openstack team mailing list archive
Message #13651
Re: UnifiedCLI suggestion
On Mon, Jun 25, 2012 at 6:19 PM, Ken Thomas <krt@xxxxxxxxxxxxx> wrote:
> Greetings all,
>
> Our security folks have an issue with putting passwords on the command
> line or in the environment. I wrote up a blueprint that gives the details
> on their objections as well as a proposed short-term fix for keystone (
> https://blueprints.launchpad.net/keystone/+spec/prompt-for-password).
> We'd like to see this same change get into UnifiedCLI as a longer term fix.
>
> The change is minor. If no password was found on the command line or in
> the env, just before the "expecting password" error is raised, we make an
> attempt to prompt the user for it. If we get something, great! Our
> security folks are happy and we keep processing. If we don't get the
> password for any number of reasons (keystone wasn't being run from a tty,
> the user hit Ctrl-C or Ctrl-D when prompted), then we raise the error just
> as before.
>
> I've already submitted the keystone changes for review (
> https://review.openstack.org/#/c/8958/3/keystoneclient/shell.py)
> and I'd be happy to make the same change to UnifiedCLI as well.
>
Thanks, Ken! That sounds like a good change to make. If you add me as a
reviewer on the patch, I'll make sure to look at the changes.
Doug
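
The prompt fallback described in the quoted message, as an added Python example that is not the keystoneclient patch and not part of either message. The names resolve_password and MissingPasswordError are hypothetical, and OS_PASSWORD is assumed to be the environment variable the CLI reads.

```python
import getpass
import os
import sys


class MissingPasswordError(Exception):
    """Hypothetical stand-in for the CLI's existing "expecting password" error."""


def resolve_password(cli_password=None, environ=None, stdin=None,
                     prompt=getpass.getpass):
    """Return the password from the command line, the environment, or a prompt.

    The prompt is the last resort, tried just before the error is raised.
    """
    environ = os.environ if environ is None else environ
    stdin = sys.stdin if stdin is None else stdin

    # Existing behaviour: command line first, then the environment.
    password = cli_password or environ.get("OS_PASSWORD")  # assumed variable name
    if password:
        return password

    # Only prompt when a human can answer: stdin must be a terminal.
    # Under cron, a pipe, or a redirected stdin this is skipped entirely.
    if hasattr(stdin, "isatty") and stdin.isatty():
        try:
            # getpass reads without echo, so the secret does not appear in
            # argv (visible in process listings), the environment, or
            # shell history.
            password = prompt("Password: ")
        except (EOFError, KeyboardInterrupt):
            # Ctrl-D or Ctrl-C at the prompt: fall through to the error.
            password = None

    if not password:
        # Same failure as before the change: no password from any source.
        raise MissingPasswordError("Expecting a password, none was provided")
    return password
```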