Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-24 Thread Petr Blaho
On Fri, Feb 21, 2014 at 10:24:24AM +0100, Tomas Sedovic wrote: On 20/02/14 16:24, Imre Farkas wrote: On 02/20/2014 03:57 PM, Tomas Sedovic wrote: On 20/02/14 15:41, Radomir Dopieralski wrote: On 20/02/14 15:00, Tomas Sedovic wrote: Are we even sure we need to store the passwords in the

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-24 Thread Ladislav Smola
On 02/23/2014 01:16 AM, Clint Byrum wrote: Excerpts from Imre Farkas's message of 2014-02-20 15:24:17 +: On 02/20/2014 03:57 PM, Tomas Sedovic wrote: On 20/02/14 15:41, Radomir Dopieralski wrote: On 20/02/14 15:00, Tomas Sedovic wrote: Are we even sure we need to store the passwords in

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-24 Thread Dougal Matthews
On 21/02/14 10:03, Radomir Dopieralski wrote: On 21/02/14 10:38, Dougal Matthews wrote: At the moment we are guessing, we don't even know how many passwords we need to store. So we should progress with the safest and simplest option (which is to not store them) and consider changing this later.

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-24 Thread Imre Farkas
On 02/24/2014 09:39 AM, Ladislav Smola wrote: On 02/23/2014 01:16 AM, Clint Byrum wrote: Excerpts from Imre Farkas's message of 2014-02-20 15:24:17 +: On 02/20/2014 03:57 PM, Tomas Sedovic wrote: On 20/02/14 15:41, Radomir Dopieralski wrote: On 20/02/14 15:00, Tomas Sedovic wrote: Are

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-22 Thread Clint Byrum
Excerpts from Imre Farkas's message of 2014-02-20 15:24:17 +: On 02/20/2014 03:57 PM, Tomas Sedovic wrote: On 20/02/14 15:41, Radomir Dopieralski wrote: On 20/02/14 15:00, Tomas Sedovic wrote: Are we even sure we need to store the passwords in the first place? All this encryption

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-21 Thread Tomas Sedovic
On 20/02/14 16:24, Imre Farkas wrote: On 02/20/2014 03:57 PM, Tomas Sedovic wrote: On 20/02/14 15:41, Radomir Dopieralski wrote: On 20/02/14 15:00, Tomas Sedovic wrote: Are we even sure we need to store the passwords in the first place? All this encryption talk seems very premature to me.

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-21 Thread Dougal Matthews
On 21/02/14 09:24, Tomas Sedovic wrote: On 20/02/14 16:24, Imre Farkas wrote: On 02/20/2014 03:57 PM, Tomas Sedovic wrote: On 20/02/14 15:41, Radomir Dopieralski wrote: On 20/02/14 15:00, Tomas Sedovic wrote: Are we even sure we need to store the passwords in the first place? All this

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-21 Thread Radomir Dopieralski
On 21/02/14 10:38, Dougal Matthews wrote: On 21/02/14 09:24, Tomas Sedovic wrote: On 20/02/14 16:24, Imre Farkas wrote: On 02/20/2014 03:57 PM, Tomas Sedovic wrote: On 20/02/14 15:41, Radomir Dopieralski wrote: On 20/02/14 15:00, Tomas Sedovic wrote: Are we even sure we need to store the

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Radomir Dopieralski
On 19/02/14 18:29, Dougal Matthews wrote: The question for me, is what passwords will we have and when do we need them? Are any of the passwords required long term. We will need whatever the Heat template needs to generate all the configuration files. That includes passwords for all services

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Imre Farkas
On 02/19/2014 06:10 PM, Ladislav Smola wrote: Hello, I would like to have your opinion about how to deal with passwords in Tuskar-API The background is, that tuskarAPI is storing heat template parameters in its database, it's a preparation for more complex workflows, when we will need to store

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Imre Farkas
On 02/20/2014 10:12 AM, Radomir Dopieralski wrote: On 19/02/14 18:29, Dougal Matthews wrote: The question for me, is what passwords will we have and when do we need them? Are any of the passwords required long term. We will need whatever the Heat template needs to generate all the

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Dougal Matthews
On 20/02/14 09:12, Radomir Dopieralski wrote: If we do need to store passwords it becomes a somewhat thorny issue, how does Tuskar know what a password is? If this is flagged up by the UI/client then we are relying on the user to tell us which isn't wise. All the template parameters that are

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Radomir Dopieralski
On 20/02/14 11:21, Dougal Matthews wrote: If we do store passwords however, I wonder if we are best to encrypt everything to be safe. The overhead shouldn't be that big and it may be better than special casing the NoEcho values. I think that before we start encrypting everything, we need to

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Dougal Matthews
On 20/02/14 10:36, Radomir Dopieralski wrote: On 20/02/14 11:21, Dougal Matthews wrote: If we do store passwords however, I wonder if we are best to encrypt everything to be safe. The overhead shouldn't be that big and it may be better than special casing the NoEcho values. I think that

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Radomir Dopieralski
On 20/02/14 11:46, Dougal Matthews wrote: On 20/02/14 10:36, Radomir Dopieralski wrote: On 20/02/14 11:21, Dougal Matthews wrote: If we do store passwords however, I wonder if we are best to encrypt everything to be safe. The overhead shouldn't be that big and it may be better than special

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Radomir Dopieralski
On 20/02/14 12:02, Radomir Dopieralski wrote: On 20/02/14 11:46, Dougal Matthews wrote: On 20/02/14 10:36, Radomir Dopieralski wrote: On 20/02/14 11:21, Dougal Matthews wrote: If we do store passwords however, I wonder if we are best to encrypt everything to be safe. The overhead shouldn't be

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Jiří Stránský
On 20.2.2014 12:18, Radomir Dopieralski wrote: On 20/02/14 12:02, Radomir Dopieralski wrote: Anybody who gets access to Tuskar-API gets the passwords, whether we encrypt them or not. Anybody who doesn't have access to Tuskar-API doesn't get the passwords, whether we encrypt them or not. Yeah,

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Tomas Sedovic
On 20/02/14 10:12, Radomir Dopieralski wrote: On 19/02/14 18:29, Dougal Matthews wrote: The question for me, is what passwords will we have and when do we need them? Are any of the passwords required long term. We will need whatever the Heat template needs to generate all the configuration

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Tomas Sedovic
On 20/02/14 14:10, Jiří Stránský wrote: On 20.2.2014 12:18, Radomir Dopieralski wrote: On 20/02/14 12:02, Radomir Dopieralski wrote: Anybody who gets access to Tuskar-API gets the passwords, whether we encrypt them or not. Anybody who doesn't have access to Tuskar-API doesn't get the

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Radomir Dopieralski
On 20/02/14 14:10, Jiří Stránský wrote: On 20.2.2014 12:18, Radomir Dopieralski wrote: Thinking about it some more, all the uses of the passwords come as a result of an action initiated by the user either by tuskar-ui, or by the tuskar command-line client. So maybe we could put the key in

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Jay Dobies
Just to throw this out there, is this something we need for Icehouse? Yes, I fully acknowledge that it's an ugly security hole. But what's our story for how stable/clean Tuskar will be for Icehouse? I don't believe the intention is for people to use this in a production environment yet, so it

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Tomas Sedovic
On 20/02/14 14:47, Radomir Dopieralski wrote: On 20/02/14 14:10, Jiří Stránský wrote: On 20.2.2014 12:18, Radomir Dopieralski wrote: Thinking about it some more, all the uses of the passwords come as a result of an action initiated by the user either by tuskar-ui, or by the tuskar

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Radomir Dopieralski
On 20/02/14 15:00, Tomas Sedovic wrote: Are we even sure we need to store the passwords in the first place? All this encryption talk seems very premature to me. How are you going to redeploy without them? -- Radomir Dopieralski ___ OpenStack-dev

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Tomas Sedovic
On 20/02/14 15:41, Radomir Dopieralski wrote: On 20/02/14 15:00, Tomas Sedovic wrote: Are we even sure we need to store the passwords in the first place? All this encryption talk seems very premature to me. How are you going to redeploy without them? What do you mean by redeploy? 1.

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Radomir Dopieralski
On 20/02/14 15:57, Tomas Sedovic wrote: On 20/02/14 15:41, Radomir Dopieralski wrote: On 20/02/14 15:00, Tomas Sedovic wrote: Are we even sure we need to store the passwords in the first place? All this encryption talk seems very premature to me. How are you going to redeploy without them?

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-20 Thread Tomas Sedovic
On 20/02/14 16:02, Radomir Dopieralski wrote: On 20/02/14 15:57, Tomas Sedovic wrote: On 20/02/14 15:41, Radomir Dopieralski wrote: On 20/02/14 15:00, Tomas Sedovic wrote: Are we even sure we need to store the passwords in the first place? All this encryption talk seems very premature to me.

[openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-19 Thread Ladislav Smola
Hello, I would like to have your opinion about how to deal with passwords in Tuskar-API The background is, that tuskarAPI is storing heat template parameters in its database, it's a preparation for more complex workflows, when we will need to store the data before the actual heat

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-19 Thread Dougal Matthews
On 19/02/14 17:10, Ladislav Smola wrote: Hello, I would like to have your opinion about how to deal with passwords in Tuskar-API The background is, that tuskarAPI is storing heat template parameters in its database, it's a preparation for more complex workflows, when we will need to store the

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-19 Thread Jason Rist
On Wed 19 Feb 2014 10:29:32 AM MST, Dougal Matthews wrote: On 19/02/14 17:10, Ladislav Smola wrote: Hello, I would like to have your opinion about how to deal with passwords in Tuskar-API The background is, that tuskarAPI is storing heat template parameters in its database, it's a

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-19 Thread Dougal Matthews
On 19/02/14 18:29, Jason Rist wrote: Would it be possible to create some token for use throughout? Forgive my naivete. I don't think so, the token would need to be understood by all the services that we store passwords for. I may be misunderstanding however. Dougal

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-19 Thread Hugh O. Brock
On Wed, Feb 19, 2014 at 06:31:47PM +, Dougal Matthews wrote: On 19/02/14 18:29, Jason Rist wrote: Would it be possible to create some token for use throughout? Forgive my naivete. I don't think so, the token would need to be understood by all the services that we store passwords for. I

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-19 Thread Dougal Matthews
On 19/02/14 18:49, Hugh O. Brock wrote: On Wed, Feb 19, 2014 at 06:31:47PM +, Dougal Matthews wrote: On 19/02/14 18:29, Jason Rist wrote: Would it be possible to create some token for use throughout? Forgive my naivete. I don't think so, the token would need to be understood by all the

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-19 Thread Ladislav Smola
On 02/19/2014 08:05 PM, Dougal Matthews wrote: On 19/02/14 18:49, Hugh O. Brock wrote: On Wed, Feb 19, 2014 at 06:31:47PM +, Dougal Matthews wrote: On 19/02/14 18:29, Jason Rist wrote: Would it be possible to create some token for use throughout? Forgive my naivete. I don't think so,

Re: [openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

2014-02-19 Thread Ladislav Smola
On 02/19/2014 06:29 PM, Dougal Matthews wrote: On 19/02/14 17:10, Ladislav Smola wrote: Hello, I would like to have your opinion about how to deal with passwords in Tuskar-API The background is, that tuskarAPI is storing heat template parameters in its database, it's a preparation for more