On 02/13/2014 05:28 AM, Nick Maslov wrote:
> Hi Gustavo,
>
> Can you pls describe, how exactly are you using salt with your config files?

i'm using salt to populate my config files, like i could use
puppet/chef/whatever

>
> I'm a bit frustrated with plaintext passwords in them as well.

i'm not, a 0600 will make it private and it makes it easier to troubleshoot

>
> Cheers,
> NM
>
>
> --
> Nick Maslov
>
> On February 11, 2014 at 8:30:15 PM, gustavo panizzo ([email protected]) wrote:
>
>> On 02/11/2014 03:14 PM, Fischer, Matt wrote:
>>> Sorry to follow-up my own question, but for anyone else who has
>>> backed Keystone with LDAP, did you store the service accounts (nova,
>>> glance, etc) in LDAP as well?
>> yes, i do
>>> If so, how did you handle password management (the plaintext
>>> passwords in the config files)?
>> same as sql based account, i put the password in clear text on the
>> config files
>> i use salt to manage my config files, if that's what you ask
>>
>>>
>>> From: <Fischer>, Matt <[email protected]>
>>> Date: Tuesday, February 11, 2014 9:45 AM
>>> To: Adam Young <[email protected]>,
>>> "[email protected]" <[email protected]>
>>> Subject: Re: [Openstack-operators] Keystone backed by LDAP: What's
>>> still stored locally?
>>>
>>>
>>> Thanks Adam, I think we're willing to live without domain support. So
>>> if Policy is the policy.json file (which seems obvious to me now)
>>> then we should be good with no replication.
>>>
>>> From: Adam Young <[email protected]>
>>> Date: Monday, February 10, 2014 6:53 PM
>>> To: "[email protected]" <[email protected]>
>>> Subject: Re: [Openstack-operators] Keystone backed by LDAP: What's
>>> still stored locally?
>>>
>>> On 02/10/2014 03:27 PM, Fischer, Matt wrote:
>>>>
>>>> If we use LDAP to provide Assignment and Identity for Keystone, what
>>>> things is keystone still managing locally? The reason I'm asking is
>>>> that we're setting up OpenStack in a couple data centers and would
>>>> like to centrally manage users/tenants/roles without replicating
>>>> keystone databases (if that's possible). It looks like Tokens,
>>>> Catalogs, and Policy are the remaining services. I don't think we'd
>>>> ever want to replicate Tokens, and the data in Catalogs might differ
>>>> across DCs anyway, but "Policy" is what I'm not sure about. Is
>>>> Policy the same as Assignment?
>>> No, policy is the flat file that has the rules for RBAC.
>>>
>>> Assignment is what you want to replicate: the assignment of roles to
>>> users and groups within projects or domains.
>>>
>>>>
>>>> Finally, has anyone else set this up and if so do you have any
>>>> caveats/must-dos? I think I have all the connection to LDAP stuff
>>>> figured out but have not tried with multiple keystone instances.
>>> LDAP can support assignment, but you lose multiple domain support.
>>> It might be your simplest replication strategy, though.
>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-operators mailing list
>>>> [email protected]
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>>
>> --
>> 1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333

--
1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
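
The 0600 point raised in the thread can be checked mechanically. The following is an added example, not part of the original messages: a Python audit that finds config files setting password-like keys and reports those accessible to group or other. The key pattern and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed pattern: INI-style "password = value" or "admin_password=value" lines.
SECRET_LINE = re.compile(
    r"^\s*([A-Za-z0-9_]*password[A-Za-z0-9_]*)\s*[=:]\s*(\S.*)$", re.I)

def secret_keys(path):
    """Return the names (never the values) of password-like keys set in a file."""
    keys = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            if line.lstrip().startswith(("#", ";")):
                continue  # commented-out settings are not live secrets
            m = SECRET_LINE.match(line)
            if m:
                keys.append(m.group(1))
    return keys

def audit(root):
    """Walk root; report files holding passwords that group/other can access."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            mode = stat.S_IMODE(st.st_mode)
            keys = secret_keys(path)
            if keys and mode & 0o077:  # any group/other permission bit set
                findings.append((path, oct(mode), keys))
    return findings

def demo():
    """Constructed sample: the same config written once as 0600, once as 0644."""
    root = tempfile.mkdtemp()
    sample = "[ldap]\nuser = cn=admin\npassword = constructed-example\n"
    for name, mode in (("private.conf", 0o600), ("exposed.conf", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, mode)
    return audit(root)

if __name__ == "__main__":
    for path, mode, keys in demo():
        print(f"{path}: mode {mode}, holds {', '.join(keys)}")
```

Run it with enough privilege to read the files being audited, since a correctly protected 0600 file is unreadable to other users.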
