Hi,

Right now Ironic is responsible for storing the credentials for the IPMI and SSH drivers (and potentially other drivers in the future). I wonder if we should delegate this task to Keystone. The Keystone V3 API now has a /credentials endpoint which would allow us to specify arbitrary types (not only ec2 anymore) and use it as a credential store[1].

That would avoid further fragmentation of credentials being stored in different places in OpenStack, and make the management of the credentials easier. (Think about a situation where many nodes share the same IPMI username/password and we need to update it: if this is stored in Keystone, it only needs to be updated there once, because nodes will only hold a reference to it.)

It was also pointed out to me that setting a hard dependency on Keystone V3 might significantly raise the bar for integration with existing clouds*. So perhaps we should make it optional? In the same way we can specify a username/password or key_filename for the ssh driver, we could have a reference to a credential in Keystone V3?

What do you guys think about the idea? What are the cloud operators'/sysadmins' views on that?

* There are also some ongoing thoughts about using v3 for other things in Ironic (e.g. signed URLs), but that's kinda off topic.

[1] https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#create-credential-post-credentials

Ironic bp (discussion): https://blueprints.launchpad.net/ironic/+spec/credentials-keystone-v3
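The optional-reference idea raised in this message, sketched as an added example (not code from Ironic, Keystone, or the author of the post): a node's driver_info either carries inline IPMI credentials or points at a shared credential, so a rotation touches one record. `FakeCredentialStore` is an in-memory stand-in for the /credentials endpoint, `keystone_credential_id` is a hypothetical driver_info key, and all addresses and secrets are constructed.

```python
import json
import uuid

class FakeCredentialStore:
    """In-memory stand-in for a Keystone v3 /credentials store (no network)."""
    def __init__(self):
        self._creds = {}

    def create(self, cred_type, blob, user_id):
        # Same shape as a credential resource: free-form type, opaque string blob.
        cred_id = uuid.uuid4().hex
        self._creds[cred_id] = {"id": cred_id, "type": cred_type,
                                "blob": json.dumps(blob), "user_id": user_id}
        return cred_id

    def update_blob(self, cred_id, blob):
        # One update here is seen by every node that references cred_id.
        self._creds[cred_id]["blob"] = json.dumps(blob)

    def get(self, cred_id):
        return self._creds[cred_id]

def resolve_ipmi_credentials(driver_info, store=None):
    """Return (username, password) from a credential reference or inline values."""
    ref = driver_info.get("keystone_credential_id")  # hypothetical key (assumption)
    if ref is not None:
        if store is None:
            raise ValueError("node references a credential but no store is configured")
        cred = store.get(ref)
        if cred["type"] != "ipmi":
            raise ValueError("credential %s has type %r, expected 'ipmi'" % (ref, cred["type"]))
        blob = json.loads(cred["blob"])
        return blob["username"], blob["password"]
    # Keystone stays optional: fall back to credentials stored on the node.
    return driver_info["ipmi_username"], driver_info["ipmi_password"]

def demo():
    """Three nodes share one credential; a fourth keeps inline values (constructed data)."""
    store = FakeCredentialStore()
    cred_id = store.create("ipmi", {"username": "admin", "password": "old-secret"},
                           user_id="constructed-user-id")
    nodes = [{"ipmi_address": "192.0.2.%d" % i, "keystone_credential_id": cred_id}
             for i in (10, 11, 12)]
    legacy = {"ipmi_address": "192.0.2.20", "ipmi_username": "root",
              "ipmi_password": "inline-secret"}
    # Rotate the shared password once; no node record is modified.
    store.update_blob(cred_id, {"username": "admin", "password": "new-secret"})
    return [resolve_ipmi_credentials(n, store) for n in nodes] + [resolve_ipmi_credentials(legacy)]
```

With references, the node records hold no secret at all, so the access controls and audit trail that matter move to the credential store.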