[openstack-dev] [keystone] Upcoming Deadlines

Lance Bragstad lbragstad at gmail.com
Tue Dec 12 16:41:30 UTC 2017



On 12/11/2017 07:08 PM, Adam Heczko wrote:
> Thanks Lance for a comprehensive summary.
> However I'm bit puzzled with application credentials spec,
> specifically with the sentence 'This model, while convenient for keystone,
> increases the risk of account compromise by requiring the distribution
> of unencrypted passwords.'
> My personal preference for securing OS cloud credentials is to
> leverage X.509/PKI rather than username and password.
> X.509 authN plugin is available since some time ago [4] and I'd really
> appreciate if Keystone team could explain how app credentials will
> interact with existing (e.g. x.509) authN plugin in federated
> scenario. How role assignment derived from federation mapping (and
> x.509 certificate) is going to interact with application credentials?
> This is important for me since I received a lot of complains about
> clear text passwords and typically my recommendation is to mitigate it
> with said x.509 approach.
As far as the application credentials implementation goes, there will
still be an ID and a secret that needs to be used when authenticating.
So if you have requirements around plaintext passwords in service
configuration files, you might still have that concern with application
credentials since the secret is essentially the password.

We have had a few sessions with oslo [0] about the storage of passwords
in configuration files that might be relevant to you though (if I'm
understanding correctly).

[0]
http://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html

>
> [4] https://review.openstack.org/#/c/283905/16
> [5] https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html
>
> On Mon, Dec 11, 2017 at 11:37 PM, Lance Bragstad <lbragstad at gmail.com
> <mailto:lbragstad at gmail.com>> wrote:
>
>     Sending out a gentle reminder that feature proposal freeze will be
>     next
>     week. It looks like all possible features are in flight based on the
>     current state of the specs repository. The only exception is the
>     unified
>     limit specification, which was rebased and passing today [0].
>
>     Thanks!
>
>     [0] https://review.openstack.org/#/c/455709/
>     <https://review.openstack.org/#/c/455709/>
>
>     On 11/20/2017 11:25 AM, Lance Bragstad wrote:
>     > Sending out a reminder that we have a couple deadlines approaching.
>     >
>     > First, *specification* *freeze* is *two weeks away*. Here is a short
>     > list of things we've committed to but need the specification to merge:
>     >
>     > - Unified Limits API [0]
>     > - Application Credentials [1]
>     > - System Scope [2]
>     > - Scope Types [3]
>     >
>     > These reviews should take priority.
>     >
>     > Second, *feature* *proposal* *freeze* is *four weeks away*. Remember
>     > that this deadline falls earlier than last release due to the holiday
>     > season. So far, only application credentials and unified limits are
>     > missing proposed implementations. Again, these are just proposals.
>     > Feature freeze is January 26th.
>     >
>     > If you have spare cycles and want to tag-team one of these efforts
>     > with an existing owner, please don't hesitate to reach out. Let me
>     > know if there is anything I've missed. Thanks!
>     >
>     >
>     > [0] https://review.openstack.org/#/c/455709/
>     <https://review.openstack.org/#/c/455709/>
>     > [1] https://review.openstack.org/#/c/512505/
>     <https://review.openstack.org/#/c/512505/>
>     > [2] https://review.openstack.org/#/c/464763/
>     <https://review.openstack.org/#/c/464763/>
>     > [3] https://review.openstack.org/#/c/500207/
>     <https://review.openstack.org/#/c/500207/>
>
>
>     __________________________________________________________________________
>     OpenStack Development Mailing List (not for usage questions)
>     Unsubscribe:
>     OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>     <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>     <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
>
>
>
>
> -- 
> Adam Heczko
> Security Engineer @ Mirantis Inc.
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171212/91fef181/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171212/91fef181/attachment.sig>


More information about the OpenStack-dev mailing list