On Fri, Feb 21, 2014 at 10:24:24AM +0100, Tomas Sedovic wrote: > On 20/02/14 16:24, Imre Farkas wrote: > > On 02/20/2014 03:57 PM, Tomas Sedovic wrote: > >> On 20/02/14 15:41, Radomir Dopieralski wrote: > >>> On 20/02/14 15:00, Tomas Sedovic wrote: > >>> > >>>> Are we even sure we need to store the passwords in the first place? All > >>>> this encryption talk seems very premature to me. > >>> > >>> How are you going to redeploy without them? > >>> > >> > >> What do you mean by redeploy? > >> > >> 1. Deploy a brand new overcloud, overwriting the old one > >> 2. Updating the services in the existing overcloud (i.e. image updates) > >> 3. Adding new machines to the existing overcloud > >> 4. Autoscaling > >> 5. Something else > >> 6. All of the above > >> > >> I'd guess each of these have different password workflow requirements. > > > > I am not sure if all these use cases have different password > > requirement. If you check devtest, no matter whether you are creating or > > just updating your overcloud, all the parameters have to be provided for > > the heat template: > > https://github.com/openstack/tripleo-incubator/blob/master/scripts/devtest_overcloud.sh#L125 > > > > > > I would rather not require the user to enter 5/10/15 different passwords > > every time Tuskar updates the stack. I think it's much better to > > autogenerate the passwords for the first time, provide an option to > > override them, then save and encrypt them in Tuskar. So +1 for designing > > a proper system for storing the passwords. > > Well if that is the case and we can't change the templates/heat to > change that, the secrets should be put in Keystone or at least go > through Keystone. Or use Barbican or whatever. > > We shouldn't be implementing crypto in Tuskar.
+1 > > > > > Imre > > > > _______________________________________________ > > OpenStack-dev mailing list > > OpenStack-dev@lists.openstack.org > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Petr Blaho, pbl...@redhat.com Software Engineer _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
