<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <br>
    <br>
    <div class="moz-cite-prefix">On 12/11/2017 07:08 PM, Adam Heczko
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAJciqMynvk1NN5geMf8z+A6fSX=jaQ0=w=Y2opigGTyZ8Cf+8g@mail.gmail.com">
      <div dir="ltr">Thanks Lance for a comprehensive summary.
        <div>However I'm bit puzzled with application credentials spec,
          specifically with the sentence 'This model, while convenient
          for keystone,</div>
        <div>increases the risk of account compromise by requiring the
          distribution of unencrypted passwords.'</div>
        <div>My personal preference for securing OS cloud credentials is
          to leverage X.509/PKI rather than username and password.</div>
        <div>X.509 authN plugin is available since some time ago [4] and
          I'd really appreciate if Keystone team could explain how app
          credentials will interact with existing (e.g. x.509) authN
          plugin in federated scenario. How role assignment derived from
          federation mapping (and x.509¬†certificate) is going to
          interact with application credentials?</div>
        <div>
          <div>This is important for me since I received a lot of
            complains about clear text passwords and typically my
            recommendation is to mitigate it with said x.509 approach.</div>
        </div>
      </div>
    </blockquote>
    As far as the application credentials implementation goes, there
    will still be an ID and a secret that needs to be used when
    authenticating. So if you have requirements around plaintext
    passwords in service configuration files, you might still have that
    concern with application credentials since the secret is essentially
    the password.<br>
    <br>
    We have had a few sessions with oslo [0] about the storage of
    passwords in configuration files that might be relevant to you
    though (if I'm understanding correctly).<br>
    <br>
    [0]
<a class="moz-txt-link-freetext" href="http://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html">http://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html</a><br>
    <br>
    <blockquote type="cite"
cite="mid:CAJciqMynvk1NN5geMf8z+A6fSX=jaQ0=w=Y2opigGTyZ8Cf+8g@mail.gmail.com">
      <div dir="ltr">
        <div><br>
        </div>
        <div>[4] <a href="https://review.openstack.org/#/c/283905/16"
            moz-do-not-send="true">https://review.openstack.org/#/c/283905/16</a><br>
        </div>
        <div>[5]¬†<a
href="https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html"
            moz-do-not-send="true">https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html</a></div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Dec 11, 2017 at 11:37 PM, Lance
          Bragstad <span dir="ltr"><<a
              href="mailto:lbragstad@gmail.com" target="_blank"
              moz-do-not-send="true">lbragstad@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Sending
            out a gentle reminder that feature proposal freeze will be
            next<br>
            week. It looks like all possible features are in flight
            based on the<br>
            current state of the specs repository. The only exception is
            the unified<br>
            limit specification, which was rebased and passing today
            [0].<br>
            <br>
            Thanks!<br>
            <br>
            [0] <a href="https://review.openstack.org/#/c/455709/"
              rel="noreferrer" target="_blank" moz-do-not-send="true">https://review.openstack.org/#<wbr>/c/455709/</a><br>
            <span class=""><br>
              On 11/20/2017 11:25 AM, Lance Bragstad wrote:<br>
              > Sending out a reminder that we have a couple
              deadlines approaching.<br>
              ><br>
            </span>> First, *specification* *freeze* is *two weeks
            away*. Here is a short<br>
            <span class="">> list of things we've committed to but
              need the specification to merge:<br>
              ><br>
              > - Unified Limits API [0]<br>
              > - Application Credentials [1]<br>
              > - System Scope [2]<br>
              > - Scope Types [3]<br>
              ><br>
              > These reviews should take priority.<br>
              ><br>
            </span>> Second, *feature* *proposal* *freeze* is *four
            weeks away*. Remember<br>
            <span class="">> that this deadline falls earlier than
              last release due to the holiday<br>
              > season. So far, only application credentials and
              unified limits are<br>
              > missing proposed implementations. Again, these are
              just proposals.<br>
              > Feature freeze is January 26th.<br>
              ><br>
              > If you have spare cycles and want to tag-team one of
              these efforts<br>
              > with an existing owner, please don't hesitate to
              reach out. Let me<br>
              > know if there is anything I've missed. Thanks!<br>
              ><br>
              ><br>
              > [0] <a
                href="https://review.openstack.org/#/c/455709/"
                rel="noreferrer" target="_blank" moz-do-not-send="true">https://review.openstack.org/#<wbr>/c/455709/</a><br>
              > [1] <a
                href="https://review.openstack.org/#/c/512505/"
                rel="noreferrer" target="_blank" moz-do-not-send="true">https://review.openstack.org/#<wbr>/c/512505/</a><br>
              > [2] <a
                href="https://review.openstack.org/#/c/464763/"
                rel="noreferrer" target="_blank" moz-do-not-send="true">https://review.openstack.org/#<wbr>/c/464763/</a><br>
              > [3] <a
                href="https://review.openstack.org/#/c/500207/"
                rel="noreferrer" target="_blank" moz-do-not-send="true">https://review.openstack.org/#<wbr>/c/500207/</a><br>
              <br>
              <br>
            </span>______________________________<wbr>______________________________<wbr>______________<br>
            OpenStack Development Mailing List (not for usage questions)<br>
            Unsubscribe: <a
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
              rel="noreferrer" target="_blank" moz-do-not-send="true">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
            <a
              href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
              rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature" data-smartmail="gmail_signature">
          <div dir="ltr">
            <div
              style="color:rgb(136,136,136);font-size:12.8000001907349px">Adam
              Heczko</div>
            <div
              style="color:rgb(136,136,136);font-size:12.8000001907349px">Security
              Engineer @ Mirantis Inc.</div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>