On 03/23/2016 11:46 AM, Tim Bell wrote:
We use Kerberos and X.509 in Keystone V3 for the end users.

It works very nicely (although the python client-* CLIs often do not support it so you have to use the openstack OSC CLI)

I'm personally in favor of moving toward a Federated approach using Kerberos, LDAP, mod_lookup_identity, and sssd.

http://adam.younglogic.com/2015/03/key-fed-lookup-redux/


Probably the biggest benefit is that you then have the same setup for your Keystone server as you would do for all of the applications running in the cloud.

It also means I don't have to troubleshoot nasty LDAP Keystone configs for people. Nasty Hobbitses.



Tim

From: Mike Smith <mism...@overstock.com>
Date: Wednesday 23 March 2016 at 16:28
To: openstack <openstack@lists.openstack.org>
Subject: Re: [Openstack] password in clear text

    Piggybacking on this question, I also would like to know if there
    is a solution to prevent storing passwords in the various service
    config files. We store our configs in subversion, and I hate
    that I have those passwords in there.

    Mike Smith
    Lead Cloud Systems Architect
    Overstock.com



    On Mar 23, 2016, at 9:04 AM, Jagga Soorma <jagg...@gmail.com> wrote:

    Hi Guys,

    Currently when using the openstack api I have to save my password
    in clear text in the OS_PASSWORD environment variable.  Is there
    a more secure way to use the openstack api without having to
    either store this password in clear text or enter the password
    manually every time I run an openstack command?  Is there some way
    that I can use a token id?  I have tried but can't seem to get it
    to work and not sure what else is possible.

    Thanks in advance for your help with this.
    _______________________________________________
    Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
    Post to     : openstack@lists.openstack.org
    Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


