is unacceptable: we are storing sensitive data (all the heat passwords and keys) in a raw form in the TuskarAPI database. That is wrong, right?

So is anybody aware of the reasons why we would need to store the passwords? Storing them for a small amount of time (rather in a session) should be fine, so we can use them for later init of the stack.
Do we need to store them for heat stack-update? Cause heat throws them away.

If yes, this bug should change to encrypting all of the sensitive data, right? Cause it might be just me, but dealing with sensitive data like this is the 8th deadly sin.

The second thing is, if users update their passwords, the info in the TuskarAPI will be obsolete and can't be used anyway.

There is a bug filed for it:
https://bugs.launchpad.net/tuskar/+bug/1282066

Thanks for the feedback, seems like the bug is not as straightforward as I thought.

Kind Regards,
Ladislav