Open Stack

Sweet thx all :-)

This is great and a step forward…

https://blueprints.launchpad.net/openstack-common/+spec/pw-keyrings

Now just to get it into those config files to use something similar (no passwords in those pweeease…)

-Josh

From: Bhuvaneswaran A <bhuvan at apache.org<mailto:bhuvan at apache.org>>
Date: Wednesday, August 22, 2012 4:15 PM
To: Adam Young <ayoung at redhat.com<mailto:ayoung at redhat.com>>
Cc: openstack <openstack at lists.launchpad.net<mailto:openstack at lists.launchpad.net>>
Subject: Re: [Openstack] Keyring support in openstack



On Mon, Jul 30, 2012 at 5:48 PM, Adam Young <ayoung at redhat.com<mailto:ayoung at redhat.com>> wrote:
On 07/30/2012 06:00 PM, Doug Hellmann wrote:


On Mon, Jul 30, 2012 at 5:30 PM, Adam Young <ayoung at redhat.com<mailto:ayoung at redhat.com>> wrote:
On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
The wiki mentions the password being saved using
keyring.backend.UncryptedFileKeyring. Does that mean the password is
saved
in cleartext? Is the file protected in some way besides filesystem
permissions?
As mentioned in wiki page, the password is stored in base64 format.
Which means it's stored in cleartext.  That is Not Good(tm) :)
Can Keyring be used to store a token instead?  That would A)  be better than password and B)  avoid a Keystone hit.

Don't tokens expire?


Yes, they do, but that is no reason not to put them in the keyring,

With the PKI tokens,  you will be able to query a token's expiry without going across the wire.

Adam, can you please file a ticket to use keyring to store tokens for keystone? I'll work on it.
--
Regards,
Bhuvaneswaran A
www.livecipher.com<http://www.livecipher.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20120822/063e4568/attachment.html>