[Openstack] password in clear text

Jagga Soorma jagga13 at gmail.com
Wed Mar 23 17:01:23 UTC 2016


Thanks for your response Tim.  I do have our openstack environment
integrated into AD.  I basically am trying to see if there is an alternative
to storing the password in clear text in an environment variable.  With
kerberos or AD are you saying that we would just get a ticket by
authenticating once and then use that ticket somehow for openstack commands?

Thanks.

On Wed, Mar 23, 2016 at 9:17 AM, Tim Bell <Tim.Bell at cern.ch> wrote:

>
> The difficulty with the environment variables is that the administrator of
> the box you are logged into can read the environment using ps auxwwww.
>
> There has been some work done to support storing all the variables in a
> file (which would be an environment variable) such that the CLIs read from
> the file rather than needing it in the environment. This at least minimises
> the access to the home directory file servers rather than the root admin on
> the box you are using.
>
> Kerberos is very nice, if you have access to an active directory or a
> local kerberos server, it’s worth a look.
>
> Tim
>
>
>
> On 23/03/16 16:40, "CARVER, PAUL" <pc2929 at att.com> wrote:
>
> >Jagga Soorma wrote:
> >
> >>Currently when using the openstack api I have to save my password in clear text in
> >>the OS_PASSWORD environment variable.  Is there a more secure way to use the
> >>openstack api without having to either store this password in clear text or enter the
> >>password manually every time I run an openstack command?  Is there some way that
> >>I can use a token id?  I have tried but can't seem to get it to work and not sure what
> >>else is possible.
> >
> >If the token will allow you to use services and you store the token in clear text then
> >you’ve only managed to rename your password to token without adding any security.
> >
> >What you need to think about is what are you willing to type and when are you willing
> >to type it. I don’t know if anyone has a polished “official” implementation, but a couple
> >of options:
> >
> >1) Configure one of your login scripts to prompt for your OpenStack password and
> >    export it rather than putting it directly in a login script.
> >
> >2) Encrypt your home directory and store your "clear text" password in a file in your
> >     encrypted home directory
> >
> >3) Put your password in a file on a USB flash drive (in an encrypted file if you want
> >     a double layer of security) and create a wrapper script that reads your password
> >     from a fixed location on USB drive when you run a command. (keep the USB drive
> >     in a physical safe when not in use)
> >
> >
>
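
Added example, not part of the thread: a POSIX shell sketch of option 1 in the quoted reply (prompt for the password instead of storing it), together with a check for literal `OS_PASSWORD` assignments left behind in login scripts. The function names `find_cleartext_os_password` and `os_run` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# List literal OS_PASSWORD assignments in the given files, value redacted.
# Assignments taken from a variable or command substitution ($..., `...`)
# are not reported, since they do not store the secret in the file itself.
find_cleartext_os_password() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null forces grep to prefix each hit with the file name.
        grep -nE '^[[:space:]]*(export[[:space:]]+)?OS_PASSWORD="?[^$`"[:space:]]' \
            "$f" /dev/null | sed 's/\(OS_PASSWORD=\).*$/\1<redacted>/'
    done
    return 0
}

# Prompt once (echo disabled on a terminal) and run one command with
# OS_PASSWORD set only in that command's environment. Nothing is written to
# disk or exported into the calling shell. The child process still carries
# the value in its environment while it runs.
# The body is a subshell, so "pw" and the traps never reach the caller.
os_run() (
    if [ -t 0 ]; then
        trap 'stty echo' EXIT          # restore echo however we leave
        trap 'exit 130' INT TERM
        stty -echo
        printf 'OpenStack password: ' >&2
    fi
    IFS= read -r pw || exit 1
    if [ -t 0 ]; then
        stty echo
        printf '\n' >&2
    fi
    trap - EXIT INT TERM
    if [ -z "$pw" ]; then
        echo 'empty password, command not run' >&2
        exit 1
    fi
    OS_PASSWORD=$pw "$@"
)

# Typical use (interactive):
#   find_cleartext_os_password ~/.bashrc ~/.profile ~/openrc
#   os_run openstack server list
```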