On Wed, Aug 29, 2018 at 1:16 PM Waines, Greg <[email protected]> wrote:
> Makes sense.
>
> So what is the recommended upstream approach for securely storing user
> passwords in keystone ?

Keystone will hash passwords before persisting them in their own table. Encrypted passwords are never stored.

> Is that what is being described here ?
> https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html

This is a separate mechanism for storing secrets, not necessarily passwords (although I agree the term credentials automatically makes people assume passwords). This is used if consuming keystone's native MFA implementation. For example, storing a shared secret between the user and keystone that is provided as an additional authentication method along with a username and password combination.

> Greg.
>
> *From: *Juan Antonio Osorio Robles <[email protected]>
> *Reply-To: *"[email protected]" <[email protected]>
> *Date: *Wednesday, August 29, 2018 at 2:00 PM
> *To: *"[email protected]" <[email protected]>
> *Subject: *Re: [openstack-dev] [keystone] [barbican] Keystone's use of
> Barbican ?
>
> This is not the case. Barbican requires users and systems that use it to
> use keystone for authentication. So keystone can't use Barbican for this.
> Chicken and egg problem.
>
> On 08/29/2018 08:08 PM, Waines, Greg wrote:
>
> My understanding is that Keystone can be configured to use Barbican to
> securely store user passwords.
>
> Is this true ?
>
> If yes, is this the standard / recommended / upstream way to securely
> store Keystone user passwords ?
>
> If yes, I can’t find any descriptions of this is configured ?
>
> Can someone provide some pointers ?
>
> Greg.
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
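
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not keystone's code: a password can be verified from a one-way hash, while a shared MFA secret has to be recoverable by the server, which is why it goes through a separate encrypted store. PBKDF2 stands in for the password hash and an RFC 6238 TOTP code stands in for the shared-secret method; both choices, the function names and the work factor are assumptions of this sketch.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 100_000  # assumed work factor for this sketch

def hash_password(password: str) -> bytes:
    """One-way storage: random salt + PBKDF2 digest. The password is not recoverable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest

def verify_password(stored: bytes, candidate: str) -> bool:
    """Re-derive from the candidate and compare; only the hash is ever needed."""
    salt, digest = stored[:16], stored[16:]
    check = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, check)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1). Computing it requires the raw shared secret."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30) -> bool:
    """Accept the current or the previous time step to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret, max(at - drift, 0), step), submitted)
        for drift in (0, step)
    )

if __name__ == "__main__":
    stored = hash_password("correct horse")   # constructed sample password
    print(verify_password(stored, "correct horse"), verify_password(stored, "wrong"))
    secret = b"12345678901234567890"          # RFC 6238 test secret
    print(totp(secret, 59), verify_totp(secret, "287082", 60))
```

A server holding only a hash of `secret` could not call `totp()`, so the secret must be stored in a form it can decrypt at authentication time.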
