Re: [Openstack] Keyring support in openstack

2012-08-23 Thread Bhuvaneswaran A
On Thu, Aug 23, 2012 at 7:10 AM, Scott Moser  wrote:

> .
> [backend]
> default-keyring=keyring.backend.UncryptedFileKeyring
> keyring-path=/home/ubuntu/xxx # this is ignored
>

As you might already know, the keyring.backend.UncryptedFileKeyring will
store the password in base64 format. If you are concerned about
security, but wouldn't wish to enter the "keyring" password, you might use
the openstackclient.common.openstackkeyring backend. As part of this patch, we
have written a keyring backend for openstack to store the encrypted password in
the keyring, without prompting for the "keyring" password.

-- 
Regards,
Bhuvaneswaran A
www.livecipher.com
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Re: [Openstack] Keyring support in openstack

2012-08-23 Thread Vishvananda Ishaya

On Aug 23, 2012, at 7:10 AM, Scott Moser  wrote:

> I haven't tried this specifically for the openstack client, but when this
> went into nova, it annoyed me, as I started having to give a password on
> remote systems every time.  For the devstack instances I was working on, I
> honestly couldn't care less about security, and wanted to not be bothered.

I think we were all annoyed by this. FYI to get the old (non-cache) behavior
for nova:

export OS_NO_CACHE=1

Devstack now sets this by default but you can override it in your localrc if
you really like the password prompt.

Vish



Re: [Openstack] Keyring support in openstack

2012-08-23 Thread Scott Moser
On Sat, 28 Jul 2012, Bhuvaneswaran A wrote:

> Team,
>
> As per patch https://review.openstack.org/#/c/9497/ we are adding
> keyring support for "openstack" client.  If password is not specified
> in command line or environment variable, the user is prompted to enter
> password. During this time, the password is stored in keyring. During
> next time, the password is read from keyring, instead of prompt. It is
> true, if password is not specified in command line or environment
> variable.
>
> This behavior is documented in this wiki page:
>   http://wiki.openstack.org/KeyringSupport

I haven't tried this specifically for the openstack client, but when this
went into nova, it annoyed me, as I started having to give a password on
remote systems every time.  For the devstack instances I was working on, I
honestly couldn't care less about security, and wanted to not be bothered.

For others looking for something similar, here is the 'keyringrc.cfg' file
that you need.  Put it either in ~/ or in the current working directory
(strange).

--- keyringrc.cfg ---
# This is an example keyringrc.cfg file that allows python-keyring
# to use the UncryptedFileKeyring.
# See /usr/share/doc/python-keyring/README.gz for more info.
# Note, this works, but I see the following significant issues with it:
# * python-keyring goes looking for 'keyringrc.cfg' in the current working
#   directory and user's home directory.  Note, specifically it does *not*
#   look for ~/.keyringrc.cfg (which would be more common)
# * no environment variable can affect the path read for ~/keyringrc.cfg
#   this means you're stuck with one of the following options if you
#   wanted to somehow maintain that one app (that you do not care about)
#   use UncryptedFileKeyring while all other apps use a different:
#* keep 'HOME' environment variable set when that app is used to
#  something other than your home. and maintain $HOME/keyringrc.cfg
#* keep the current working directory when that app is used to a given
#  working directory.
#   I think it'd be much nicer if I could affect this with
#   'PYTHON_KEYRING_CFG'
#   or if the config file had some app specific stuff.
# * UncryptedFileKeyring writes its data to a file named keyring_pass.cfg
#   in the home directory, and does not pay attention to 'keyring-path'
# * UncryptedFileKeyring laughably creates keyring_pass.cfg its password
#   file with default umask meaning in most cases it is world readable
#   I've opened bug http://pad.lv/1023433 to track these.
[backend]
default-keyring=keyring.backend.UncryptedFileKeyring
keyring-path=/home/ubuntu/xxx # this is ignored

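Two points raised in this thread, that the base64 "encoding" in the file keyring is cleartext for anyone who can read the file, and that the keyring file is created with the process umask and so ends up world readable by default, are easy to demonstrate. The block below is an added example written for this page; it is not code from python-keyring or from the openstack client. It writes a constructed store in the "[openstack] / user = base64(password)" layout both the careless way and the owner-only way, audits the resulting file, and decodes the entries. The function names, the sample usernames and the sample passwords are the example's own assumptions.

```python
import base64
import configparser
import os
import shutil
import stat
import tempfile

# Constructed sample in the "[openstack] / user = base64(password)" layout the
# thread describes. Usernames and passwords are made up for this example.
SAMPLE_STORE = "[openstack]\nadmin = {0}\ndemo = {1}\n".format(
    base64.b64encode(b"s3cret-admin").decode("ascii"),
    base64.b64encode(b"demo-pass").decode("ascii"),
)


def write_store_carelessly(path, contents):
    """The pattern complained about above: a plain open() creates the file
    as 0666 & ~umask, i.e. 0644 (world readable) under the usual umask 022.
    Nothing but the caller's umask decides who can read the password file."""
    with open(path, "w") as fh:
        fh.write(contents)


def write_store(path, contents):
    """Create the store owner-only regardless of umask: the 0600 mode is
    applied at creation time (a umask can only clear bits, never add them)
    and O_EXCL refuses to reuse a pre-existing file or follow a planted
    symlink instead of silently writing through it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)


def audit_store(path):
    """Return a list of problems with a password-store file; empty when it
    is a regular file owned by us that nobody else can read or write."""
    problems = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlink or special file)")
    if st.st_uid != os.getuid():
        problems.append("not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants group/other access"
                        % stat.S_IMODE(st.st_mode))
    return problems


def recover_passwords(path):
    """base64 is an encoding, not encryption: whoever can read the file
    gets every password back with a single decode."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep usernames case-sensitive
    cp.read(path)
    return {user: base64.b64decode(value).decode("utf-8")
            for user, value in cp.items("openstack")}


def run_demo():
    """Write the sample store both ways under umask 022 and audit each.
    Returns (careless_problems, safe_problems, recovered_passwords)."""
    old_umask = os.umask(0o022)
    workdir = tempfile.mkdtemp(prefix="keyring-demo-")
    try:
        careless = os.path.join(workdir, "keyring_pass.cfg")
        write_store_carelessly(careless, SAMPLE_STORE)
        safe = os.path.join(workdir, "openstack-keyring.cfg")
        write_store(safe, SAMPLE_STORE)
        return audit_store(careless), audit_store(safe), recover_passwords(safe)
    finally:
        os.umask(old_umask)
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    careless_problems, safe_problems, recovered = run_demo()
    print("careless file:", careless_problems)
    print("safe file:", safe_problems)
    print("recovered:", recovered)
```

The audit is the check worth running against an existing ~/keyring_pass.cfg or ~/.openstack-keyring.cfg: a non-empty result from audit_store means every password in the file is readable by other local users, and recover_passwords shows that reading is all an attacker needs.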


Re: [Openstack] Keyring support in openstack

2012-08-22 Thread Adam Young

On 08/22/2012 07:15 PM, Bhuvaneswaran A wrote:
> On Mon, Jul 30, 2012 at 5:48 PM, Adam Young wrote:
>> On 07/30/2012 06:00 PM, Doug Hellmann wrote:
>>> On Mon, Jul 30, 2012 at 5:30 PM, Adam Young <ayo...@redhat.com> wrote:
>>>> On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
>>>>> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>>>>>> The wiki mentions the password being saved using
>>>>>>> keyring.backend.UncryptedFileKeyring. Does that mean the password is
>>>>>>> saved in cleartext? Is the file protected in some way besides
>>>>>>> filesystem permissions?
>>>>>>
>>>>>> As mentioned in wiki page, the password is stored in base64 format.
>>>>>
>>>>> Which means it's stored in cleartext.  That is Not Good(tm) :)
>>>>
>>>> Can Keyring be used to store a token instead?  That would A) be better
>>>> than password and B) avoid a Keystone hit.
>>>
>>> Don't tokens expire?
>>
>> Yes, they do, but that is no reason not to put them in the keyring.
>>
>> With the PKI tokens, you will be able to query a token's expiry without
>> going across the wire.
>
> Adam, can you please file a ticket to use keyring to store tokens for
> keystone? I'll work on it.

https://bugs.launchpad.net/keystone/+bug/1040361

> --
> Regards,
> Bhuvaneswaran A
> www.livecipher.com




Re: [Openstack] Keyring support in openstack

2012-08-22 Thread Joshua Harlow
Sweet thx all :-)

This is great and a step forward…

https://blueprints.launchpad.net/openstack-common/+spec/pw-keyrings

Now just to get it into those config files to use something similar (no 
passwords in those pweeease…)

-Josh

From: Bhuvaneswaran A <bhu...@apache.org>
Date: Wednesday, August 22, 2012 4:15 PM
To: Adam Young <ayo...@redhat.com>
Cc: openstack <openstack@lists.launchpad.net>
Subject: Re: [Openstack] Keyring support in openstack

> On Mon, Jul 30, 2012 at 5:48 PM, Adam Young <ayo...@redhat.com> wrote:
>> On 07/30/2012 06:00 PM, Doug Hellmann wrote:
>>> On Mon, Jul 30, 2012 at 5:30 PM, Adam Young <ayo...@redhat.com> wrote:
>>>> On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
>>>>> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>>>>>> The wiki mentions the password being saved using
>>>>>>> keyring.backend.UncryptedFileKeyring. Does that mean the password is
>>>>>>> saved in cleartext? Is the file protected in some way besides
>>>>>>> filesystem permissions?
>>>>>>
>>>>>> As mentioned in wiki page, the password is stored in base64 format.
>>>>>
>>>>> Which means it's stored in cleartext.  That is Not Good(tm) :)
>>>>
>>>> Can Keyring be used to store a token instead?  That would A) be better
>>>> than password and B) avoid a Keystone hit.
>>>
>>> Don't tokens expire?
>>
>> Yes, they do, but that is no reason not to put them in the keyring.
>>
>> With the PKI tokens, you will be able to query a token's expiry without
>> going across the wire.
>
> Adam, can you please file a ticket to use keyring to store tokens for
> keystone? I'll work on it.
> --
> Regards,
> Bhuvaneswaran A
> www.livecipher.com


Re: [Openstack] Keyring support in openstack

2012-08-22 Thread Bhuvaneswaran A
On Mon, Jul 30, 2012 at 2:30 PM, Doug Hellmann
wrote:

>
>
> On Mon, Jul 30, 2012 at 4:51 PM, Bhuvaneswaran A wrote:
>
>> On Mon, Jul 30, 2012 at 7:46 AM, David Kranz 
>> wrote:
>> > I share Doug's concerns but would state some more strongly. IMO, it is
>> > simply unacceptable to modify user-visible behavior based on whether
>> some
>> > package that happens to be used in an implementation is installed or
>> not.
>> > This package is installed on Ubuntu by default and may be used by other
>> > applications that have nothing to do with OpenStack at all.
>>
>> Yes, as python-keyring is installed in almost all systems, the
>> behaviour is unchanged.
>>
>> > If we really want to go down this road there should be an environment
>> > variable that can be set to turn off this behavior for applications
>> that do
>> > not want it.
>>
>> David, good point. I'll revise the patch to not use keyring, if
>> environment variable USE_KEYRING=0. If environment variable is not set
>> or if it is USE_KEYRING=1, then keyring is used to store password.
>>
>
> How about OS_USE_KEYRING so it is clearer that the variable is related to
> openstack?
>

Just to close the loop ...

Doug, thank you for all the review comments. The patch to store the encrypted
password in keyring, for openstackclient, is merged today. I'll extend
this feature to other clients that prompt for a password, like keystoneclient.
  https://review.openstack.org/#/c/9497/

It's also documented here:
  http://wiki.openstack.org/KeyringSupport
-- 
Regards,
Bhuvaneswaran A
www.livecipher.com


Re: [Openstack] Keyring support in openstack

2012-08-22 Thread Bhuvaneswaran A
On Mon, Jul 30, 2012 at 5:48 PM, Adam Young wrote:

> On 07/30/2012 06:00 PM, Doug Hellmann wrote:
>> On Mon, Jul 30, 2012 at 5:30 PM, Adam Young wrote:
>>> On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
>>>> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>>>>> The wiki mentions the password being saved using
>>>>>> keyring.backend.UncryptedFileKeyring. Does that mean the password is
>>>>>> saved in cleartext? Is the file protected in some way besides
>>>>>> filesystem permissions?
>>>>>
>>>>> As mentioned in wiki page, the password is stored in base64 format.
>>>>
>>>> Which means it's stored in cleartext.  That is Not Good(tm) :)
>>>
>>> Can Keyring be used to store a token instead?  That would A) be better
>>> than password and B) avoid a Keystone hit.
>>
>> Don't tokens expire?
>
> Yes, they do, but that is no reason not to put them in the keyring.
>
> With the PKI tokens, you will be able to query a token's expiry without
> going across the wire.

Adam, can you please file a ticket to use keyring to store tokens for
keystone? I'll work on it.
-- 
Regards,
Bhuvaneswaran A
www.livecipher.com


Re: [Openstack] Keyring support in openstack

2012-07-31 Thread Sandy Walsh
I added similar functionality to novaclient. There is a --nocache option to 
ignore the cache and the 'import keyring' check is just to keep it from 
crashing on non-supported systems. 

I key off the following: auth url + username + service name + region to prevent 
conflicts with other users.

Hope it helps!

-S



From: openstack-bounces+sandy.walsh=rackspace@lists.launchpad.net 
[openstack-bounces+sandy.walsh=rackspace@lists.launchpad.net] on behalf of 
Bhuvaneswaran A [bhu...@apache.org]
Sent: Monday, July 30, 2012 5:50 PM
To: openstack@lists.launchpad.net
Subject: Re: [Openstack] Keyring support in openstack

On Mon, Jul 30, 2012 at 6:31 AM, Doug Hellmann
 wrote:

> You've already answered several of my questions on the ticket, but I still
> have some "usability" concerns.
>
> How does the keyring system support a single person logging in using
> multiple user accounts? For example, if I have an admin account and a
> "regular" user, how do I switch between them based on the operations I need
> to perform?

The password is stored in keyring, for a given user. It also supports
multiple users. The password is stored against the user specified in
the command line, --os-username, or the environment variable OS_USERNAME.

The sample content of the keyring file ~/.openstack-keyring.cfg is as follows:
[openstack]
bhuvan = dG4wN2FjxA==
test = xYwN2FjxA==

> Is there a way to disable the behavior of having a password saved to a
> keyring for a particular user, without uninstalling the python-keyring
> package (and therefore disabling keyring support for all users)?

The simplest alternative is to specify password using other mechanism,
in command line or environment variable. It's not possible to prevent
using keyring, if password is not specified in any of these 2
mechanisms. The purpose of this patch is, to prevent password prompt.

> The wiki mentions the password being saved using
> keyring.backend.UncryptedFileKeyring. Does that mean the password is saved
> in cleartext? Is the file protected in some way besides filesystem
> permissions?

As mentioned in wiki page, the password is stored in base64 format.

> The mention of one backend implies that there are others. Should we give
> users a way to choose the backend, in case they have a preference?

python-keyring also supports several other backends:
  1. CryptedFileKeyring
  2. GnomeKeyring
  3. KDEKWallet
  4. OSXKeychain
  5. Win32CryptoKeyring
  6. ... and more.

The behaviour of these backends vary for each desktop. For instance,
GnomeKeyring may prompt for keyring password, once per login session.
CryptedFileKeyring may prompt for keyring password, every time. It's
as good as not using keyring.

> How does the use of the keyring affect scripting using the command line
> tool? Can a script access the keyring, or does it need to use the other
> options?

Yes. The script could be managed with any python script, using the
same methods exposed in "keyring" python module.
  -- get_password() -- to get the password for given user.
  -- set_password() -- to set the password in keyring.

> In one review comment you mention a few desktop apps that know how to
> manipulate the keyring to manage its contents. What about remote access via
> ssh, where a desktop environment is not available? Does the keyring library
> include tools for manipulating the file, or do we need to build our own? If
> so, what tools would be needed?

This was applicable for older patch, wherein we rely on
desktop/environment specific backend. With older patch, if GNOME
desktop is used, GnomeKeyring backend is used; if no desktop is used,
CryptedFileKeyring backend is used. With new patch, irrespective of
whether desktop is enabled, UncryptedFileKeyring backend is used. With
this patch, the keyring behaviour is uniform across all systems in
which we deploy openstack.

In summary, the primary goal of this patch is to reuse the password
entered in the prompt once, and prevent the user from entering the
password again. Ultimately, the password is not exposed in the environment
or command line (ps). It also facilitates automated scripts wherein
the "openstack" client might be used. In such a case, the password is
not read from the prompt, but from the keyring.
--
Regards,
Bhuvaneswaran A
www.livecipher.com

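Sandy's keying scheme (auth URL + username + service name + region), Vish's OS_NO_CACHE switch and Adam's point that a PKI token's expiry can be checked without going across the wire fit together in one small cache. The block below is an added example written for this page, not novaclient's or python-keyring's code: a dict stands in for the keyring backend, fake_keystone stands in for a real token request, and an expires_at timestamp stands in for the expiry a PKI token carries. TokenCache, cache_enabled, get_token and the two cloud names are the example's own assumptions.

```python
import os
import time


class TokenCache:
    """Stand-in for a keyring-backed token cache (a dict instead of keyring).

    Entries are keyed on auth URL + username + service name + region, the
    tuple described above for novaclient, so the same username on two clouds
    (or two regions) never collides.  Each entry carries the token's expiry,
    so a stale token is rejected locally without a Keystone round trip.
    """

    def __init__(self, store=None, clock=time.time):
        self._store = {} if store is None else store
        self._clock = clock

    @staticmethod
    def key(auth_url, username, service_name, region):
        # Trailing-slash variants of the same auth URL share one entry.
        return "|".join((auth_url.rstrip("/"), username, service_name, region))

    def get(self, auth_url, username, service_name, region):
        k = self.key(auth_url, username, service_name, region)
        entry = self._store.get(k)
        if entry is None:
            return None
        if entry["expires_at"] <= self._clock():
            del self._store[k]  # expired: drop it and force re-authentication
            return None
        return entry["token"]

    def put(self, auth_url, username, service_name, region, token, expires_at):
        self._store[self.key(auth_url, username, service_name, region)] = {
            "token": token, "expires_at": expires_at}


def cache_enabled(environ=None, nocache_flag=False):
    """--nocache on the command line or OS_NO_CACHE=1 in the environment
    (what devstack exports) disables the cache entirely."""
    env = os.environ if environ is None else environ
    return not (nocache_flag or env.get("OS_NO_CACHE", "0") == "1")


def get_token(cache, creds, authenticate, environ=None, nocache_flag=False):
    """Return a usable token for creds, calling authenticate (the Keystone
    hit) only when the cache is off, empty, or holds an expired token.
    creds carries auth_url, username, service_name and region;
    authenticate(creds) returns (token, expires_at)."""
    args = (creds["auth_url"], creds["username"],
            creds["service_name"], creds["region"])
    enabled = cache_enabled(environ, nocache_flag)
    if enabled:
        token = cache.get(*args)
        if token is not None:
            return token
    token, expires_at = authenticate(creds)
    if enabled:
        cache.put(*args, token, expires_at)
    return token


def run_demo():
    """Constructed scenario: two users on one cloud plus the same username on
    a second cloud, with a fake clock so expiry can be exercised."""
    now = [1000000.0]
    calls = []

    def fake_keystone(creds):  # stands in for a real token request
        calls.append(creds["username"] + "@" + creds["auth_url"])
        return ("tok-%d" % len(calls), now[0] + 3600)

    cache = TokenCache(clock=lambda: now[0])
    env = {}
    admin = {"auth_url": "http://keystone-a:5000/v2.0/", "username": "admin",
             "service_name": "compute", "region": "RegionOne"}
    demo = dict(admin, username="demo")
    admin_b = dict(admin, auth_url="http://keystone-b:5000/v2.0")

    first = get_token(cache, admin, fake_keystone, env)          # miss
    second = get_token(cache, admin, fake_keystone, env)         # hit
    other = get_token(cache, demo, fake_keystone, env)           # other user
    other_cloud = get_token(cache, admin_b, fake_keystone, env)  # other cloud
    now[0] += 3601                                               # admin expired
    renewed = get_token(cache, admin, fake_keystone, env)
    bypass = get_token(cache, admin, fake_keystone, {"OS_NO_CACHE": "1"})
    return {"first": first, "second": second, "other": other,
            "other_cloud": other_cloud, "renewed": renewed,
            "bypass": bypass, "keystone_calls": len(calls)}


if __name__ == "__main__":
    print(run_demo())
```

Swapping the dict for keyring.set_password/get_password gives the persistent version; a file backend then inherits the same ownership and mode concerns as the password store, because a cached token is a bearer credential until it expires.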


Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Bhuvaneswaran A
Doug and Team,
I tweaked the patch to incorporate the review comments. I've included
an abstract class for keyring, specific to openstack
"openstackkeyring". The class is used to store encrypted password in
keyring, without prompting for keyring password. The password is
encrypted using AES algorithm.  It is similar to
keyring.backend.CryptedFileKeyring, except it'll not prompt for
keyring password.

As David and Matt suggested, with the new patch, the keyring is used
only if OS_USE_KEYRING environment variable is set. If OS_USE_KEYRING
is not set, the default behavior to prompt for password is preserved.

The openstackkeyring library will be added in openstack.common, to use
it for other projects. Once the current patch goes in, we'll extend
same keyring to store tokens as well.

In case you got questions, please let me know.

On Mon, Jul 30, 2012 at 2:30 PM, Doug Hellmann
 wrote:
>
>
> On Mon, Jul 30, 2012 at 4:51 PM, Bhuvaneswaran A  wrote:
>>
>> On Mon, Jul 30, 2012 at 7:46 AM, David Kranz 
>> wrote:
>> > I share Doug's concerns but would state some more strongly. IMO, it is
>> > simply unacceptable to modify user-visible behavior based on whether
>> > some
>> > package that happens to be used in an implementation is installed or
>> > not.
>> > This package is installed on Ubuntu by default and may be used by other
>> > applications that have nothing to do with OpenStack at all.
>>
>> Yes, as python-keyring is installed in almost all systems, the
>> behaviour is unchanged.
>>
>> > If we really want to go down this road there should be an environment
>> > variable that can be set to turn off this behavior for applications that
>> > do
>> > not want it.
>>
>> David, good point. I'll revise the patch to not use keyring, if
>> environment variable USE_KEYRING=0. If environment variable is not set
>> or if it is USE_KEYRING=1, then keyring is used to store password.
>
>
> How about OS_USE_KEYRING so it is clearer that the variable is related to
> openstack?
>
>>
>>
>> Doug, agree?
>>
>> --
>> Regards,
>> Bhuvaneswaran A
>> www.livecipher.com
>>



-- 
Regards,
Bhuvaneswaran A
www.livecipher.com

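The resolution order the revised patch describes (command line, then environment, then the keyring only when OS_USE_KEYRING is set, then the prompt) as an added example written for this page, not the openstackclient code: a dict keyed by username stands in for the keyring backend and the prompt is injectable so the flow runs without a terminal. resolve_password, keyring_enabled, run_demo and the treatment of an empty or "0" OS_USE_KEYRING as off are the example's own assumptions.

```python
import getpass


def keyring_enabled(environ):
    """OS_USE_KEYRING opts in; unset, empty or "0" keeps the old prompt-only
    behaviour (the opt-in default the thread settled on)."""
    return environ.get("OS_USE_KEYRING", "0") not in ("", "0")


def resolve_password(username, cli_password, environ, store,
                     prompt=getpass.getpass):
    """Return (password, source) in this precedence: --os-password, then
    OS_PASSWORD, then the keyring entry for this username (only if opted in),
    then an interactive prompt.  A prompted password is written back to the
    keyring only when the keyring is on, so opting out never leaves a copy
    on disk.  `store` is a dict keyed by username standing in for keyring."""
    if cli_password:
        return cli_password, "cli"
    if environ.get("OS_PASSWORD"):
        return environ["OS_PASSWORD"], "env"
    use_keyring = keyring_enabled(environ)
    if use_keyring and store.get(username):
        return store[username], "keyring"
    password = prompt("OS Password for %s: " % username)
    if use_keyring:
        store[username] = password
    return password, "prompt"


def run_demo():
    """Constructed walk-through of every source; the prompt is faked."""
    answers = iter(["typed-once", "typed-again"])
    fake_prompt = lambda msg: next(answers)
    store = {}
    results = {}
    results["cli"] = resolve_password("demo", "from-cli", {}, store, fake_prompt)
    results["env"] = resolve_password("demo", None, {"OS_PASSWORD": "from-env"},
                                      store, fake_prompt)
    # Opted out: prompt every time and never persist.
    results["prompt_no_keyring"] = resolve_password("demo", None, {}, store,
                                                    fake_prompt)
    results["store_after_optout"] = dict(store)
    # Opted in: the first run prompts and saves, the second reads the keyring.
    on = {"OS_USE_KEYRING": "1"}
    results["prompt_then_save"] = resolve_password("demo", None, on, store,
                                                   fake_prompt)
    results["keyring_hit"] = resolve_password("demo", None, on, store,
                                              fake_prompt)
    results["other_user_misses"] = store.get("admin")
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, "->", value)
```

Each source has its own exposure: the command-line value is the one the thread notes is visible in ps, the environment value is readable from the process's own /proc entry by the same user, and the keyring value is the one whose safety depends entirely on the backend and the file's mode.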


Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Adam Young

On 07/30/2012 06:00 PM, Doug Hellmann wrote:
> On Mon, Jul 30, 2012 at 5:30 PM, Adam Young wrote:
>> On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
>>> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>>>> The wiki mentions the password being saved using
>>>>> keyring.backend.UncryptedFileKeyring. Does that mean the password is
>>>>> saved in cleartext? Is the file protected in some way besides
>>>>> filesystem permissions?
>>>>
>>>> As mentioned in wiki page, the password is stored in base64 format.
>>>
>>> Which means it's stored in cleartext.  That is Not Good(tm) :)
>>
>> Can Keyring be used to store a token instead?  That would A) be
>> better than password and B) avoid a Keystone hit.
>
> Don't tokens expire?

Yes, they do, but that is no reason not to put them in the keyring.

With the PKI tokens, you will be able to query a token's expiry without
going across the wire.

> Doug





Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Matt Joyce
I thought so until I read that security vulnerability report the other day
=P

On Mon, Jul 30, 2012 at 3:00 PM, Doug Hellmann wrote:

> On Mon, Jul 30, 2012 at 5:30 PM, Adam Young wrote:
>> On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
>>> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>>>> The wiki mentions the password being saved using
>>>>> keyring.backend.UncryptedFileKeyring. Does that mean the password is
>>>>> saved in cleartext? Is the file protected in some way besides
>>>>> filesystem permissions?
>>>>
>>>> As mentioned in wiki page, the password is stored in base64 format.
>>>
>>> Which means it's stored in cleartext.  That is Not Good(tm) :)
>>
>> Can Keyring be used to store a token instead?  That would A) be better
>> than password and B) avoid a Keystone hit.
>
> Don't tokens expire?
>
> Doug


Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Doug Hellmann
On Mon, Jul 30, 2012 at 5:30 PM, Adam Young wrote:

> On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
>> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>>> The wiki mentions the password being saved using
>>>> keyring.backend.UncryptedFileKeyring. Does that mean the password is
>>>> saved in cleartext? Is the file protected in some way besides
>>>> filesystem permissions?
>>>
>>> As mentioned in wiki page, the password is stored in base64 format.
>>
>> Which means it's stored in cleartext.  That is Not Good(tm) :)
>
> Can Keyring be used to store a token instead?  That would A) be better
> than password and B) avoid a Keystone hit.

Don't tokens expire?

Doug


Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Doug Hellmann
On Mon, Jul 30, 2012 at 4:51 PM, Bhuvaneswaran A  wrote:

> On Mon, Jul 30, 2012 at 7:46 AM, David Kranz 
> wrote:
> > I share Doug's concerns but would state some more strongly. IMO, it is
> > simply unacceptable to modify user-visible behavior based on whether some
> > package that happens to be used in an implementation is installed or not.
> > This package is installed on Ubuntu by default and may be used by other
> > applications that have nothing to do with OpenStack at all.
>
> Yes, as python-keyring is installed in almost all systems, the
> behaviour is unchanged.
>
> > If we really want to go down this road there should be an environment
> > variable that can be set to turn off this behavior for applications that
> do
> > not want it.
>
> David, good point. I'll revise the patch to not use keyring, if
> environment variable USE_KEYRING=0. If environment variable is not set
> or if it is USE_KEYRING=1, then keyring is used to store password.
>

How about OS_USE_KEYRING so it is clearer that the variable is related to
openstack?


>
> Doug, agree?
>
> --
> Regards,
> Bhuvaneswaran A
> www.livecipher.com
>


Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Adam Young

On 07/30/2012 05:17 PM, Kevin L. Mitchell wrote:
> On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
>>> The wiki mentions the password being saved using
>>> keyring.backend.UncryptedFileKeyring. Does that mean the password is
>>> saved in cleartext? Is the file protected in some way besides
>>> filesystem permissions?
>>
>> As mentioned in wiki page, the password is stored in base64 format.
>
> Which means it's stored in cleartext.  That is Not Good(tm) :)

Can Keyring be used to store a token instead?  That would A) be better
than password and B) avoid a Keystone hit.





Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Doug Hellmann
On Mon, Jul 30, 2012 at 4:50 PM, Bhuvaneswaran A  wrote:

> On Mon, Jul 30, 2012 at 6:31 AM, Doug Hellmann
>  wrote:
>
> > You've already answered several of my questions on the ticket, but I
> still
> > have some "usability" concerns.
> >
> > How does the keyring system support a single person logging in using
> > multiple user accounts? For example, if I have an admin account and a
> > "regular" user, how do I switch between them based on the operations I
> need
> > to perform?
>
> The password is stored in keyring, for a given user. It also supports
> multiple users. The password is stored against the user specified in
> the command line, --os-username, or the environment variable OS_USERNAME.
>
> The sample content of the keyring file ~/.openstack-keyring.cfg is as
> follows:
> [openstack]
> bhuvan = dG4wN2FjxA==
> test = xYwN2FjxA==
>

OK, that's good to know.


>
> > Is there a way to disable the behavior of having a password saved to a
> > keyring for a particular user, without uninstalling the python-keyring
> > package (and therefore disabling keyring support for all users)?
>
> The simplest alternative is to specify password using other mechanism,
> in command line or environment variable. It's not possible to prevent
> using keyring, if password is not specified in any of these 2
> mechanisms. The purpose of this patch is, to prevent password prompt.
>

We're going to need to include a way in the openstack cli to disable the
use of the keyring. There will be times when users won't want passwords
saved to a keyring, or where the password that is in the keyring is wrong
or shouldn't be used for some reason. It seems like an environment variable
and a command line switch would cover all of the ways to turn the keyring
off, don't you think?


>
> > The wiki mentions the password being saved using
> > keyring.backend.UncryptedFileKeyring. Does that mean the password is
> saved
> > in cleartext? Is the file protected in some way besides filesystem
> > permissions?
>
> As mentioned in wiki page, the password is stored in base64 format.
>

That doesn't seem any more secure than an environment variable set from a
user's login script. What benefit does keyring give us with this
configuration?


>
> > The mention of one backend implies that there are others. Should we give
> > users a way to choose the backend, in case they have a preference?
>
> python-keyring also supports several other backends:
>   1. CryptedFileKeyring
>   2. GnomeKeyring
>   3. KDEKWallet
>   4. OSXKeychain
>   5. Win32CryptoKeyring
>   6. ... and more.
>
> The behaviour of these backends vary for each desktop. For instance,
> GnomeKeyring may prompt for keyring password, once per login session.
> CryptedFileKeyring may prompt for keyring password, every time. It's
> as good as not using keyring.
>

On the other hand, different users will be running in different
configurations. Maybe they *do* have a desktop environment, and want to use
one of those "real" keyring managers, instead of the simple INI file
described above. Does the keyring library have some way to detect which
backends are available at runtime? Or does the application (or user) have
to specify one explicitly?


>
> > How does the use of the keyring affect scripting using the command line
> > tool? Can a script access the keyring, or does it need to use the other
> > options?
>
> Yes. The script could be managed with any python script, using the
> same methods exposed in "keyring" python module.
>   -- get_password() -- to get the password for given user.
>   -- set_password() -- to set the password in keyring.
>

I was not clear. I meant could a shell script running the new cli access
the keyring. It sounds like that is not an issue, based on what you say
below.


>
> > In one review comment you mention a few desktop apps that know how to
> > manipulate the keyring to manage its contents. What about remote access
> via
> > ssh, where a desktop environment is not available? Does the keyring
> library
> > include tools for manipulating the file, or do we need to build our own?
> If
> > so, what tools would be needed?
>
> This was applicable for older patch, wherein we rely on
> desktop/environment specific backend. With older patch, if GNOME
> desktop is used, GnomeKeyring backend is used; if no desktop is used,
> CryptedFileKeyring backend is used. With new patch, irrespective of
> whether desktop is enabled, UncryptedFileKeyring backend is used. With
> this patch, the keyring behaviour is uniform across all systems in
> which we deploy openstack.
>

That resolves my concern, but does not seem to give us any useful features.
We could achieve the same effect using just the environment variable. It
seems like we want to use the "best" keyring method available, if we're
going to use one at all.


>
> In summary, the primary goal of this patch is to reuse the password
> entered in the prompt once, and prevent the user from entering the
> password again. Ultimately, the password

Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Kevin L. Mitchell
On Mon, 2012-07-30 at 13:50 -0700, Bhuvaneswaran A wrote:
> > The wiki mentions the password being saved using
> > keyring.backend.UncryptedFileKeyring. Does that mean the password is
> saved
> > in cleartext? Is the file protected in some way besides filesystem
> > permissions?
> 
> As mentioned in wiki page, the password is stored in base64 format. 

Which means it's stored in cleartext.  That is Not Good(tm) :)
-- 
Kevin L. Mitchell 




Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Matt Joyce
I like making it optional with a default of off.  At least for now.


Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Bhuvaneswaran A
On Mon, Jul 30, 2012 at 7:46 AM, David Kranz  wrote:
> I share Doug's concerns but would state some more strongly. IMO, it is
> simply unacceptable to modify user-visible behavior based on whether some
> package that happens to be used in an implementation is installed or not.
> This package is installed on Ubuntu by default and may be used by other
> applications that have nothing to do with OpenStack at all.

Yes, as python-keyring is installed in almost all systems, the
behaviour is unchanged.

> If we really want to go down this road there should be an environment
> variable that can be set to turn off this behavior for applications that do
> not want it.

David, good point. I'll revise the patch to not use keyring, if
environment variable USE_KEYRING=0. If environment variable is not set
or if it is USE_KEYRING=1, then keyring is used to store password.

Doug, agree?

-- 
Regards,
Bhuvaneswaran A
www.livecipher.com



Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Bhuvaneswaran A
On Mon, Jul 30, 2012 at 6:31 AM, Doug Hellmann
 wrote:

> You've already answered several of my questions on the ticket, but I still
> have some "usability" concerns.
>
> How does the keyring system support a single person logging in using
> multiple user accounts? For example, if I have an admin account and a
> "regular" user, how do I switch between them based on the operations I need
> to perform?

The password is stored in keyring, for a given user. It also supports
multiple users. The password is stored against the user specified in
command line, --os-username or environment variable OS_USERNAME.

The sample content of the keyring file ~/.openstack-keyring.cfg is as follows:
[openstack]
bhuvan = dG4wN2FjxA==
test = xYwN2FjxA==

> Is there a way to disable the behavior of having a password saved to a
> keyring for a particular user, without uninstalling the python-keyring
> package (and therefore disabling keyring support for all users)?

The simplest alternative is to specify password using other mechanism,
in command line or environment variable. It's not possible to prevent
using keyring, if password is not specified in any of these 2
mechanisms. The purpose of this patch is, to prevent password prompt.

> The wiki mentions the password being saved using
> keyring.backend.UncryptedFileKeyring. Does that mean the password is saved
> in cleartext? Is the file protected in some way besides filesystem
> permissions?

As mentioned in wiki page, the password is stored in base64 format.

> The mention of one backend implies that there are others. Should we give
> users a way to choose the backend, in case they have a preference?

python-keyring also supports several other backends:
  1. CryptedFileKeyring
  2. GnomeKeyring
  3. KDEKWallet
  4. OSXKeychain
  5. Win32CryptoKeyring
  6. ... and more.

The behaviour of these backends vary for each desktop. For instance,
GnomeKeyring may prompt for keyring password, once per login session.
CryptedFileKeyring may prompt for keyring password, every time. It's
as good as not using keyring.

> How does the use of the keyring affect scripting using the command line
> tool? Can a script access the keyring, or does it need to use the other
> options?

Yes. The script could be managed with any python script, using the
same methods exposed in "keyring" python module.
  -- get_password() -- to get the password for given user.
  -- set_password() -- to set the password in keyring.

> In one review comment you mention a few desktop apps that know how to
> manipulate the keyring to manage its contents. What about remote access via
> ssh, where a desktop environment is not available? Does the keyring library
> include tools for manipulating the file, or do we need to build our own? If
> so, what tools would be needed?

This was applicable for older patch, wherein we rely on
desktop/environment specific backend. With older patch, if GNOME
desktop is used, GnomeKeyring backend is used; if no desktop is used,
CryptedFileKeyring backend is used. With new patch, irrespective of
whether desktop is enabled, UncryptedFileKeyring backend is used. With
this patch, the keyring behaviour is uniform across all systems in
which we deploy openstack.

In summary, the primary goal of this patch is to reuse the password
entered in the prompt once, and prevent the user from entering the
password again. Ultimately, the password is not exposed in environment
or command line (ps). It also facilitates the automated script wherein
the "openstack" client might be used. In such case, the password is
not read from prompt, but from keyring.
-- 
Regards,
Bhuvaneswaran A
www.livecipher.com

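The two messages above describe the whole mechanism: the client takes the password from the command line, then from OS_PASSWORD, then from the keyring, and only then prompts and saves the answer for next time; USE_KEYRING=0 is proposed as the opt-out; the UncryptedFileKeyring backend writes one base64 entry per user under an [openstack] section in ~/.openstack-keyring.cfg. The following is an added example, not code from the openstack client or from the patch under review, that models that flow with the standard library only. The service name, file layout and USE_KEYRING come from the thread; the class name, function names, the prompt stand-in and the sample usernames and passwords are this example's own assumptions. It also shows the two things a practitioner would want to check: that the file is created mode 0600, since filesystem permissions are its only protection, and that anyone who can read it recovers every password with a base64 decode.

```python
"""Added example (not the openstack client's code): the password lookup order
from the thread, the proposed USE_KEYRING=0 opt-out, and a minimal file
keyring that, like the UncryptedFileKeyring backend described there, stores
one base64-encoded entry per user under an [openstack] section.
Names other than the service, file layout and USE_KEYRING are assumptions."""
import base64
import configparser
import os
import stat
import tempfile

SERVICE = "openstack"  # section name in the thread's sample ~/.openstack-keyring.cfg


class UncryptedFileKeyring:
    """INI file with 'username = base64(password)' lines (example class, not python-keyring's)."""

    def __init__(self, path):
        self.path = path

    def _load(self):
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep usernames case-sensitive; the default lowercases keys
        cp.read(self.path)    # yields an empty config if the file does not exist yet
        return cp

    def get_password(self, service, username):
        cp = self._load()
        if not cp.has_option(service, username):
            return None
        return base64.b64decode(cp.get(service, username)).decode()

    def set_password(self, service, username, password):
        cp = self._load()
        if not cp.has_section(service):
            cp.add_section(service)
        cp.set(service, username, base64.b64encode(password.encode()).decode())
        # Filesystem permissions are the only protection this format has: create the
        # file 0600 and re-apply the mode in case it already existed with a looser one.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            cp.write(fh)
        os.chmod(self.path, stat.S_IRUSR | stat.S_IWUSR)


def keyring_enabled(env):
    """Proposed opt-out: USE_KEYRING unset or '1' uses the keyring, '0' disables it."""
    return env.get("USE_KEYRING", "1") != "0"


def resolve_password(username, cli_password, env, keyring, prompt):
    """Return (password, source) following the lookup order described in the thread."""
    if cli_password:
        return cli_password, "cli"            # --os-password
    if env.get("OS_PASSWORD"):
        return env["OS_PASSWORD"], "env"
    use_keyring = keyring_enabled(env)
    if use_keyring:
        stored = keyring.get_password(SERVICE, username)
        if stored is not None:
            return stored, "keyring"
    password = prompt()                       # interactive prompt in the real client
    if use_keyring:
        keyring.set_password(SERVICE, username, password)  # saved for the next run
    return password, "prompt"


def decode_keyring_file(path):
    """What anyone able to read the file sees: base64 is an encoding, not encryption."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read(path)
    if not cp.has_section(SERVICE):
        return {}
    return {user: base64.b64decode(val).decode() for user, val in cp.items(SERVICE)}


def demo(directory=None):
    """Run the flow for two constructed users and report what ends up on disk."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, ".openstack-keyring.cfg")
    kr = UncryptedFileKeyring(path)
    answers = []

    def prompt():                             # constructed stand-in for the password prompt
        answers.append("pw%d" % (len(answers) + 1))
        return answers[-1]

    first = resolve_password("bhuvan", None, {}, kr, prompt)                        # prompts, saves
    second = resolve_password("bhuvan", None, {}, kr, prompt)                       # served from file
    opted_out = resolve_password("bhuvan", None, {"USE_KEYRING": "0"}, kr, prompt)  # prompts, no save
    other = resolve_password("test", None, {}, kr, prompt)                          # separate entry
    return {
        "first": first, "second": second, "opted_out": opted_out, "other": other,
        "prompts": len(answers),
        "mode": stat.S_IMODE(os.stat(path).st_mode),
        "on_disk": decode_keyring_file(path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the second lookup for the same user being served from the file without a prompt, USE_KEYRING=0 forcing a prompt and leaving the file untouched, a second user getting a separate entry, and decode_keyring_file() returning every stored password in clear, which is the point of Doug's question about UncryptedFileKeyring.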


Re: [Openstack] Keyring support in openstack

2012-07-30 Thread David Kranz
I share Doug's concerns but would state some more strongly. IMO, it is 
simply unacceptable to modify user-visible behavior based on whether 
some package that happens to be used in an implementation is installed 
or not. This package is installed on Ubuntu by default and may be used 
by other applications that have nothing to do with OpenStack at all.


The proposed behavior is biased towards a very simple use case of a 
single user with a password manually invoking commands at the shell. It 
is really up to the administrator of a machine with the client installed 
what the security policy should be. As Doug suggested, this change is a 
very small piece of an overall security architecture which is not well 
spelled out here.


If we really want to go down this road there should be an environment 
variable that can be set to turn off this behavior for applications that 
do not want it.


 -David

On 7/30/2012 9:31 AM, Doug Hellmann wrote:
> On Sun, Jul 29, 2012 at 1:37 AM, Bhuvaneswaran A wrote:
>
>> Team,
>>
>> As per patch https://review.openstack.org/#/c/9497/ we are adding
>> keyring support for "openstack" client.  If password is not specified
>> in command line or environment variable, the user is prompted to enter
>> password. During this time, the password is stored in keyring. During
>> next time, the password is read from keyring, instead of prompt. It is
>> true, if password is not specified in command line or environment
>> variable.
>>
>> This behavior is documented in this wiki page:
>> http://wiki.openstack.org/KeyringSupport
>>
>> If you have any comments, please let us know.
>
> You've already answered several of my questions on the ticket, but I
> still have some "usability" concerns.
>
> How does the keyring system support a single person logging in using
> multiple user accounts? For example, if I have an admin account and a
> "regular" user, how do I switch between them based on the operations I
> need to perform?
>
> Is there a way to disable the behavior of having a password saved to a
> keyring for a particular user, without uninstalling the python-keyring
> package (and therefore disabling keyring support for all users)?
>
> The wiki mentions the password being saved
> using keyring.backend.UncryptedFileKeyring. Does that mean the
> password is saved in cleartext? Is the file protected in some way
> besides filesystem permissions?
>
> The mention of one backend implies that there are others. Should we
> give users a way to choose the backend, in case they have a preference?
>
> How does the use of the keyring affect scripting using the command
> line tool? Can a script access the keyring, or does it need to use the
> other options?
>
> In one review comment you mention a few desktop apps that know how to
> manipulate the keyring to manage its contents. What about remote
> access via ssh, where a desktop environment is not available? Does the
> keyring library include tools for manipulating the file, or do we need
> to build our own? If so, what tools would be needed?
>
> Doug





Re: [Openstack] Keyring support in openstack

2012-07-30 Thread Doug Hellmann
On Sun, Jul 29, 2012 at 1:37 AM, Bhuvaneswaran A  wrote:

> Team,
>
> As per patch https://review.openstack.org/#/c/9497/ we are adding
> keyring support for "openstack" client.  If password is not specified
> in command line or environment variable, the user is prompted to enter
> password. During this time, the password is stored in keyring. During
> next time, the password is read from keyring, instead of prompt. It is
> true, if password is not specified in command line or environment
> variable.
>
> This behavior is documented in this wiki page:
>   http://wiki.openstack.org/KeyringSupport
>
> If you have any comments, please let us know.
>

You've already answered several of my questions on the ticket, but I still
have some "usability" concerns.

How does the keyring system support a single person logging in using
multiple user accounts? For example, if I have an admin account and a
"regular" user, how do I switch between them based on the operations I need
to perform?

Is there a way to disable the behavior of having a password saved to a
keyring for a particular user, without uninstalling the python-keyring
package (and therefore disabling keyring support for all users)?

The wiki mentions the password being saved
using keyring.backend.UncryptedFileKeyring. Does that mean the password is
saved in cleartext? Is the file protected in some way besides filesystem
permissions?

The mention of one backend implies that there are others. Should we give
users a way to choose the backend, in case they have a preference?

How does the use of the keyring affect scripting using the command line
tool? Can a script access the keyring, or does it need to use the other
options?

In one review comment you mention a few desktop apps that know how to
manipulate the keyring to manage its contents. What about remote access via
ssh, where a desktop environment is not available? Does the keyring library
include tools for manipulating the file, or do we need to build our own? If
so, what tools would be needed?

Doug


[Openstack] Keyring support in openstack

2012-07-28 Thread Bhuvaneswaran A
Team,

As per patch https://review.openstack.org/#/c/9497/ we are adding
keyring support for "openstack" client.  If password is not specified
in command line or environment variable, the user is prompted to enter
password. During this time, the password is stored in keyring. During
next time, the password is read from keyring, instead of prompt. It is
true, if password is not specified in command line or environment
variable.

This behavior is documented in this wiki page:
  http://wiki.openstack.org/KeyringSupport

If you have any comments, please let us know.

Thank you,
-- 
Regards,
Bhuvaneswaran A
www.livecipher.com
