
openstack team mailing list archive

Re: Keyring support in openstack

 

Doug and Team,
I tweaked the patch to incorporate the review comments. I've included
an abstract class for keyring, specific to openstack,
"openstackkeyring". The class is used to store the encrypted password in
the keyring, without prompting for the keyring password. The password is
encrypted using the AES algorithm. It is similar to
keyring.backend.CryptedFileKeyring, except it'll not prompt for the
keyring password.

As David and Matt suggested, with the new patch, the keyring is used
only if the OS_USE_KEYRING environment variable is set. If OS_USE_KEYRING
is not set, the default behavior to prompt for the password is preserved.

The openstackkeyring library will be added in openstack.common, to use
it for other projects. Once the current patch goes in, we'll extend
the same keyring to store tokens as well.

In case you have questions, please let me know.

On Mon, Jul 30, 2012 at 2:30 PM, Doug Hellmann
<doug.hellmann@xxxxxxxxxxxxx> wrote:
>
>
> On Mon, Jul 30, 2012 at 4:51 PM, Bhuvaneswaran A <bhuvan@xxxxxxxxxx> wrote:
>>
>> On Mon, Jul 30, 2012 at 7:46 AM, David Kranz <david.kranz@xxxxxxxxxx>
>> wrote:
>> > I share Doug's concerns but would state some more strongly. IMO, it is
>> > simply unacceptable to modify user-visible behavior based on whether
>> > some package that happens to be used in an implementation is installed
>> > or not. This package is installed on Ubuntu by default and may be used
>> > by other applications that have nothing to do with OpenStack at all.
>>
>> Yes, as python-keyring is installed in almost all systems, the
>> behaviour is unchanged.
>>
>> > If we really want to go down this road there should be an environment
>> > variable that can be set to turn off this behavior for applications
>> > that do not want it.
>>
>> David, good point. I'll revise the patch to not use keyring, if
>> environment variable USE_KEYRING=0. If environment variable is not set
>> or if it is USE_KEYRING=1, then keyring is used to store password.
>
>
> How about OS_USE_KEYRING so it is clearer that the variable is related to
> openstack?
>
>>
>>
>> Doug, agree?
>>
>> --
>> Regards,
>> Bhuvaneswaran A
>> www.livecipher.com
>
>



-- 
Regards,
Bhuvaneswaran A
www.livecipher.com
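
The opt-in behavior described in this message, as an added example that is not the patch under review or OpenStack code: the keyring is consulted only when OS_USE_KEYRING is set, and otherwise the password prompt is the only path, whether or not a keyring package is installed. The `MemoryKeyring` class, the `SERVICE` name, the function names and the rule that an empty value or "0" counts as not set are assumptions; the AES encryption of stored passwords is left out.

```python
import os

SERVICE = "openstack"  # assumed service name, not from the original post


class MemoryKeyring:
    """Constructed stand-in for a keyring backend (get/set only)."""

    def __init__(self):
        self._store = {}

    def get_password(self, service, username):
        return self._store.get((service, username))

    def set_password(self, service, username, password):
        self._store[(service, username)] = password


def keyring_enabled(environ):
    """Opt-in gate: keyring is used only when OS_USE_KEYRING is set.

    Assumption: an empty value or "0" is treated as not set.
    """
    return environ.get("OS_USE_KEYRING", "") not in ("", "0")


def get_password(username, environ, prompt, backend=None):
    """Return (password, source); source is 'keyring' or 'prompt'."""
    use_keyring = keyring_enabled(environ) and backend is not None
    if use_keyring:
        cached = backend.get_password(SERVICE, username)
        if cached is not None:
            return cached, "keyring"
    # Default behavior: ask the user. Nothing is stored unless opted in.
    password = prompt("Password for %s: " % username)
    if use_keyring:
        backend.set_password(SERVICE, username, password)
    return password, "prompt"


if __name__ == "__main__":
    import getpass
    try:
        import keyring as backend  # real python-keyring, if installed
    except ImportError:
        backend = None  # an absent package falls back to prompting
    user = os.environ.get("USER", "demo")
    print(get_password(user, os.environ, getpass.getpass, backend)[1])
```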

