[openstack-dev] [keystone] Upcoming Deadlines
Adam Heczko
aheczko at mirantis.com
Tue Dec 12 01:08:54 UTC 2017
Thanks Lance for a comprehensive summary.
However I'm bit puzzled with application credentials spec, specifically
with the sentence 'This model, while convenient for keystone,
increases the risk of account compromise by requiring the distribution of
unencrypted passwords.'
My personal preference for securing OS cloud credentials is to leverage
X.509/PKI rather than username and password.
X.509 authN plugin is available since some time ago [4] and I'd really
appreciate if Keystone team could explain how app credentials will interact
with existing (e.g. x.509) authN plugin in federated scenario. How role
assignment derived from federation mapping (and x.509 certificate) is going
to interact with application credentials?
This is important for me since I received a lot of complains about clear
text passwords and typically my recommendation is to mitigate it with said
x.509 approach.
[4] https://review.openstack.org/#/c/283905/16
[5]
https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html
On Mon, Dec 11, 2017 at 11:37 PM, Lance Bragstad <lbragstad at gmail.com>
wrote:
> Sending out a gentle reminder that feature proposal freeze will be next
> week. It looks like all possible features are in flight based on the
> current state of the specs repository. The only exception is the unified
> limit specification, which was rebased and passing today [0].
>
> Thanks!
>
> [0] https://review.openstack.org/#/c/455709/
>
> On 11/20/2017 11:25 AM, Lance Bragstad wrote:
> > Sending out a reminder that we have a couple deadlines approaching.
> >
> > First, *specification* *freeze* is *two weeks away*. Here is a short
> > list of things we've committed to but need the specification to merge:
> >
> > - Unified Limits API [0]
> > - Application Credentials [1]
> > - System Scope [2]
> > - Scope Types [3]
> >
> > These reviews should take priority.
> >
> > Second, *feature* *proposal* *freeze* is *four weeks away*. Remember
> > that this deadline falls earlier than last release due to the holiday
> > season. So far, only application credentials and unified limits are
> > missing proposed implementations. Again, these are just proposals.
> > Feature freeze is January 26th.
> >
> > If you have spare cycles and want to tag-team one of these efforts
> > with an existing owner, please don't hesitate to reach out. Let me
> > know if there is anything I've missed. Thanks!
> >
> >
> > [0] https://review.openstack.org/#/c/455709/
> > [1] https://review.openstack.org/#/c/512505/
> > [2] https://review.openstack.org/#/c/464763/
> > [3] https://review.openstack.org/#/c/500207/
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
--
Adam Heczko
Security Engineer @ Mirantis Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171212/b2290f10/attachment.html>
More information about the OpenStack-dev
mailing list