The current username/password authentication mechanism is not the best security
practice. However, assuming there is a point to point secure channel, the risk
of password exposure can be contained. In addition to that, one can always
choose external authentication plugged with Keystone e.g., your own middleware
in the pipeline or Kerberos (not fully functional yet). Some hints are
provided in the Keystone guideline:
http://docs.openstack.org/developer/keystone/external-auth.html
On Wednesday, February 5, 2014 12:25 PM, "Clark, Robert Graham"
<[email protected]> wrote:
On Wed Feb 5 08:34:34 2014, Rob Crittenden wrote:
> Emanuel Marzini wrote:
>> Hi,
>> I have software that uses OpenStack. When it does an action for the
>> first time, it needs to get a token from OpenStack. How is it possible
>> to make a POST request like:
>>
>> '{"auth":{"passwordCredentials":{"username": "joeuser", "password":
>> "secrete"}}}' -H "Content-type: application/json"
>> http://localhost:35357/v2.0/tokens
>>
>> without passing the password in plaintext???
>>
>> Is it possible to use PKI, SSL and so on?
>
> The documentation on this is scant but you can start with something like
> http://docs.openstack.org/developer/keystone/configuration.html
>
> You'll need to create new endpoints for the SSL provider and set
> OS_SERVICE_ENDPOINT to the secure version.
>
> If you want to disable/remove the unsecure ports things get rather
> interesting as you'll need to configure all the other services to use
> this as well. I don't know how well or if that actually works everywhere.
>
> rob
>
You might find some of the guidance from the OpenStack Security Guide
useful too:
http://docs.openstack.org/security-guide/content/ch024_authentication.html
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack