[openstack-dev] [Ironic][Keystone] Move drivers credentials to Keystone

Lucas Alvares Gomes lucasagomes at gmail.com
Tue Mar 25 12:23:02 UTC 2014


Hi,

Right now Ironic is responsible for storing the credentials for the
IPMI and SSH drivers (and potentially other drivers in the future). I
wonder if we should delegate this task to Keystone. The Keystone V3 API now
has a /credentials endpoint which would allow us to specify arbitrary types
(not only ec2 anymore) and use it as a credential store[1].

That would avoid further fragmentation of credentials being stored in
different places in OpenStack, and make the management of the credentials
easier (think about a situation where many nodes share the same IPMI
username/password and we need to update it: if this is stored in Keystone
it only needs to be updated there once, because nodes will only hold a
reference to it).

It was also pointed out to me that setting a hard dependency on Keystone V3
might significantly raise the bar for integration with existing clouds*.
So perhaps we should make it optional? In the same way we can specify a
username/password or key_filename for the ssh driver, we could have a
reference to a credential in Keystone V3?

What do you guys think about the idea? What is the cloud operators'/sysadmins'
view on that?

* There are also some ongoing thoughts about using v3 for other things in
Ironic (e.g. signed URLs), but that's kinda off topic.

[1]
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#create-credential-post-credentials
Ironic bp (discussion):
https://blueprints.launchpad.net/ironic/+spec/credentials-keystone-v3
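
An added sketch of the proposal above, not part of the original post and not Ironic or Keystone code: nodes hold only a reference to a credential, with inline values kept as the optional fallback. Assumptions: the driver_info key `ipmi_credential_id`, the credential type label `ipmi`, and the in-memory dict standing in for Keystone's /v3/credentials endpoint are all hypothetical; this example also requires both inline values when no reference is set.

```python
import json

# Constructed stand-in for Keystone's /v3/credentials store (id -> credential).
KEYSTONE = {}

def credential_body(user_id, project_id, cred_type, secret):
    """Request body for POST /v3/credentials; the blob is a JSON string."""
    return {"credential": {"type": cred_type, "user_id": user_id,
                           "project_id": project_id,
                           "blob": json.dumps(secret)}}

def store_credential(cred_id, body):
    """Stand-in for creating or updating a credential under a known id."""
    KEYSTONE[cred_id] = body["credential"]

def fetch_credential(cred_id):
    """Stand-in for GET /v3/credentials/{credential_id}."""
    return KEYSTONE[cred_id]

def resolve_ipmi_credentials(driver_info, fetch=fetch_credential):
    """Return (username, password) from a Keystone reference or inline values."""
    ref = driver_info.get("ipmi_credential_id")  # hypothetical key
    inline = {k for k in ("ipmi_username", "ipmi_password") if k in driver_info}
    if ref and inline:
        # Refuse ambiguous nodes so a stale inline secret cannot linger unnoticed.
        raise ValueError("set a credential reference or inline values, not both")
    if ref:
        cred = fetch(ref)
        if cred["type"] != "ipmi":
            raise ValueError("credential %s is not of type 'ipmi'" % ref)
        blob = json.loads(cred["blob"])
        return blob["username"], blob["password"]
    if inline != {"ipmi_username", "ipmi_password"}:
        raise ValueError("node has no usable IPMI credentials")
    return driver_info["ipmi_username"], driver_info["ipmi_password"]

def rotate_demo():
    """Two nodes share one reference; a single update in the store reaches both."""
    nodes = [{"ipmi_address": "192.0.2.10", "ipmi_credential_id": "cred-1"},
             {"ipmi_address": "192.0.2.11", "ipmi_credential_id": "cred-1"}]
    store_credential("cred-1", credential_body(
        "u1", "p1", "ipmi", {"username": "admin", "password": "old-secret"}))
    before = [resolve_ipmi_credentials(n) for n in nodes]
    store_credential("cred-1", credential_body(
        "u1", "p1", "ipmi", {"username": "admin", "password": "new-secret"}))
    after = [resolve_ipmi_credentials(n) for n in nodes]
    return before, after
```
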