openstack team mailing list archive

Re: Keyring support in openstack

 

On Sat, 28 Jul 2012, Bhuvaneswaran A wrote:

> Team,
>
> As per patch https://review.openstack.org/#/c/9497/ we are adding
> keyring support for "openstack" client.  If password is not specified
> in command line or environment variable, the user is prompted to enter
> password. During this time, the password is stored in keyring. During
> next time, the password is read from keyring, instead of prompt. It is
> true, if password is not specified in command line or environment
> variable.
>
> This behavior is documented in this wiki page:
>   http://wiki.openstack.org/KeyringSupport

I haven't tried this specifically for the openstack client, but when this
went into nova, it annoyed me, as I started having to give a password on
remote systems every time.  For the devstack instances I was working on, I
honestly couldn't care less about security, and wanted to not be bothered.

For others looking for something similar, here is the 'keyringrc.cfg' file
that you need.  Put it either in ~/ or in the current working directory
(strange).

--- keyringrc.cfg ---
# This is an example keyringrc.cfg file that allows python-keyring
# to use the UncryptedFileKeyring.
# See /usr/share/doc/python-keyring/README.gz for more info.
# Note, this works, but I see the following significant issues with it:
# * python-keyring goes looking for 'keyringrc.cfg' in the current working
#   directory and user's home directory.  Note, specifically it does *not*
#   look for ~/.keyringrc.cfg (which would be more common)
# * no environment variable can affect the path read for ~/keyringrc.cfg
#   this means you're stuck with one of the following options if you
#   wanted to somehow maintain that one app (that you do not care about)
#   use UncryptedFileKeyring while all other apps use a different:
#    * keep 'HOME' environment variable set when that app is used to
#      something other than your home. and maintain $HOME/keyringrc.cfg
#    * keep the current working directory when that app is used to a given
#      working directory.
#   I think it'd be much nicer if I could affect this with
#   'PYTHON_KEYRING_CFG'
#   or if the config file had some apt specific stuff.
# * UncryptedFileKeyring writes its data to a file named keyring_pass.cfg
#   in the home directory, and does not pay attention to 'keyring-path'
# * UncryptedFileKeyring laughably creates keyring_pass.cfg its password
#   file with default umask meaning in most cases it is world readable
#   I've opened bug http://pad.lv/1023433 to track these.
[backend]
default-keyring=keyring.backend.UncryptedFileKeyring
# keyring-path is ignored
keyring-path=/home/ubuntu/xxx
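
Added example, not part of the original message and not python-keyring's own code: it shows why a password file created with a plain open() under the default umask ends up readable by other users, next to a creation call that fixes the mode at 0600, plus a check for group/other permission bits. The function names, the 022 umask and the file contents are assumptions constructed for the illustration; only the file name keyring_pass.cfg comes from the message.

```python
import os
import stat
import tempfile

PASS_FILE = "keyring_pass.cfg"  # file name taken from the message above


def write_default(path, data):
    """Plain open(): the resulting mode is 0666 masked by the process umask."""
    with open(path, "w") as fh:
        fh.write(data)


def write_private(path, data):
    """Create the file as 0600 from the start, whatever the umask is.

    O_EXCL also refuses to reuse a file (or symlink) that already exists.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def exposed_bits(path):
    """Return the group/other permission bits set on path (0 means private)."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def demo():
    """Write the same constructed content both ways under an assumed 022 umask."""
    sample = "[svc]\nuser = constructed-sample\n"  # constructed, not real data
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as home:
            weak = os.path.join(home, PASS_FILE)
            safe = os.path.join(home, "private_" + PASS_FILE)
            write_default(weak, sample)
            write_private(safe, sample)
            return exposed_bits(weak), exposed_bits(safe)
    finally:
        os.umask(old)


if __name__ == "__main__":
    weak, safe = demo()
    print("default open(): exposed bits %s" % oct(weak))
    print("os.open(0o600): exposed bits %s" % oct(safe))
```

To audit an existing file, call exposed_bits() on the keyring_pass.cfg in the home directory; any non-zero result means other local accounts can reach it.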

