On 05/04/2015 10:37 PM, Rich Megginson wrote:
I'm starting to think about some sort of credentials vault. You store
credentials in it and you tell your resource to use that specific
credentials. You then no longer need to pass around 6-7
variables/parameters.

I'm sure Adam Young has some ideas about this . .
poof, and the devil appears.

OK, the Keystone setup info is three distinct things:

1. Who you are (username and password)
2. Where you start the process (auth_url)
3. Scope (project)


Both 1 and 3 are further namespace scoped by domain.

Passwords are Bad. BADBADBAD. In Liberty, we have a work in progress to do tokenless operations using X509 based certificates.

https://review.openstack.org/#/c/156870/

Ideally we would do something like this.

For those of you that hate X509 (I know you are out there seething) we don't have a naked SSH Key based way to authenticate to Keystone. Sorry.

We also have Kerberos.

I don't think I would want to put all of these in a vault. I could, however, see standardizing a config file setup for the clients where OS_AUTH_URL is defined at /etc/openrc.conf and the other values at ~/.openrc. One nice thing to add there would be the auth plugin used, and that would allow for Kerberos, X509, Password, or whatever. The CLI could then take --conf= as an override.



We might need to work on the file names.


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
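The layered client configuration proposed in the message above, sketched as an added example; it is not part of the original post and not code from any OpenStack client. It assumes `KEY=value` files, that `--conf` replaces the per-user file, and hypothetical plugin labels (`password`, `kerberos`, `x509`) with assumed required keys. It refuses a per-user file that holds a password but is readable by group or others.

```python
import os
import stat

# Assumptions: plugin labels and their required keys are illustrative,
# not Keystone's actual plugin names or option sets.
REQUIRED = {
    "password": {"OS_USERNAME", "OS_PASSWORD", "OS_PROJECT_NAME"},
    "kerberos": {"OS_PROJECT_NAME"},
    "x509": {"OS_CERT", "OS_KEY", "OS_PROJECT_NAME"},
}
SECRET_KEYS = {"OS_PASSWORD"}


def parse(path):
    """Parse KEY=value lines, skipping blanks and # comments."""
    conf = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                conf[key.strip()] = value.strip()
    return conf


def load(system_path, user_path, override=None):
    """Merge the system file with the per-user file (or the --conf override)."""
    conf = parse(system_path)          # e.g. /etc/openrc.conf: OS_AUTH_URL
    personal = override or user_path   # e.g. ~/.openrc, or the --conf value
    values = parse(personal)
    mode = stat.S_IMODE(os.stat(personal).st_mode)
    # A file carrying a password must be private to its owner.
    if SECRET_KEYS & set(values) and mode & 0o077:
        raise PermissionError(f"{personal} holds a secret but has mode {mode:o}")
    conf.update(values)
    plugin = conf.get("OS_AUTH_TYPE", "password")
    if plugin not in REQUIRED:
        raise ValueError(f"unknown auth plugin: {plugin}")
    missing = ({"OS_AUTH_URL"} | REQUIRED[plugin]) - set(conf)
    if missing:
        raise ValueError(f"{plugin}: missing {sorted(missing)}")
    return conf
```

With a plugin that needs no stored secret, the per-user file can stay world-readable and the permission check never fires.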
