[Openstack] PKI Issue vs UUID
Shinobu Kinjo
skinjo at redhat.com
Mon Sep 21 02:17:54 UTC 2015
Fernet tokens sound like they are not persistent and do not carry too much information.
Meaning that they sound more secure than UUID and PKI.
And performance-wise, they are also going to be more reasonable than them.
It's because of fewer processes for user validation. And deployment doesn't look difficult.
Everything sounds pretty good.
But there would be a problematic activity, key rotation.
And keystone itself still has token file[s], /etc/keystone/fernet-keys/.
It potentially causes a huge security issue.
"./doc/source/configuration.rst" implies this.
Is there, or would there be, a further workaround for those tokens to deal with any user information securely and safely?
Shinobu
----- Original Message -----
From: "Adam Young" <ayoung at redhat.com>
To: openstack at lists.openstack.org
Sent: Monday, September 21, 2015 12:02:30 AM
Subject: Re: [Openstack] PKI Issue vs UUID
On 09/19/2015 03:52 PM, Remo Mattei wrote:
> Hello all,
>
> I have noticed that when I do the RDO installation of Kilo with the UUID and login with the admin account, I can select which project to spin up new instances and also which project to select from the pull down menu. If I do the same installation using packstack and change the keystone from UUID to PKI, I cannot select any of those options.
Stick with UUID. There are enough issues with PKI that you should not
use them.
Fernet tokens are coming, and will help with horizontal scalability.
>
> Has anyone seen this issue? I notice that there was a bug going on a while back but I thought that would have been fixed by now.
>
> Thanks for any tips on how to go by this.
>
> Remo
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
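
A read-only audit of the key directory named in the top message (/etc/keystone/fernet-keys/), as an added example that is not part of the thread or of keystone's own code. It assumes keystone's repository layout of integer-named key files (0 is the staged key, the highest index is the primary key), each holding a 32-byte url-safe base64 key; `audit_key_repo` and `demo` are hypothetical names and the keys in `demo` are constructed.

```python
import base64
import os
import stat
import tempfile


def audit_key_repo(path):
    """Return a list of (name, problem) findings for a Fernet key directory."""
    findings = []
    # The directory itself must not be accessible to group or other.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append((".", "directory accessible to group/other"))
    indexes = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not name.isdecimal():
            findings.append((name, "unexpected file (key files are integer-named)"))
            continue
        indexes.append(int(name))
        if stat.S_IMODE(os.stat(full).st_mode) & 0o077:
            findings.append((name, "key readable by group/other"))
        try:
            with open(full, "rb") as fh:
                key = base64.urlsafe_b64decode(fh.read().strip())
        except ValueError:  # binascii.Error is a ValueError subclass
            key = b""
        if len(key) != 32:
            findings.append((name, "not a 32-byte url-safe base64 Fernet key"))
    if 0 not in indexes:
        findings.append(("0", "staged key missing"))
    if not any(i > 0 for i in indexes):
        findings.append((".", "no primary key (index > 0)"))
    return findings


def demo():
    """Build a constructed repository with one over-permissive key and audit it."""
    repo = tempfile.mkdtemp()
    os.chmod(repo, 0o700)
    for name, mode in (("0", 0o600), ("1", 0o600), ("2", 0o644)):
        full = os.path.join(repo, name)
        with open(full, "wb") as fh:
            fh.write(base64.urlsafe_b64encode(os.urandom(32)))  # constructed key
        os.chmod(full, mode)
    return audit_key_repo(repo)


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

Run against the real directory as the keystone user (or root) with `audit_key_repo("/etc/keystone/fernet-keys/")`; an empty list means no findings.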