Re: [Openstack] Keyring support in openstack
On Sat, 28 Jul 2012, Bhuvaneswaran A wrote:
> Team,
> As per patch https://review.openstack.org/#/c/9497/ we are adding keyring support for openstack client. If password is not specified in command line or environment variable, the user is prompted to enter password. During this time, the password is stored in keyring. During next time, the password is read from keyring, instead of prompt. It is true, if password is not specified in command line or environment variable.
> This behavior is documented in this wiki page: http://wiki.openstack.org/KeyringSupport

I haven't tried this specifically for the openstack client, but when this went into nova, it annoyed me, as I started having to give a password on remote systems every time. For the devstack instances I was working on, I honestly couldn't care less about security, and wanted to not be bothered.

For others looking for something similar, here is the 'keyringrc.cfg' file that you need. Put it either in ~/ or in the current working directory (strange).

--- keyringrc.cfg ---
# This is an example keyringrc.cfg file that allows python-keyring
# to use the UncryptedFileKeyring.
# See /usr/share/doc/python-keyring/README.gz for more info.
#
# Note, this works, but I see the following significant issues with it:
# * python-keyring goes looking for 'keyringrc.cfg' in the current working
#   directory and user's home directory. Note, specifically it does *not*
#   look for ~/.keyringrc.cfg (which would be more common)
# * no environment variable can affect the path read for ~/keyringrc.cfg
#   this means you're stuck with one of the following options if you
#   wanted to somehow maintain that one app (that you do not care about)
#   use UncryptedFileKeyring while all other apps use a different:
#   * keep 'HOME' environment variable set when that app is used to
#     something other than your home. and maintain $HOME/keyringrc.cfg
#   * keep the current working directory when that app is used to a given
#     working directory.
#   I think it'd be much nicer if I could affect this with
#   'PYTHON_KEYRING_CFG'
#   or if the config file had some apt specific stuff.
# * UncryptedFileKeyring writes its data to a file named keyring_pass.cfg
#   in the home directory, and does not pay attention to 'keyring-path'
# * UncryptedFileKeyring laughably creates keyring_pass.cfg its password
#   file with default umask meaning in most cases it is world readable
#
# I've opened bug http://pad.lv/1023433 to track these.
[backend]
default-keyring=keyring.backend.UncryptedFileKeyring
keyring-path=/home/ubuntu/xxx # this is ignored

___
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
Re: [Openstack] Keyring support in openstack
On Thu, Aug 23, 2012 at 7:10 AM, Scott Moser smo...@ubuntu.com wrote:
> .
> [backend]
> default-keyring=keyring.backend.UncryptedFileKeyring
> keyring-path=/home/ubuntu/xxx # this is ignored

As you might already know, the keyring.backend.UncryptedFileKeyring will store the password as in base64 format. If you are concerned about security, but wouldn't wish to enter keyring password, you might use openstackclient.common.openstackkeyring backend. As part of this patch, we have written a keyring backend for openstack to store encrypted password in keyring, without prompting for keyring password.

--
Regards,
Bhuvaneswaran A
www.livecipher.com
Re: [Openstack] Keyring support in openstack
On Mon, Jul 30, 2012 at 5:48 PM, Adam Young ayo...@redhat.com wrote:
> On 07/30/2012 06:00 PM, Doug Hellmann wrote:
>> On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com wrote:
>>> On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
>>>> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>>>>> The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesystem permissions?
>>>>> As mentioned in wiki page, the password is stored in base64 format.
>>>> Which means it's stored in cleartext. That is Not Good(tm) :)
>>> Can Keyring be used to store a token instead? That would A) be better than password and B) avoid a Keystone hit.
>> Don't tokens expire?
> Yes, they do, but that is no reason not to put them in the keyring, With the PKI tokens, you will be able to query a token's expiry without going across the wire.

Adam, can you please file a ticket to use keyring to store tokens for keystone? I'll work on it.

--
Regards,
Bhuvaneswaran A
www.livecipher.com
Re: [Openstack] Keyring support in openstack
On Mon, Jul 30, 2012 at 2:30 PM, Doug Hellmann doug.hellm...@dreamhost.com wrote:
> On Mon, Jul 30, 2012 at 4:51 PM, Bhuvaneswaran A bhu...@apache.org wrote:
>> On Mon, Jul 30, 2012 at 7:46 AM, David Kranz david.kr...@qrclab.com wrote:
>>> I share Doug's concerns but would state some more strongly. IMO, it is simply unacceptable to modify user-visible behavior based on whether some package that happens to be used in an implementation is installed or not. This package is installed on Ubuntu by default and may be used by other applications that have nothing to do with OpenStack at all.
>> Yes, as python-keyring is installed in almost all systems, the behaviour is unchanged.
>>> If we really want to go down this road there should be an environment variable that can be set to turn off this behavior for applications that do not want it.
>> David, good point. I'll revise the patch to not use keyring, if environment variable USE_KEYRING=0. If environment variable is not set or if it is USE_KEYRING=1, then keyring is used to store password.
> How about OS_USE_KEYRING so it is clearer that the variable is related to openstack?

Just to close the loop ...

Doug, thank you for all the review comments. The patch to store encrypted password in keyring, for openstackclient, is merged today: I'll extend this feature to other clients that prompt for password, like keystoneclient.
https://review.openstack.org/#/c/9497/

It's also documented here:
http://wiki.openstack.org/KeyringSupport

--
Regards,
Bhuvaneswaran A
www.livecipher.com
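The lookup order the thread converges on (command line, then environment, then keyring, then prompt) with the opt-out David and Doug ask for, as an added example in Python. This is not openstackclient's own code: the names OS_USE_KEYRING=0 and --no-keyring, the service name "openstack", the in-memory keyring and the scripted prompt are assumptions made for the example, not necessarily what the merged patch implements.

```python
"""Added example, not openstackclient's own code.

Credential lookup in the order the thread describes, with an opt-out:
--os-password on the command line, then OS_PASSWORD in the environment,
then the keyring (unless disabled), then an interactive prompt whose
answer is saved back to the keyring for next time. OS_USE_KEYRING=0,
--no-keyring, the service name "openstack" and the in-memory keyring are
assumptions for this example.
"""
import getpass
from typing import Callable, Mapping, Optional, Tuple

SERVICE = "openstack"  # assumed keyring service name


class MemoryKeyring:
    """Minimal stand-in for a keyring backend exposing the two calls named
    in the thread, get_password() and set_password(). It holds a dict so
    the example runs offline; a real backend persists to a file or a
    desktop keyring."""

    def __init__(self) -> None:
        self._store = {}

    def get_password(self, service: str, username: str) -> Optional[str]:
        return self._store.get((service, username))

    def set_password(self, service: str, username: str, password: str) -> None:
        self._store[(service, username)] = password


class ScriptedPrompt:
    """Test double for getpass.getpass: returns a fixed answer, counts calls."""

    def __init__(self, answer: str) -> None:
        self.answer = answer
        self.calls = 0

    def __call__(self, message: str) -> str:
        self.calls += 1
        return self.answer


def keyring_enabled(env: Mapping[str, str], no_keyring_flag: bool = False) -> bool:
    """Keyring use is on by default; a --no-keyring flag or OS_USE_KEYRING
    set to 0/false/no turns it off. An unset variable keeps the default."""
    if no_keyring_flag:
        return False
    return env.get("OS_USE_KEYRING", "1").strip().lower() not in ("0", "false", "no")


def resolve_password(
    username: str,
    cli_password: Optional[str],
    env: Mapping[str, str],
    keyring,
    prompt: Callable[[str], str] = getpass.getpass,
    no_keyring_flag: bool = False,
) -> Tuple[str, str]:
    """Return (password, source); source is cli, env, keyring or prompt.

    Passwords are keyed per username, so one person can hold an admin and a
    regular account side by side. A prompted password is written to the
    keyring only; it is never placed in os.environ or argv, so it does not
    leak through `ps` or into child processes.
    """
    if cli_password:
        return cli_password, "cli"
    if env.get("OS_PASSWORD"):
        return env["OS_PASSWORD"], "env"
    use_keyring = keyring is not None and keyring_enabled(env, no_keyring_flag)
    if use_keyring:
        stored = keyring.get_password(SERVICE, username)
        if stored:
            return stored, "keyring"
    password = prompt("Password for %s: " % username)
    if use_keyring and password:
        keyring.set_password(SERVICE, username, password)
    return password, "prompt"


if __name__ == "__main__":
    import os
    kr = MemoryKeyring()
    user = os.environ.get("OS_USERNAME", "demo")
    _, source = resolve_password(user, None, os.environ, kr)
    print("password came from:", source)
```

Passing `keyring=None` covers the case where python-keyring is not importable at all; the lookup then degrades to the prompt without changing the order of the other sources.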
Re: [Openstack] Keyring support in openstack
Sweet thx all :-) This is great and a step forward…
https://blueprints.launchpad.net/openstack-common/+spec/pw-keyrings

Now just to get it into those config files to use something similar (no passwords in those pweeease…)

-Josh

From: Bhuvaneswaran A bhu...@apache.org
Date: Wednesday, August 22, 2012 4:15 PM
To: Adam Young ayo...@redhat.com
Cc: openstack openstack@lists.launchpad.net
Subject: Re: [Openstack] Keyring support in openstack

> On Mon, Jul 30, 2012 at 5:48 PM, Adam Young ayo...@redhat.com wrote:
>> On 07/30/2012 06:00 PM, Doug Hellmann wrote:
>>> On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com wrote:
>>>> On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
>>>>> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>>>>>> The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesystem permissions?
>>>>>> As mentioned in wiki page, the password is stored in base64 format.
>>>>> Which means it's stored in cleartext. That is Not Good(tm) :)
>>>> Can Keyring be used to store a token instead? That would A) be better than password and B) avoid a Keystone hit.
>>> Don't tokens expire?
>> Yes, they do, but that is no reason not to put them in the keyring, With the PKI tokens, you will be able to query a token's expiry without going across the wire.
>
> Adam, can you please file a ticket to use keyring to store tokens for keystone? I'll work on it.
>
> --
> Regards,
> Bhuvaneswaran A
> www.livecipher.com
Re: [Openstack] Keyring support in openstack
On 08/22/2012 07:15 PM, Bhuvaneswaran A wrote:
> On Mon, Jul 30, 2012 at 5:48 PM, Adam Young ayo...@redhat.com wrote:
>> On 07/30/2012 06:00 PM, Doug Hellmann wrote:
>>> On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com wrote:
>>>> On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
>>>>> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>>>>>> The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesystem permissions?
>>>>>> As mentioned in wiki page, the password is stored in base64 format.
>>>>> Which means it's stored in cleartext. That is Not Good(tm) :)
>>>> Can Keyring be used to store a token instead? That would A) be better than password and B) avoid a Keystone hit.
>>> Don't tokens expire?
>> Yes, they do, but that is no reason not to put them in the keyring, With the PKI tokens, you will be able to query a token's expiry without going across the wire.
>
> Adam, can you please file a ticket to use keyring to store tokens for keystone? I'll work on it.

https://bugs.launchpad.net/keystone/+bug/1040361

> --
> Regards,
> Bhuvaneswaran A
> www.livecipher.com
Re: [Openstack] Keyring support in openstack
On Sun, Jul 29, 2012 at 1:37 AM, Bhuvaneswaran A bhu...@apache.org wrote:
> Team,
> As per patch https://review.openstack.org/#/c/9497/ we are adding keyring support for openstack client. If password is not specified in command line or environment variable, the user is prompted to enter password. During this time, the password is stored in keyring. During next time, the password is read from keyring, instead of prompt. It is true, if password is not specified in command line or environment variable.
> This behavior is documented in this wiki page: http://wiki.openstack.org/KeyringSupport
> If you have any comments, please let us know.

You've already answered several of my questions on the ticket, but I still have some usability concerns.

How does the keyring system support a single person logging in using multiple user accounts? For example, if I have an admin account and a regular user, how do I switch between them based on the operations I need to perform?

Is there a way to disable the behavior of having a password saved to a keyring for a particular user, without uninstalling the python-keyring package (and therefore disabling keyring support for all users)?

The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesystem permissions?

The mention of one backend implies that there are others. Should we give users a way to choose the backend, in case they have a preference?

How does the use of the keyring affect scripting using the command line tool? Can a script access the keyring, or does it need to use the other options?

In one review comment you mention a few desktop apps that know how to manipulate the keyring to manage its contents. What about remote access via ssh, where a desktop environment is not available? Does the keyring library include tools for manipulating the file, or do we need to build our own? If so, what tools would be needed?

Doug
Re: [Openstack] Keyring support in openstack
I share Doug's concerns but would state some more strongly. IMO, it is simply unacceptable to modify user-visible behavior based on whether some package that happens to be used in an implementation is installed or not. This package is installed on Ubuntu by default and may be used by other applications that have nothing to do with OpenStack at all. The proposed behavior is biased towards a very simple use case of a single user with a password manually invoking commands at the shell. It is really up to the administrator of a machine with the client installed what the security policy should be. As Doug suggested, this change is a very small piece of an overall security architecture which is not well spelled out here.

If we really want to go down this road there should be an environment variable that can be set to turn off this behavior for applications that do not want it.

-David

On 7/30/2012 9:31 AM, Doug Hellmann wrote:
> On Sun, Jul 29, 2012 at 1:37 AM, Bhuvaneswaran A bhu...@apache.org wrote:
>> Team,
>> As per patch https://review.openstack.org/#/c/9497/ we are adding keyring support for openstack client. If password is not specified in command line or environment variable, the user is prompted to enter password. During this time, the password is stored in keyring. During next time, the password is read from keyring, instead of prompt. It is true, if password is not specified in command line or environment variable.
>> This behavior is documented in this wiki page: http://wiki.openstack.org/KeyringSupport
>> If you have any comments, please let us know.
>
> You've already answered several of my questions on the ticket, but I still have some usability concerns.
>
> How does the keyring system support a single person logging in using multiple user accounts? For example, if I have an admin account and a regular user, how do I switch between them based on the operations I need to perform?
>
> Is there a way to disable the behavior of having a password saved to a keyring for a particular user, without uninstalling the python-keyring package (and therefore disabling keyring support for all users)?
>
> The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesystem permissions?
>
> The mention of one backend implies that there are others. Should we give users a way to choose the backend, in case they have a preference?
>
> How does the use of the keyring affect scripting using the command line tool? Can a script access the keyring, or does it need to use the other options?
>
> In one review comment you mention a few desktop apps that know how to manipulate the keyring to manage its contents. What about remote access via ssh, where a desktop environment is not available? Does the keyring library include tools for manipulating the file, or do we need to build our own? If so, what tools would be needed?
>
> Doug
Re: [Openstack] Keyring support in openstack
On Mon, Jul 30, 2012 at 6:31 AM, Doug Hellmann doug.hellm...@dreamhost.com wrote:
> You've already answered several of my questions on the ticket, but I still have some usability concerns.
>
> How does the keyring system support a single person logging in using multiple user accounts? For example, if I have an admin account and a regular user, how do I switch between them based on the operations I need to perform?

The password is stored in keyring, for a given user. It also supports multiple users. The password is stored against the user specified in command line, --os-username or environment variable OS_USERNAME. The sample content of the keyring file ~/.openstack-keyring.cfg is as follows:

[openstack]
bhuvan = dG4wN2FjxA==
test = xYwN2FjxA==

> Is there a way to disable the behavior of having a password saved to a keyring for a particular user, without uninstalling the python-keyring package (and therefore disabling keyring support for all users)?

The simplest alternative is to specify password using other mechanism, in command line or environment variable. It's not possible to prevent using keyring, if password is not specified in any of these 2 mechanisms. The purpose of this patch is, to prevent password prompt.

> The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesystem permissions?

As mentioned in wiki page, the password is stored in base64 format.

> The mention of one backend implies that there are others. Should we give users a way to choose the backend, in case they have a preference?

python-keyring also supports several other backends:
1. CryptedFileKeyring
2. GnomeKeyring
3. KDEKWallet
4. OSXKeychain
5. Win32CryptoKeyring
6. ... and more.

The behaviour of these backends varies for each desktop. For instance, GnomeKeyring may prompt for keyring password, once per login session. CryptedFileKeyring may prompt for keyring password, every time. It's as good as not using keyring.

> How does the use of the keyring affect scripting using the command line tool? Can a script access the keyring, or does it need to use the other options?

Yes. The script could be managed with any python script, using the same methods exposed in keyring python module.
-- get_password() -- to get the password for given user.
-- set_password() -- to set the password in keyring.

> In one review comment you mention a few desktop apps that know how to manipulate the keyring to manage its contents. What about remote access via ssh, where a desktop environment is not available? Does the keyring library include tools for manipulating the file, or do we need to build our own? If so, what tools would be needed?

This was applicable for older patch, wherein we rely on desktop/environment specific backend. With older patch, if GNOME desktop is used, GnomeKeyring backend is used; if no desktop is used, CryptedFileKeyring backend is used. With new patch, irrespective of whether desktop is enabled, UncryptedFileKeyring backend is used. With this patch, the keyring behaviour is uniform across all systems in which we deploy openstack.

In summary, the primary goal of this patch is to reuse the password entered in the prompt once, and prevent the user from entering the password again. Ultimately, the password is not exposed in environment or command line (ps). It also facilitates the automated script wherein the openstack client might be used. In such case, the password is not read from prompt, but from keyring.

--
Regards,
Bhuvaneswaran A
www.livecipher.com
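Two points raised in this thread, Scott Moser's complaint that UncryptedFileKeyring creates its file under the default umask (so it is usually world-readable) and the ~/.openstack-keyring.cfg sample above with one "user = base64(password)" line per user, together as an added example in Python. This is not python-keyring's UncryptedFileKeyring nor the openstackclient backend: the function names, the section name and the sample passwords are assumptions. It writes the same INI layout but opens the file with an explicit 0600 mode so the umask cannot widen it, shows that the base64 value decodes back to the password with no key, and includes a check that flags a keyring file other users can read.

```python
"""Added example; not python-keyring's UncryptedFileKeyring and not the
openstackclient keyring backend.

An INI keyring file in the shape shown in the thread (an [openstack]
section with one "user = base64(password)" line per user), plus the two
checks the thread raises: base64 is reversible, so the file holds the
password in all but name; and the file must be created 0600 explicitly,
because a plain open() under the usual umask of 022 leaves it readable by
every local user. Function names, section name and sample passwords are
assumptions for this example.
"""
import base64
import configparser
import os
import stat
import tempfile

SECTION = "openstack"  # matches the sample ~/.openstack-keyring.cfg above


def encode_password(password: str) -> str:
    """Base64 is an encoding, not encryption: decode_password() reverses it
    with no key, so anyone who can read the file has the password."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def decode_password(encoded: str) -> str:
    return base64.b64decode(encoded.encode("ascii")).decode("utf-8")


def _parser() -> configparser.ConfigParser:
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep usernames case-sensitive
    return parser


def write_keyring(path: str, passwords: dict) -> None:
    """Write {username: password} to path as a private (0600) INI file.

    os.open() with an explicit mode means the umask can only remove bits
    from 0600, never add group/other access. O_CREAT's mode applies only
    to a newly created file, so chmod afterwards covers an existing one.
    """
    parser = _parser()
    parser[SECTION] = {user: encode_password(pw) for user, pw in passwords.items()}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        parser.write(fh)
    os.chmod(path, 0o600)


def read_password(path: str, username: str):
    """Return the cleartext password stored for username, or None."""
    parser = _parser()
    parser.read(path, encoding="utf-8")
    if not parser.has_option(SECTION, username):
        return None
    return decode_password(parser.get(SECTION, username))


def keyring_file_is_private(path: str) -> bool:
    """True iff no group or other permission bits are set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def run_demo() -> dict:
    """Write a keyring under a permissive umask, read it back, and report the
    permission check before and after loosening the mode to 0644 (what a
    default-umask open() would have produced). Sample data is constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".openstack-keyring.cfg")
        old_umask = os.umask(0o022)
        try:
            write_keyring(path, {"bhuvan": "s3cret", "Test": "hunter2"})
        finally:
            os.umask(old_umask)
        private_after_write = keyring_file_is_private(path)
        os.chmod(path, 0o644)
        return {
            "bhuvan": read_password(path, "bhuvan"),
            "Test": read_password(path, "Test"),
            "missing": read_password(path, "nobody"),
            "private_after_write": private_after_write,
            "private_after_chmod_644": keyring_file_is_private(path),
        }


if __name__ == "__main__":
    print(run_demo())
```

Running `keyring_file_is_private()` against an existing keyring_pass.cfg or ~/.openstack-keyring.cfg is the quick way to tell whether a file created by the behaviour Scott describes is exposed on a shared host.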
Re: [Openstack] Keyring support in openstack
I like making it optional with a default of off. At least for now.
Re: [Openstack] Keyring support in openstack
On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>> The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesystem permissions?
> As mentioned in wiki page, the password is stored in base64 format.

Which means it's stored in cleartext. That is Not Good(tm) :)

--
Kevin L. Mitchell kevin.mitch...@rackspace.com
Re: [Openstack] Keyring support in openstack
On Mon, Jul 30, 2012 at 4:50 PM, Bhuvaneswaran A bhu...@apache.org wrote:
> On Mon, Jul 30, 2012 at 6:31 AM, Doug Hellmann doug.hellm...@dreamhost.com wrote:
>> You've already answered several of my questions on the ticket, but I still have some usability concerns.
>>
>> How does the keyring system support a single person logging in using multiple user accounts? For example, if I have an admin account and a regular user, how do I switch between them based on the operations I need to perform?
>
> The password is stored in keyring, for a given user. It also supports multiple users. The password is stored against the user specified in command line, --os-username or environment variable OS_USERNAME. The sample content of the keyring file ~/.openstack-keyring.cfg is as follows:
>
> [openstack]
> bhuvan = dG4wN2FjxA==
> test = xYwN2FjxA==

OK, that's good to know.

>> Is there a way to disable the behavior of having a password saved to a keyring for a particular user, without uninstalling the python-keyring package (and therefore disabling keyring support for all users)?
>
> The simplest alternative is to specify password using other mechanism, in command line or environment variable. It's not possible to prevent using keyring, if password is not specified in any of these 2 mechanisms. The purpose of this patch is, to prevent password prompt.

We're going to need to include a way in the openstack cli to disable the use of the keyring. There will be times when users won't want passwords saved to a keyring, or where the password that is in the keyring is wrong or shouldn't be used for some reason. It seems like an environment variable and a command line switch would cover all of the ways to turn the keyring off, don't you think?

>> The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesystem permissions?
>
> As mentioned in wiki page, the password is stored in base64 format.

That doesn't seem any more secure than an environment variable set from a user's login script. What benefit does keyring give us with this configuration?

>> The mention of one backend implies that there are others. Should we give users a way to choose the backend, in case they have a preference?
>
> python-keyring also supports several other backends:
> 1. CryptedFileKeyring
> 2. GnomeKeyring
> 3. KDEKWallet
> 4. OSXKeychain
> 5. Win32CryptoKeyring
> 6. ... and more.
>
> The behaviour of these backends varies for each desktop. For instance, GnomeKeyring may prompt for keyring password, once per login session. CryptedFileKeyring may prompt for keyring password, every time. It's as good as not using keyring.

On the other hand, different users will be running in different configurations. Maybe they *do* have a desktop environment, and want to use one of those real keyring managers, instead of the simple INI file described above. Does the keyring library have some way to detect which backends are available at runtime? Or does the application (or user) have to specify one explicitly?

>> How does the use of the keyring affect scripting using the command line tool? Can a script access the keyring, or does it need to use the other options?
>
> Yes. The script could be managed with any python script, using the same methods exposed in keyring python module.
> -- get_password() -- to get the password for given user.
> -- set_password() -- to set the password in keyring.

I was not clear. I meant could a shell script running the new cli access the keyring. It sounds like that is not an issue, based on what you say below.

>> In one review comment you mention a few desktop apps that know how to manipulate the keyring to manage its contents. What about remote access via ssh, where a desktop environment is not available? Does the keyring library include tools for manipulating the file, or do we need to build our own? If so, what tools would be needed?
>
> This was applicable for older patch, wherein we rely on desktop/environment specific backend. With older patch, if GNOME desktop is used, GnomeKeyring backend is used; if no desktop is used, CryptedFileKeyring backend is used. With new patch, irrespective of whether desktop is enabled, UncryptedFileKeyring backend is used. With this patch, the keyring behaviour is uniform across all systems in which we deploy openstack.

That resolves my concern, but does not seem to give us any useful features. We could achieve the same effect using just the environment variable. It seems like we want to use the best keyring method available, if we're going to use one at all.

> In summary, the primary goal of this patch is to reuse the password entered in the prompt once, and prevent the user from entering the password again. Ultimately, the password is not exposed in environment or command line (ps). It also facilitates the
Re: [Openstack] Keyring support in openstack
On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>> The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesystem permissions?
>> As mentioned in wiki page, the password is stored in base64 format.
> Which means it's stored in cleartext. That is Not Good(tm) :)

Can Keyring be used to store a token instead? That would A) be better than password and B) avoid a Keystone hit.
Re: [Openstack] Keyring support in openstack
On 07/30/2012 06:00 PM, Doug Hellmann wrote:
> On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com wrote:
>> On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
>>> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>>>> The wiki mentions the password being saved using keyring.backend.UncryptedFileKeyring. Does that mean the password is saved in cleartext? Is the file protected in some way besides filesystem permissions?
>>>> As mentioned in wiki page, the password is stored in base64 format.
>>> Which means it's stored in cleartext. That is Not Good(tm) :)
>> Can Keyring be used to store a token instead? That would A) be better than password and B) avoid a Keystone hit.
> Don't tokens expire?

Yes, they do, but that is no reason not to put them in the keyring, With the PKI tokens, you will be able to query a token's expiry without going across the wire.

> Doug
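Adam's suggestion of caching a token rather than a password, with the expiry checked locally so that no Keystone round trip is needed to decide whether the cached token is still usable, as an added example in Python. This is not keystone's or python-keyring's code: the stored layout (JSON with "token" and "expires_at"), the key format, the 30-second skew margin and the injectable clock are assumptions made for the example. A real client would take expires_at from the token response (or, for PKI tokens, from the signed payload) and keep the store in an actual keyring; here a plain dict stands in for the keyring so the example runs offline.

```python
"""Added example; not keystone's or python-keyring's code.

Caches a token together with its expiry in a keyring-like store and checks
the expiry locally before reusing it: a still-valid token is used with no
round trip to Keystone, an expired one is discarded rather than sent. The
stored layout, key format and skew margin are assumptions for the example.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import MutableMapping, Optional

SKEW = timedelta(seconds=30)  # assumed allowance for clock drift against Keystone


def parse_expiry(text: str) -> datetime:
    """Parse an ISO-8601 timestamp such as 2012-07-30T23:00:00Z; a value
    without a zone is taken to be UTC."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    when = datetime.fromisoformat(text)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when


class FixedClock:
    """Injectable clock so the expiry logic can be exercised deterministically."""

    def __init__(self, when: str) -> None:
        self.set(when)

    def set(self, when: str) -> None:
        self.when = parse_expiry(when)

    def __call__(self) -> datetime:
        return self.when


class TokenCache:
    def __init__(self, store: MutableMapping[str, str], now=None) -> None:
        # store: any str->str mapping. A dict here; in practice the value
        # would live in a keyring entry (set_password/get_password).
        self._store = store
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _key(auth_url: str, username: str, project: str) -> str:
        # One entry per (endpoint, user, project) so admin and regular
        # accounts, or several clouds, do not overwrite each other.
        return "|".join((auth_url, username, project))

    def put(self, auth_url, username, project, token, expires_at: str) -> None:
        record = {"token": token, "expires_at": parse_expiry(expires_at).isoformat()}
        self._store[self._key(auth_url, username, project)] = json.dumps(record)

    def remaining(self, auth_url, username, project) -> Optional[timedelta]:
        """Time left before the cached token expires, or None if nothing is cached."""
        raw = self._store.get(self._key(auth_url, username, project))
        if raw is None:
            return None
        return parse_expiry(json.loads(raw)["expires_at"]) - self._now()

    def get(self, auth_url, username, project) -> Optional[str]:
        """Return a usable token, or None (and drop the entry) if it has
        expired or will expire within SKEW. No network call is made."""
        key = self._key(auth_url, username, project)
        raw = self._store.get(key)
        if raw is None:
            return None
        record = json.loads(raw)
        if parse_expiry(record["expires_at"]) - self._now() <= SKEW:
            del self._store[key]
            return None
        return record["token"]

    def invalidate(self, auth_url, username, project) -> None:
        """Drop a token the service has rejected (e.g. revoked before expiry)."""
        self._store.pop(self._key(auth_url, username, project), None)


if __name__ == "__main__":
    cache = TokenCache({})
    args = ("http://keystone.example:5000/v2.0", "bhuvan", "demo")  # constructed
    cache.put(*args, "tok-1", "2012-07-30T23:00:00Z")
    print(cache.get(*args))  # None: that token expired long ago
```

A local expiry check does not replace server-side validation: a token can be revoked before its expiry, so a 401 from a service should still call `invalidate()` and re-authenticate.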
[Openstack] Keyring support in openstack
Team,

As per patch https://review.openstack.org/#/c/9497/ we are adding keyring support for openstack client. If password is not specified in command line or environment variable, the user is prompted to enter password. During this time, the password is stored in keyring. During next time, the password is read from keyring, instead of prompt. It is true, if password is not specified in command line or environment variable.

This behavior is documented in this wiki page:
http://wiki.openstack.org/KeyringSupport

If you have any comments, please let us know.

Thank you,
--
Regards,
Bhuvaneswaran A
www.livecipher.com