openstack team mailing list archive
Message #16084
Re: Keyring support in openstack
On Sat, 28 Jul 2012, Bhuvaneswaran A wrote:
> Team,
>
> As per patch https://review.openstack.org/#/c/9497/ we are adding
> keyring support for "openstack" client. If password is not specified
> in command line or environment variable, the user is prompted to enter
> password. During this time, the password is stored in keyring. During
> next time, the password is read from keyring, instead of prompt. It is
> true, if password is not specified in command line or environment
> variable.
>
> This behavior is documented in this wiki page:
> http://wiki.openstack.org/KeyringSupport
I haven't tried this specifically for the openstack client, but when this
went into nova, it annoyed me, as I started having to give a password on
remote systems every time. For the devstack instances I was working on, I
honestly couldn't care less about security, and wanted to not be bothered.
For others looking for something similar, here is the 'keyringrc.cfg' file
that you need. Put it either in ~/ or in the current working directory
(strange).
--- keyringrc.cfg ---
# This is an example keyringrc.cfg file that allows python-keyring
# to use the UncryptedFileKeyring.
# See /usr/share/doc/python-keyring/README.gz for more info.
# Note, this works, but I see the following significant issues with it:
#  * python-keyring goes looking for 'keyringrc.cfg' in the current working
#    directory and user's home directory. Note, specifically it does *not*
#    look for ~/.keyringrc.cfg (which would be more common)
#  * no environment variable can affect the path read for ~/keyringrc.cfg
#    this means you're stuck with one of the following options if you
#    wanted to somehow maintain that one app (that you do not care about)
#    use UncryptedFileKeyring while all other apps use a different:
#    * keep 'HOME' environment variable set when that app is used to
#      something other than your home. and maintain $HOME/keyringrc.cfg
#    * keep the current working directory when that app is used to a given
#      working directory.
#    I think it'd be much nicer if I could affect this with
#    'PYTHON_KEYRING_CFG'
#    or if the config file had some apt specific stuff.
#  * UncryptedFileKeyring writes its data to a file named keyring_pass.cfg
#    in the home directory, and does not pay attention to 'keyring-path'
#  * UncryptedFileKeyring laughably creates keyring_pass.cfg its password
#    file with default umask meaning in most cases it is world readable
# I've opened bug http://pad.lv/1023433 to track these.
[backend]
default-keyring=keyring.backend.UncryptedFileKeyring
keyring-path=/home/ubuntu/xxx # this is ignored
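
A check for the last issue listed in the config comments above (keyring_pass.cfg created with the default umask), as an added example that is not part of the original message or of python-keyring: it audits a plaintext credential file's mode and ownership, tightens it to 0600, and shows creating such a file owner-only from the start. The function names and the temp-directory sample data are assumptions made up for this illustration.

```python
import os
import stat
import tempfile

OWNER_ONLY = stat.S_IRUSR | stat.S_IWUSR  # 0600

def audit_secret_file(path, fix=False):
    """Return findings for a plaintext credential file; optionally tighten it."""
    st = os.lstat(path)  # lstat: inspect the path itself, not a symlink target
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file, refusing to touch it"]
    findings = []
    if st.st_uid != os.geteuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other can access it (mode %04o)" % mode)
        if fix and st.st_uid == os.geteuid():
            os.chmod(path, OWNER_ONLY)
    return findings

def create_secret_file(path, text):
    """Create the file owner-only from the first byte, whatever the umask is."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, OWNER_ONLY)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)

def demo():
    """Reproduce the default-umask case in a temp dir (constructed data)."""
    sample = "[devstack]\nadmin = constructed-password\n"
    old_umask = os.umask(0o022)  # a common default umask
    try:
        with tempfile.TemporaryDirectory() as home:
            leaky = os.path.join(home, "keyring_pass.cfg")
            with open(leaky, "w") as handle:  # plain open(): 0666 & ~umask
                handle.write(sample)
            before = audit_secret_file(leaky, fix=True)
            after = audit_secret_file(leaky)
            fixed_mode = stat.S_IMODE(os.stat(leaky).st_mode)
            safe = os.path.join(home, "created_safely.cfg")
            create_secret_file(safe, sample)
            return before, after, fixed_mode, audit_secret_file(safe)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print(demo())
```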