[Openstack] password in clear text

Adam Young ayoung at redhat.com
Wed Mar 23 20:35:26 UTC 2016


On 03/23/2016 11:46 AM, Tim Bell wrote:
> We use Kerberos and X.509 in Keystone V3 for the end users.
>
> It works very nicely (although the python client-* CLIs often do not 
> support it so you have to use the openstack OSC CLI)

I'm personally in favor of moving toward a Federated approach using 
Kerberos, LDAP, mod_lookup_identity, and sssd.

http://adam.younglogic.com/2015/03/key-fed-lookup-redux/


Probably the biggest benefit is that you then have the same setup for 
your Keystone server as you would do for all of the applications running 
in the cloud.

It also means I don't have to troubleshoot nasty LDAP Keystone configs 
for people. Nasty Hobbitses.


>
> Tim
>
> From: Mike Smith <mismith at overstock.com>
> Date: Wednesday 23 March 2016 at 16:28
> To: openstack <openstack at lists.openstack.org>
> Subject: Re: [Openstack] password in clear text
>
>     Piggybacking on this question, I also would like to know if there
>     is a solution to prevent storing passwords in the various service
>     config files.   We store our configs in subversion, and I hate
>     that I have those passwords in there.
>
>     Mike Smith
>     Lead Cloud Systems Architect
>     Overstock.com
>
>
>
>>     On Mar 23, 2016, at 9:04 AM, Jagga Soorma <jagga13 at gmail.com> wrote:
>>
>>     Hi Guys,
>>
>>     Currently when using the openstack api I have to save my password
>>     in clear text in the OS_PASSWORD environment variable.  Is there
>>     a more secure way to use the openstack api without having to
>>     either store this password in clear text or enter the password
>>     manually every time I run an openstack command?  Is there some way
>>     that I can use a token id?  I have tried but can't seem to get it
>>     to work and not sure what else is possible.
>>
>>     Thanks in advance for your help with this.
>>     _______________________________________________
>>     Mailing list:
>>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>     Post to     : openstack at lists.openstack.org
>>     Unsubscribe :
>>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>