[Openstack] Plaintext password in getCredential token
Emanuel Marzini
jemay86 at gmail.com
Wed Feb 5 15:42:20 UTC 2014
Ok, thanks to all for the replies.
Ok I think I will use ssl. Following this link
http://docs.openstack.org/admin-guide-cloud/content//ch-identity-mgmt-config.html
I understand how i prepare the environment for the authentication.
So, How I can request a token using ssl??
Thak you!
Emanuel
2014-02-05 Shohel Ahmed <shohel_csdu at yahoo.com>:
> The current username/password authentication mechanism is not the best
> security practice. However, assuming there is a point to point secure
> channel, the risk of password exposure can be contained. In addition to
> that, one can always choose external authentication plugged with Keystone
> e.g., your own middleware in the pipeline or Kerberos ( not fully functional
> yet). Some hints are provided in keystone guideline:
> http://docs.openstack.org/developer/keystone/external-auth.html
>
>
> On Wednesday, February 5, 2014 12:25 PM, "Clark, Robert Graham"
> <robert.clark at hp.com> wrote:
> On Wed Feb 5 08:34:34 2014, Rob Crittenden wrote:
>> Emanuel Marzini wrote:
>>> Hi,
>>> I have a software that uses Openstack. When it do an action for the
>>> first time, it need to get a token from Openstack. How it's possible
>>> make a POST request like:
>>>
>>> '{"auth":{"passwordCredentials":{"username": "joeuser", "password":
>>> "secrete"}}}' -H "Content-type: application/json"
>>> http://localhost:35357/v2.0/tokens
>>>
>>> without pass the password in plaintext???
>>>
>>> It's possible use PKI, ssl and so on?
>>
>> The documentation on this is scant but you can start with something like
>> http://docs.openstack.org/developer/keystone/configuration.html
>>
>> You'll need to create new endpoints for the SSL provider and set
>> OS_SERVICE_ENDPOINT to the secure version.
>>
>> If you want to disable/remove the unsecure ports things get rather
>> interesting as you'll need to configure all the other services to use
>> this as well. I don't know how well or if that actually works everywhere.
>>
>> rob
>>
>
> You might find some of the guidance from the OpenStack Security Guide
> useful too:
> http://docs.openstack.org/security-guide/content/ch024_authentication.html
>
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
More information about the Openstack
mailing list