Re: [Openstack] Keyring support in openstack

2012-08-23 Thread Scott Moser
On Sat, 28 Jul 2012, Bhuvaneswaran A wrote:

 Team,

 As per patch https://review.openstack.org/#/c/9497/ we are adding
 keyring support for openstack client.  If password is not specified
 in command line or environment variable, the user is prompted to enter
 password. During this time, the password is stored in keyring. During
 next time, the password is read from keyring, instead of prompt. It is
 true, if password is not specified in command line or environment
 variable.

 This behavior is documented in this wiki page:
   http://wiki.openstack.org/KeyringSupport

I haven't tried this specifically for the openstack client, but when this
went into nova, it annoyed me, as I started having to give a password on
remote systems every time.  For the devstack instances I was working on, I
honestly couldn't care less about security, and wanted to not be bothered.

For others looking for something similar, here is the 'keyringrc.cfg' file
that you need.  Put it either in ~/ or in the current working directory
(strange).

--- keyringrc.cfg ---
# This is an example keyringrc.cfg file that allows python-keyring
# to use the UncryptedFileKeyring.
# See /usr/share/doc/python-keyring/README.gz for more info.
# Note, this works, but I see the following significant issues with it:
# * python-keyring goes looking for 'keyringrc.cfg' in the current working
#   directory and user's home directory.  Note, specifically it does *not*
#   look for ~/.keyringrc.cfg (which would be more common)
# * no environment variable can affect the path read for ~/keyringrc.cfg
#   this means you're stuck with one of the following options if you
#   wanted to somehow maintain that one app (that you do not care about)
#   use UncryptedFileKeyring while all other apps use a different:
#   * keep 'HOME' environment variable set when that app is used to
#     something other than your home. and maintain $HOME/keyringrc.cfg
#   * keep the current working directory when that app is used to a given
#     working directory.
#   I think it'd be much nicer if I could affect this with
#   'PYTHON_KEYRING_CFG'
#   or if the config file had some apt specific stuff.
# * UncryptedFileKeyring writes its data to a file named keyring_pass.cfg
#   in the home directory, and does not pay attention to 'keyring-path'
# * UncryptedFileKeyring laughably creates keyring_pass.cfg its password
#   file with default umask meaning in most cases it is world readable
#   I've opened bug http://pad.lv/1023433 to track these.
[backend]
default-keyring=keyring.backend.UncryptedFileKeyring
# keyring-path is ignored (see above)
keyring-path=/home/ubuntu/xxx

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Re: [Openstack] Keyring support in openstack

2012-08-23 Thread Bhuvaneswaran A
On Thu, Aug 23, 2012 at 7:10 AM, Scott Moser smo...@ubuntu.com wrote:

 .
 [backend]
 default-keyring=keyring.backend.UncryptedFileKeyring
 keyring-path=/home/ubuntu/xxx # this is ignored


As you might already know, the keyring.backend.UncryptedFileKeyring will
store the password in base64 format. If you are concerned about
security, but wouldn't wish to enter keyring password, you might use
openstackclient.common.openstackkeyring backend. As part of this patch, we
have written a keyring backend for openstack to store encrypted password in
keyring, without prompting for keyring password.

-- 
Regards,
Bhuvaneswaran A
www.livecipher.com
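
The two storage problems raised in this exchange, a password file created under the default umask and values that are only base64-encoded, can both be checked mechanically. The following is an added example, not part of either message and not python-keyring or openstackclient code; `write_secret_file`, `audit_keyring_file`, the file names and the sample contents are hypothetical and constructed for the illustration.

```python
import base64
import binascii
import configparser
import os
import stat
import tempfile


def write_secret_file(path, text):
    """Create the file as 0600 from the first byte, independent of the umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(path, 0o600)  # tighten a file that already existed with a looser mode


def audit_keyring_file(path):
    """Return (kind, detail) findings for an INI-style keyring file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group or other permission bit set
        findings.append(("permissions",
                         "%s has mode %04o; group/other access should be removed"
                         % (os.path.basename(path), mode)))
    parser = configparser.RawConfigParser()
    parser.read(path)
    for section in parser.sections():
        for user, value in parser.items(section):
            if not value:
                continue
            try:
                decoded = base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                continue  # not plain base64
            # Heuristic: report that the value decodes, never the secret itself.
            findings.append(("encoding",
                             "[%s] %s decodes from base64 to %d bytes with no key"
                             % (section, user, len(decoded))))
    return findings


def demo():
    """Audit a file written the naive way and one written with 0600."""
    # Constructed sample: one user whose password is stored base64-encoded.
    encoded = base64.b64encode(b"constructed-password").decode("ascii")
    sample = "[openstack]\nalice = %s\n" % encoded
    with tempfile.TemporaryDirectory() as tmp:
        loose = os.path.join(tmp, "keyring_pass.cfg")
        tight = os.path.join(tmp, "keyring_tight.cfg")
        old_umask = os.umask(0o022)  # a common default umask
        try:
            with open(loose, "w") as handle:  # mode comes from the umask: 0644
                handle.write(sample)
            write_secret_file(tight, sample)
        finally:
            os.umask(old_umask)
        return audit_keyring_file(loose), audit_keyring_file(tight)


if __name__ == "__main__":
    for label, findings in zip(("default umask", "created 0600"), demo()):
        print(label)
        for kind, detail in findings:
            print("  %-11s %s" % (kind, detail))
```

Tightening the mode removes the permissions finding only; the encoding finding remains because base64 needs no key to reverse.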


Re: [Openstack] Keyring support in openstack

2012-08-22 Thread Bhuvaneswaran A
On Mon, Jul 30, 2012 at 5:48 PM, Adam Young ayo...@redhat.com wrote:

  On 07/30/2012 06:00 PM, Doug Hellmann wrote:



 On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com wrote:

 On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:

 On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:

  The wiki mentions the password being saved using
 keyring.backend.UncryptedFileKeyring. Does that mean the password is

 saved

 in cleartext? Is the file protected in some way besides filesystem
 permissions?

 As mentioned in wiki page, the password is stored in base64 format.

 Which means it's stored in cleartext.  That is Not Good(tm) :)

  Can Keyring be used to store a token instead?  That would A)  be better
 than password and B)  avoid a Keystone hit.


  Don't tokens expire?



 Yes, they do, but that is no reason not to put them in the keyring,

 With the PKI tokens,  you will be able to query a token's expiry without
 going across the wire.


Adam, can you please file a ticket to use keyring to store tokens for
keystone? I'll work on it.
-- 
Regards,
Bhuvaneswaran A
www.livecipher.com


Re: [Openstack] Keyring support in openstack

2012-08-22 Thread Bhuvaneswaran A
On Mon, Jul 30, 2012 at 2:30 PM, Doug Hellmann
doug.hellm...@dreamhost.com wrote:



 On Mon, Jul 30, 2012 at 4:51 PM, Bhuvaneswaran A bhu...@apache.org wrote:

 On Mon, Jul 30, 2012 at 7:46 AM, David Kranz david.kr...@qrclab.com
 wrote:
  I share Doug's concerns but would state some more strongly. IMO, it is
  simply unacceptable to modify user-visible behavior based on whether
 some
  package that happens to be used in an implementation is installed or
 not.
  This package is installed on Ubuntu by default and may be used by other
  applications that have nothing to do with OpenStack at all.

 Yes, as python-keyring is installed in almost all systems, the
 behaviour is unchanged.

  If we really want to go down this road there should be an environment
  variable that can be set to turn off this behavior for applications
 that do
  not want it.

 David, good point. I'll revise the patch to not use keyring, if
 environment variable USE_KEYRING=0. If environment variable is not set
 or if it is USE_KEYRING=1, then keyring is used to store password.


 How about OS_USE_KEYRING so it is clearer that the variable is related to
 openstack?


Just to close the loop ...

Doug, thank you for all the review comments. The patch to store encrypted
password in keyring, for openstackclient, is merged today: I'll extend
this feature to other clients that prompt for password, like keystoneclient.
  https://review.openstack.org/#/c/9497/

It's also documented here:
  http://wiki.openstack.org/KeyringSupport
-- 
Regards,
Bhuvaneswaran A
www.livecipher.com
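
The lookup order discussed in this message (command line, then environment, then keyring, then prompt, with an environment switch to turn the keyring off) can be sketched as follows. This is an added example, not code from the merged patch: `resolve_password`, `keyring_enabled` and `MemoryKeyring` are hypothetical names, the switch uses the `OS_USE_KEYRING` name suggested above, and the in-memory class stands in for python-keyring's `get_password()`/`set_password()` so the block runs without the package.

```python
SERVICE = "openstack"  # section name used in the thread's sample keyring file


class MemoryKeyring:
    """In-memory stand-in with the get_password/set_password call shape."""

    def __init__(self):
        self._store = {}

    def get_password(self, service, username):
        return self._store.get((service, username))

    def set_password(self, service, username, password):
        self._store[(service, username)] = password


def keyring_enabled(environ):
    """Keyring is used when the variable is unset or 1; 0 turns it off.

    Assumption: any value other than 0 is treated like 1.
    """
    return environ.get("OS_USE_KEYRING", "1").strip() != "0"


def resolve_password(username, cli_password, environ, keyring, prompt):
    """Return (password, source) following the precedence in the thread."""
    if cli_password:
        return cli_password, "cli"
    if environ.get("OS_PASSWORD"):
        return environ["OS_PASSWORD"], "env"
    use_keyring = keyring_enabled(environ)
    if use_keyring:
        stored = keyring.get_password(SERVICE, username)
        if stored is not None:
            return stored, "keyring"
    password = prompt(username)
    if use_keyring:
        # Stored per username, so an admin and a regular account coexist.
        keyring.set_password(SERVICE, username, password)
    return password, "prompt"


def demo():
    """Walk the cases raised in the thread; returns (sources, prompted_users)."""
    ring = MemoryKeyring()
    prompted = []

    def fake_prompt(user):  # constructed passwords, no terminal needed
        prompted.append(user)
        return "constructed-pw-for-" + user

    calls = [
        ("admin", None, {}),                         # first use: prompt, then store
        ("admin", None, {}),                         # second use: read from keyring
        ("demo", None, {}),                          # other account: own entry
        ("admin", None, {"OS_USE_KEYRING": "0"}),    # switch off: prompt again
        ("admin", None, {"OS_PASSWORD": "from-env"}),  # environment wins
        ("admin", "from-cli", {"OS_PASSWORD": "from-env"}),  # command line wins
    ]
    sources = [resolve_password(user, cli, env, ring, fake_prompt)[1]
               for user, cli, env in calls]
    return sources, prompted


if __name__ == "__main__":
    print(demo())
```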


Re: [Openstack] Keyring support in openstack

2012-08-22 Thread Joshua Harlow
Sweet thx all :-)

This is great and a step forward…

https://blueprints.launchpad.net/openstack-common/+spec/pw-keyrings

Now just to get it into those config files to use something similar (no 
passwords in those pweeease…)

-Josh

From: Bhuvaneswaran A bhu...@apache.org
Date: Wednesday, August 22, 2012 4:15 PM
To: Adam Young ayo...@redhat.com
Cc: openstack openstack@lists.launchpad.net
Subject: Re: [Openstack] Keyring support in openstack



On Mon, Jul 30, 2012 at 5:48 PM, Adam Young ayo...@redhat.com wrote:
On 07/30/2012 06:00 PM, Doug Hellmann wrote:


On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com wrote:
On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
The wiki mentions the password being saved using
keyring.backend.UncryptedFileKeyring. Does that mean the password is
saved
in cleartext? Is the file protected in some way besides filesystem
permissions?
As mentioned in wiki page, the password is stored in base64 format.
Which means it's stored in cleartext.  That is Not Good(tm) :)
Can Keyring be used to store a token instead?  That would A)  be better than 
password and B)  avoid a Keystone hit.

Don't tokens expire?


Yes, they do, but that is no reason not to put them in the keyring,

With the PKI tokens,  you will be able to query a token's expiry without going 
across the wire.

Adam, can you please file a ticket to use keyring to store tokens for keystone? 
I'll work on it.
--
Regards,
Bhuvaneswaran A
www.livecipher.com


Re: [Openstack] Keyring support in openstack

2012-08-22 Thread Adam Young

On 08/22/2012 07:15 PM, Bhuvaneswaran A wrote:



On Mon, Jul 30, 2012 at 5:48 PM, Adam Young ayo...@redhat.com wrote:


On 07/30/2012 06:00 PM, Doug Hellmann wrote:



On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com wrote:

On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:

On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:

The wiki mentions the password being saved using
keyring.backend.UncryptedFileKeyring. Does that
mean the password is

saved

in cleartext? Is the file protected in some way
besides filesystem
permissions?

As mentioned in wiki page, the password is stored in
base64 format.

Which means it's stored in cleartext.  That is Not
Good(tm) :)

Can Keyring be used to store a token instead?  That would A)
 be better than password and B)  avoid a Keystone hit.


Don't tokens expire?



Yes, they do, but that is no reason not to put them in the keyring,

With the PKI tokens,  you will be able to query a token's expiry
without going across the wire.


Adam, can you please file a ticket to use keyring to store tokens for 
keystone? I'll work on it.

https://bugs.launchpad.net/keystone/+bug/1040361



--
Regards,
Bhuvaneswaran A
www.livecipher.com




Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Doug Hellmann
On Sun, Jul 29, 2012 at 1:37 AM, Bhuvaneswaran A bhu...@apache.org wrote:

 Team,

 As per patch https://review.openstack.org/#/c/9497/ we are adding
 keyring support for openstack client.  If password is not specified
 in command line or environment variable, the user is prompted to enter
 password. During this time, the password is stored in keyring. During
 next time, the password is read from keyring, instead of prompt. It is
 true, if password is not specified in command line or environment
 variable.

 This behavior is documented in this wiki page:
   http://wiki.openstack.org/KeyringSupport

 If you have any comments, please let us know.


You've already answered several of my questions on the ticket, but I still
have some usability concerns.

How does the keyring system support a single person logging in using
multiple user accounts? For example, if I have an admin account and a
regular user, how do I switch between them based on the operations I need
to perform?

Is there a way to disable the behavior of having a password saved to a
keyring for a particular user, without uninstalling the python-keyring
package (and therefore disabling keyring support for all users)?

The wiki mentions the password being saved
using keyring.backend.UncryptedFileKeyring. Does that mean the password is
saved in cleartext? Is the file protected in some way besides filesystem
permissions?

The mention of one backend implies that there are others. Should we give
users a way to choose the backend, in case they have a preference?

How does the use of the keyring affect scripting using the command line
tool? Can a script access the keyring, or does it need to use the other
options?

In one review comment you mention a few desktop apps that know how to
manipulate the keyring to manage its contents. What about remote access via
ssh, where a desktop environment is not available? Does the keyring library
include tools for manipulating the file, or do we need to build our own? If
so, what tools would be needed?

Doug


Re: [Openstack] Keyring support in openstack

2012-07-30 Thread David Kranz
I share Doug's concerns but would state some more strongly. IMO, it is 
simply unacceptable to modify user-visible behavior based on whether 
some package that happens to be used in an implementation is installed 
or not. This package is installed on Ubuntu by default and may be used 
by other applications that have nothing to do with OpenStack at all.


The proposed behavior is biased towards a very simple use case of a 
single user with a password manually invoking commands at the shell. It 
is really up to the administrator of a machine with the client installed 
what the security policy should be. As Doug suggested, this change is a 
very small piece of an overall security architecture which is not well 
spelled out here.


If we really want to go down this road there should be an environment 
variable that can be set to turn off this behavior for applications that 
do not want it.


 -David

On 7/30/2012 9:31 AM, Doug Hellmann wrote:



On Sun, Jul 29, 2012 at 1:37 AM, Bhuvaneswaran A bhu...@apache.org wrote:


Team,

As per patch https://review.openstack.org/#/c/9497/ we are adding
keyring support for openstack client.  If password is not specified
in command line or environment variable, the user is prompted to enter
password. During this time, the password is stored in keyring. During
next time, the password is read from keyring, instead of prompt. It is
true, if password is not specified in command line or environment
variable.

This behavior is documented in this wiki page:
http://wiki.openstack.org/KeyringSupport

If you have any comments, please let us know.


You've already answered several of my questions on the ticket, but I 
still have some usability concerns.


How does the keyring system support a single person logging in using 
multiple user accounts? For example, if I have an admin account and a 
regular user, how do I switch between them based on the operations I 
need to perform?


Is there a way to disable the behavior of having a password saved to a 
keyring for a particular user, without uninstalling the python-keyring 
package (and therefore disabling keyring support for all users)?


The wiki mentions the password being saved 
using keyring.backend.UncryptedFileKeyring. Does that mean the 
password is saved in cleartext? Is the file protected in some way 
besides filesystem permissions?


The mention of one backend implies that there are others. Should we 
give users a way to choose the backend, in case they have a preference?


How does the use of the keyring affect scripting using the command 
line tool? Can a script access the keyring, or does it need to use the 
other options?


In one review comment you mention a few desktop apps that know how to 
manipulate the keyring to manage its contents. What about remote 
access via ssh, where a desktop environment is not available? Does the 
keyring library include tools for manipulating the file, or do we need 
to build our own? If so, what tools would be needed?


Doug





Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Bhuvaneswaran A
On Mon, Jul 30, 2012 at 6:31 AM, Doug Hellmann
doug.hellm...@dreamhost.com wrote:

 You've already answered several of my questions on the ticket, but I still
 have some usability concerns.

 How does the keyring system support a single person logging in using
 multiple user accounts? For example, if I have an admin account and a
 regular user, how do I switch between them based on the operations I need
 to perform?

The password is stored in keyring, for a given user. It also supports
multiple users. The password is stored against the user specified in
command line, --os-username or environment variable OS_USERNAME.

The sample content of the keyring file ~/.openstack-keyring.cfg is as follows:
[openstack]
bhuvan = dG4wN2FjxA==
test = xYwN2FjxA==

 Is there a way to disable the behavior of having a password saved to a
 keyring for a particular user, without uninstalling the python-keyring
 package (and therefore disabling keyring support for all users)?

The simplest alternative is to specify password using other mechanism,
in command line or environment variable. It's not possible to prevent
using keyring, if password is not specified in any of these 2
mechanisms. The purpose of this patch is, to prevent password prompt.

 The wiki mentions the password being saved using
 keyring.backend.UncryptedFileKeyring. Does that mean the password is saved
 in cleartext? Is the file protected in some way besides filesystem
 permissions?

As mentioned in wiki page, the password is stored in base64 format.

 The mention of one backend implies that there are others. Should we give
 users a way to choose the backend, in case they have a preference?

python-keyring also supports several other backends:
  1. CryptedFileKeyring
  2. GnomeKeyring
  3. KDEKWallet
  4. OSXKeychain
  5. Win32CryptoKeyring
  6. ... and more.

The behaviour of these backends varies for each desktop. For instance,
GnomeKeyring may prompt for keyring password, once per login session.
CryptedFileKeyring may prompt for keyring password, every time. It's
as good as not using keyring.

 How does the use of the keyring affect scripting using the command line
 tool? Can a script access the keyring, or does it need to use the other
 options?

Yes. The script could be managed with any python script, using the
same methods exposed in keyring python module.
  -- get_password() -- to get the password for given user.
  -- set_password() -- to set the password in keyring.

 In one review comment you mention a few desktop apps that know how to
 manipulate the keyring to manage its contents. What about remote access via
 ssh, where a desktop environment is not available? Does the keyring library
 include tools for manipulating the file, or do we need to build our own? If
 so, what tools would be needed?

This was applicable for older patch, wherein we rely on
desktop/environment specific backend. With older patch, if GNOME
desktop is used, GnomeKeyring backend is used; if no desktop is used,
CryptedFileKeyring backend is used. With new patch, irrespective of
whether desktop is enabled, UncryptedFileKeyring backend is used. With
this patch, the keyring behaviour is uniform across all systems in
which we deploy openstack.

In summary, the primary goal of this patch is to reuse the password
entered in the prompt once, and prevent the user from entering the
password again. Ultimately, the password is not exposed in environment
or command line (ps). It also facilitates the automated script wherein
the openstack client might be used. In such case, the password is
not read from prompt, but from keyring.
-- 
Regards,
Bhuvaneswaran A
www.livecipher.com



Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Matt Joyce
I like making it optional with a default of off.  At least for now.


Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Kevin L. Mitchell
On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
  The wiki mentions the password being saved using
  keyring.backend.UncryptedFileKeyring. Does that mean the password is
 saved
  in cleartext? Is the file protected in some way besides filesystem
  permissions?
 
 As mentioned in wiki page, the password is stored in base64 format. 

Which means it's stored in cleartext.  That is Not Good(tm) :)
-- 
Kevin L. Mitchell kevin.mitch...@rackspace.com




Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Doug Hellmann
On Mon, Jul 30, 2012 at 4:50 PM, Bhuvaneswaran A bhu...@apache.org wrote:

 On Mon, Jul 30, 2012 at 6:31 AM, Doug Hellmann
 doug.hellm...@dreamhost.com wrote:

  You've already answered several of my questions on the ticket, but I
 still
  have some usability concerns.
 
  How does the keyring system support a single person logging in using
  multiple user accounts? For example, if I have an admin account and a
  regular user, how do I switch between them based on the operations I
 need
  to perform?

 The password is stored in keyring, for a given user. It also support
 multiple users. The password is stored against the user specified in
 command line, --os-username or environment variable OS_USERNAME.

 The sample content of the keyring file ~/.openstack-keyring.cfg is as
 follows:
 [openstack]
 bhuvan = dG4wN2FjxA==
 test = xYwN2FjxA==


OK, that's good to know.



  Is there a way to disable the behavior of having a password saved to a
  keyring for a particular user, without uninstalling the python-keyring
  package (and therefore disabling keyring support for all users)?

 The simplest alternative is to specify password using other mechanism,
 in command line or environment variable. It's not possible to prevent
 using keyring, if password is not specified in any of these 2
 mechanisms. The purpose of this patch is, to prevent password prompt.


We're going to need to include a way in the openstack cli to disable the
use of the keyring. There will be times when users won't want passwords
saved to a keyring, or where the password that is in the keyring is wrong
or shouldn't be used for some reason. It seems like an environment variable
and a command line switch would cover all of the ways to turn the keyring
off, don't you think?



  The wiki mentions the password being saved using
  keyring.backend.UncryptedFileKeyring. Does that mean the password is
 saved
  in cleartext? Is the file protected in some way besides filesystem
  permissions?

 As mentioned in wiki page, the password is stored in base64 format.


That doesn't seem any more secure than an environment variable set from a
user's login script. What benefit does keyring give us with this
configuration?



  The mention of one backend implies that there are others. Should we give
  users a way to choose the backend, in case they have a preference?

 python-keyring also support several other backends:
   1.CryptedFileKeyring
   2. GnomeKeyring
   3. KDEKWallet
   4. OSXKeychain
   5. Win32CryptoKeyring
   6. ... and more.

 The behaviour of these backends vary for each desktop. For instance,
 GnomeKeyring may prompt for keyring password, once per login session.
 CryptedFileKeyring may prompt for keyring password, every time. It's
 as good as not using keyring.


On the other hand, different users will be running in different
configurations. Maybe they *do* have a desktop environment, and want to use
one of those real keyring managers, instead of the simple INI file
described above. Does the keyring library have some way to detect which
backends are available at runtime? Or does the application (or user) have
to specify one explicitly?



  How does the use of the keyring affect scripting using the command line
  tool? Can a script access the keyring, or does it need to use the other
  options?

 Yes. The script could be managed with any python script, using the
 same methods exposed in keyring python module.
   -- get_password() -- to get the password for given user.
   -- set_password() -- to set the password in keyring.


I was not clear. I meant could a shell script running the new cli access
the keyring. It sounds like that is not an issue, based on what you say
below.



  In one review comment you mention a few desktop apps that know how to
  manipulate the keyring to manage its contents. What about remote access
 via
  ssh, where a desktop environment is not available? Does the keyring
 library
  include tools for manipulating the file, or do we need to build our own?
 If
  so, what tools would be needed?

 This was applicable for older patch, wherein we rely on
 desktop/environment specific backend. With older patch, if GNOME
 desktop is used, GnomeKeyring backend is used; if no desktop is used,
 CryptedFileKeyring backend is used. With new patch, irrespective of
 whether desktop is enabled, UncryptedFileKeyring backend is used. With
 this patch, the keyring behaviour is uniform across all systems in
 which we deploy openstack.


That resolves my concern, but does not seem to give us any useful features.
We could achieve the same effect using just the environment variable. It
seems like we want to use the best keyring method available, if we're
going to use one at all.



 In summary, the primary goal of this patch is to reuse the password
 entered in the prompt once, and prevent the user from entering the
 password again. Ultimately, the password is not exposed in environment
 or command line (ps). It also facilitate the 

Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Adam Young

On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:

On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:

The wiki mentions the password being saved using
keyring.backend.UncryptedFileKeyring. Does that mean the password is

saved

in cleartext? Is the file protected in some way besides filesystem
permissions?

As mentioned in wiki page, the password is stored in base64 format.

Which means it's stored in cleartext.  That is Not Good(tm) :)
Can Keyring be used to store a token instead?  That would A)  be better 
than password and B)  avoid a Keystone hit.





Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Adam Young

On 07/30/2012 06:00 PM, Doug Hellmann wrote:



On Mon, Jul 30, 2012 at 5:30 PM, Adam Young ayo...@redhat.com wrote:


On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:

On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:

The wiki mentions the password being saved using
keyring.backend.UncryptedFileKeyring. Does that mean
the password is

saved

in cleartext? Is the file protected in some way
besides filesystem
permissions?

As mentioned in wiki page, the password is stored in
base64 format.

Which means it's stored in cleartext.  That is Not Good(tm) :)

Can Keyring be used to store a token instead?  That would A)  be
better than password and B)  avoid a Keystone hit.


Don't tokens expire?



Yes, they do, but that is no reason not to put them in the keyring,

With the PKI tokens,  you will be able to query a token's expiry without 
going across the wire.






Doug





[Openstack] Keyring support in openstack

2012-07-28 Thread Bhuvaneswaran A
Team,

As per patch https://review.openstack.org/#/c/9497/ we are adding
keyring support for openstack client.  If password is not specified
in command line or environment variable, the user is prompted to enter
password. During this time, the password is stored in keyring. During
next time, the password is read from keyring, instead of prompt. It is
true, if password is not specified in command line or environment
variable.

This behavior is documented in this wiki page:
  http://wiki.openstack.org/KeyringSupport

If you have any comments, please let us know.

Thank you,
-- 
Regards,
Bhuvaneswaran A
www.livecipher.com
