Open Stack

On 20/02/14 16:24, Imre Farkas wrote:
> On 02/20/2014 03:57 PM, Tomas Sedovic wrote:
>> On 20/02/14 15:41, Radomir Dopieralski wrote:
>>> On 20/02/14 15:00, Tomas Sedovic wrote:
>>>
>>>> Are we even sure we need to store the passwords in the first place? All
>>>> this encryption talk seems very premature to me.
>>>
>>> How are you going to redeploy without them?
>>>
>>
>> What do you mean by redeploy?
>>
>> 1. Deploy a brand new overcloud, overwriting the old one
>> 2. Updating the services in the existing overcloud (i.e. image updates)
>> 3. Adding new machines to the existing overcloud
>> 4. Autoscaling
>> 5. Something else
>> 6. All of the above
>>
>> I'd guess each of these have different password workflow requirements.
> 
> I am not sure if all these use cases have different password
> requirement. If you check devtest, no matter whether you are creating or
> just updating your overcloud, all the parameters have to be provided for
> the heat template:
> https://github.com/openstack/tripleo-incubator/blob/master/scripts/devtest_overcloud.sh#L125
> 
> 
> I would rather not require the user to enter 5/10/15 different passwords
> every time Tuskar updates the stack. I think it's much better to
> autogenerate the passwords for the first time, provide an option to
> override them, then save and encrypt them in Tuskar. So +1 for designing
> a proper system for storing the passwords.

Well if that is the case and we can't change the templates/heat to
change that, the secrets should be put in Keystone or at least go
through Keystone. Or use Barbican or whatever.

We shouldn't be implementing crypto in Tuskar.

> 
> Imre
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>