On Wed, Aug 29, 2018 at 1:16 PM Waines, Greg <greg.wai...@windriver.com> wrote:
> Makes sense.
>
> So what is the recommended upstream approach for securely storing user
> passwords in keystone ?

Keystone will hash passwords before persisting them in their own table. Encrypted passwords are never stored.

> Is that what is being described here ?
> https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html

This is a separate mechanism for storing secrets, not necessarily passwords (although I agree the term credentials automatically makes people assume passwords). This is used if consuming keystone's native MFA implementation. For example, storing a shared secret between the user and keystone that is provided as an additional authentication method along with a username and password combination.

> Greg.
>
> *From: *Juan Antonio Osorio Robles <jaosor...@redhat.com>
> *Reply-To: *"openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
> *Date: *Wednesday, August 29, 2018 at 2:00 PM
> *To: *"openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
> *Subject: *Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?
>
> This is not the case. Barbican requires users and systems that use it to
> use keystone for authentication. So keystone can't use Barbican for this.
> Chicken and egg problem.
>
> On 08/29/2018 08:08 PM, Waines, Greg wrote:
>
> My understanding is that Keystone can be configured to use Barbican to
> securely store user passwords.
>
> Is this true ?
>
> If yes, is this the standard / recommended / upstream way to securely
> store Keystone user passwords ?
>
> If yes, I can’t find any descriptions of how this is configured ?
>
> Can someone provide some pointers ?
>
> Greg.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
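An added illustration of the distinction drawn in the reply above, not code from the thread or from keystone: a password can be verified against a one-way salted hash, while a shared MFA secret has to be recoverable by the server, which is why it needs a separate encrypted store. It assumes RFC 6238 TOTP as the shared-secret method and uses PBKDF2-SHA512 as a stand-in password hash; every name and sample value is constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values (the TOTP secret is the RFC 6238 test secret).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_TOTP_SECRET = b"12345678901234567890"


def hash_password(password, salt=None):
    """One-way salted hash; only (salt, digest) would be persisted."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-derive from the submitted password; the original is never needed."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). Computing it requires the secret itself."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def verify_totp(stored_secret, submitted_code, unix_time):
    return hmac.compare_digest(totp(stored_secret, unix_time), submitted_code)


def demo(unix_time=59):
    salt, digest = hash_password(SAMPLE_PASSWORD)
    client_code = totp(SAMPLE_TOTP_SECRET, unix_time)  # what the user's device shows
    # If the server kept only a hash of the secret, it could not reproduce the code.
    hashed_secret = hashlib.sha256(SAMPLE_TOTP_SECRET).digest()
    return {
        "password_ok": verify_password(SAMPLE_PASSWORD, salt, digest),
        "totp_recoverable_secret": verify_totp(SAMPLE_TOTP_SECRET, client_code, unix_time),
        "totp_hashed_secret": verify_totp(hashed_secret, client_code, unix_time),
    }


if __name__ == "__main__":
    print(demo())
```
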