[openstack-dev] [puppet][operators] How to specify Keystone v3 credentials?
Adam Young
ayoung at redhat.com
Tue May 5 16:05:15 UTC 2015
On 05/04/2015 10:37 PM, Rich Megginson wrote:
>> I'm starting to think about some sort of credentials vault. You store
>> credentials in it and you tell your resource to use that specific
>> credentials. You then no longer need to pass around 6-7
>> variables/parameters.
>
> I'm sure Adam Young has some ideas about this . .
poof, and the devil appears.
OK, the Keystone setup info is three distinct things:
1. Who you are (username and password)
2. Where you start the process (auth_url)
3. Scope. (project)
Both 1 and 3 are further namespace scoped by domain.
Passwords are Bad. BADBADBAD. In Liberty, we have a work in progress to
do tokenless operations using X509 based certificates.
https://review.openstack.org/#/c/156870/
Ideally we would do something like this.
For those of you that hate X509 (I know you are out there seething) we
don't have a naked SSH Key based way to authenticate to Keystone. Sorry.
We also have Kerberos.
I don't think I would want to put all of these in a vault. I could,
however, see standardizing a config file setup for the clients where
OS_AUTH_URL is defined at /etc/openrc.conf and the other values at
~/.openrc. One nice thing to add there would be the auth plugin used,
and that would allow for Kerberos, X509, Password, or whatever. The CLI
could then take --conf= as an override.
We might need to work on the file names.
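
The layered client configuration proposed in the message above, sketched as an added example that is not part of the original message or of any OpenStack client. It assumes KEY=value files, an OS_AUTH_PLUGIN key naming the plugin, the per-plugin required keys shown, and a permission check on any file that holds OS_PASSWORD; the message specifies none of these.

```python
import os
import stat

# Assumed per-plugin required keys; the message only names the plugin kinds.
REQUIRED = {
    "password": {"OS_USERNAME", "OS_PASSWORD"},
    "kerberos": set(),
    "x509": set(),
}
SECRET_KEYS = {"OS_PASSWORD"}


def parse_openrc(text):
    """Parse KEY=value lines (assumed format); skip blanks and # comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not KEY=value: {raw!r}")
        values[key.strip()] = value.strip().strip('"\'')
    return values


def read_layer(path):
    """Read one layer; refuse a secret-bearing file readable by group/other."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        mode = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        values = parse_openrc(fh.read())
    if SECRET_KEYS & values.keys() and mode & 0o077:
        raise PermissionError(f"{path} holds a secret but has mode {mode:o}")
    return values


def load_credentials(system_path, user_path, conf_override=None):
    """Merge layers: system file, then user file, then the --conf= file."""
    merged = {}
    for path in (system_path, user_path, conf_override):
        if path:
            merged.update(read_layer(path))
    plugin = merged.get("OS_AUTH_PLUGIN", "password")  # assumed default
    if plugin not in REQUIRED:
        raise ValueError(f"unknown auth plugin {plugin!r}")
    missing = (REQUIRED[plugin] | {"OS_AUTH_URL"}) - merged.keys()
    if missing:
        raise ValueError(f"{plugin}: missing {sorted(missing)}")
    return merged
```

With the kerberos or x509 plugin selected, the merged result needs no password at all, so the per-user file can stay free of secrets.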