
[openstack-dev] [keystone][middleware]: Use encrypted password in the service conf file

0 votes

Hi,

We have our API server (based on pyramid) integrated with keystone for
AuthN/AuthZ.
So our service has a *.conf file which has [keystone_authtoken] section
that defines all the stuff needed for registering to keystone.

WSGI pipeline will first get filtered with keystone auth token and then get
into our application functionality.

Now as part of hardening, we want to save an encrypted password (admin
password) in the conf file.
Where should I put the decryption logic so it gets passed to the middleware
in the needed format?

Appreciate your help!

Thanks,
Kanthi


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Oct 11, 2017 in openstack-dev by pn_kk (640 points)   1 1 1

2 Responses

0 votes

This sounds like something that was discussed during the PTG. The oslo
team was exploring ways to implement this, which would be consumable to
keystonemiddleware as a library [0].

[0] https://etherpad.openstack.org/p/oslo-ptg-queens

On 10/11/2017 07:43 AM, pnkk wrote:
Hi,

We have our API server (based on pyramid) integrated with keystone for
AuthN/AuthZ.
So our service has a *.conf file which has [keystone_authtoken]
section that defines all the stuff needed for registering to keystone.

WSGI pipeline will first get filtered with keystone auth token and
then get into our application functionality.

Now as part of hardening, we want to save an encrypted password (admin
password) in the conf file.
Where should I put the decryption logic so it gets passed to the
middleware in the needed format?

Appreciate your help!

Thanks,
Kanthi



responded Oct 11, 2017 by Lance_Bragstad (11,080 points)   2 3 6
0 votes

Thanks, will look forward to https://review.openstack.org/#/c/454897/

Regards,
Kanthi Pavuluri

On Wed, Oct 11, 2017 at 7:46 PM, Lance Bragstad lbragstad@gmail.com wrote:

This sounds like something that was discussed during the PTG. The oslo
team was exploring ways to implement this, which would be consumable to
keystonemiddleware as a library [0].

[0] https://etherpad.openstack.org/p/oslo-ptg-queens

On 10/11/2017 07:43 AM, pnkk wrote:

Hi,

We have our API server (based on pyramid) integrated with keystone for
AuthN/AuthZ.
So our service has a *.conf file which has [keystone_authtoken] section
that defines all the stuff needed for registering to keystone.

WSGI pipeline will first get filtered with keystone auth token and then
get into our application functionality.

Now as part of hardening, we want to save an encrypted password (admin
password) in the conf file.
Where should I put the decryption logic so it gets passed to the
middleware in the needed format?

Appreciate your help!

Thanks,
Kanthi


responded Oct 12, 2017 by pn_kk (640 points)   1 1 1
...