Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-10-30 Thread James Penick
tober 09, 2017 9:39 AM > To: openstack-dev@lists.openstack.org > Subject: Re: [openstack-dev] [keystone][nova] Persistent application > credentials > > On 12/09/17 18:58, Colleen Murphy wrote: > > While it's fresh in our minds, I wanted to write up a short recap of > > wh

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-10-10 Thread Fox, Kevin M
nstack-dev] [keystone][nova] Persistent application credentials On 12/09/17 18:58, Colleen Murphy wrote: > While it's fresh in our minds, I wanted to write up a short recap of > where we landed in the Application Credentials discussion in the BM/VM > room today. For convenience the (as of

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-10-10 Thread Colleen Murphy
On Mon, Oct 9, 2017 at 6:39 PM, Zane Bitter wrote: > On 12/09/17 18:58, Colleen Murphy wrote: > >> While it's fresh in our minds, I wanted to write up a short recap of >> where we landed in the Application Credentials discussion in the BM/VM room >> today. For convenience the

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-10-09 Thread Zane Bitter
On 12/09/17 18:58, Colleen Murphy wrote: While it's fresh in our minds, I wanted to write up a short recap of where we landed in the Application Credentials discussion in the BM/VM room today. For convenience the (as of yet unrevised) spec is here: Thanks so much for staying on this Colleen,

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-21 Thread Brant Knudson
On Thu, Jul 20, 2017 at 8:02 PM, Zane Bitter wrote: > > * If Keystone supported either a public-key or a Kerberos-style > authentication mechanism to get a token Keystone (via support for accepting authentication from the web server hosting it) can be configured to accept

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-20 Thread Zane Bitter
On 19/07/17 23:19, Monty Taylor wrote: Instance users do not solve this. Instance users can be built with this - but instance users are themselves not sufficient. Instance users are only sufficient in single-cloud ecosystems where it is possible to grant permissions on all the resources in

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-20 Thread Zane Bitter
On 19/07/17 22:27, Monty Taylor wrote: I propose we set aside time at the PTG to dig in to this. Between Zane and me and the Keystone core team I have confidence we can find a way out. This may be a bad time to mention that regrettably I won't be attending the PTG, due to (happy!) family

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-20 Thread Lance Bragstad
On 07/19/2017 09:27 PM, Monty Taylor wrote: > On 07/19/2017 12:18 AM, Zane Bitter wrote: >> On 18/07/17 10:55, Lance Bragstad wrote: Would Keystone folks be happy to allow persistent credentials once we have a way to hand out only the minimum required privileges?

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-20 Thread Sean Dague
On 07/19/2017 10:00 PM, Adrian Turjak wrote: > The problem is then entirely procedural within a team. Do they rotate > all keys when one person leaves? Anything less is the same problem. All > we can do is make rotation less of a pain, but it will still be painful > no matter what, and depending

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-19 Thread Monty Taylor
On 07/19/2017 12:11 AM, Zane Bitter wrote: On 17/07/17 23:12, Lance Bragstad wrote: Would Keystone folks be happy to allow persistent credentials once we have a way to hand out only the minimum required privileges? If I'm understanding correctly, this would make application

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-19 Thread Monty Taylor
On 07/19/2017 12:18 AM, Zane Bitter wrote: On 18/07/17 10:55, Lance Bragstad wrote: Would Keystone folks be happy to allow persistent credentials once we have a way to hand out only the minimum required privileges? If I'm understanding correctly, this would make application

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-18 Thread Zane Bitter
On 18/07/17 10:55, Lance Bragstad wrote: Would Keystone folks be happy to allow persistent credentials once we have a way to hand out only the minimum required privileges? If I'm understanding correctly, this would make application credentials dependent on several cycles of policy

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-18 Thread Zane Bitter
On 17/07/17 23:12, Lance Bragstad wrote: Would Keystone folks be happy to allow persistent credentials once we have a way to hand out only the minimum required privileges? If I'm understanding correctly, this would make application credentials dependent on several cycles of policy

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-18 Thread Lance Bragstad
On 07/17/2017 10:12 PM, Lance Bragstad wrote: > > > On Mon, Jul 17, 2017 at 6:39 PM, Zane Bitter > wrote: > > So the application credentials spec has merged - huge thanks to > Monty and the Keystone team for getting this done: > >

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-18 Thread Colleen Murphy
On Tue, Jul 18, 2017 at 1:39 AM, Zane Bitter wrote: > So the application credentials spec has merged - huge thanks to Monty and > the Keystone team for getting this done: > > https://review.openstack.org/#/c/450415/ > http://specs.openstack.org/openstack/keystone-specs/specs/

Re: [openstack-dev] [keystone][nova] Persistent application credentials

2017-07-17 Thread Lance Bragstad
On Mon, Jul 17, 2017 at 6:39 PM, Zane Bitter wrote: > So the application credentials spec has merged - huge thanks to Monty and > the Keystone team for getting this done: > > https://review.openstack.org/#/c/450415/ > http://specs.openstack.org/openstack/keystone-specs/specs/

[openstack-dev] [keystone][nova] Persistent application credentials

2017-07-17 Thread Zane Bitter
So the application credentials spec has merged - huge thanks to Monty and the Keystone team for getting this done: https://review.openstack.org/#/c/450415/ http://specs.openstack.org/openstack/keystone-specs/specs/keystone/pike/application-credentials.html However, it appears that there was a