Re: [openstack-dev] [keystone] Upcoming Deadlines

2017-12-12 Thread Lance Bragstad


On 12/11/2017 07:08 PM, Adam Heczko wrote:
> Thanks Lance for a comprehensive summary.
> However I'm a bit puzzled with the application credentials spec,
> specifically with the sentence 'This model, while convenient for keystone,
> increases the risk of account compromise by requiring the distribution
> of unencrypted passwords.'
> My personal preference for securing OS cloud credentials is to
> leverage X.509/PKI rather than username and password.
> An X.509 authN plugin has been available for some time [4] and I'd really
> appreciate it if the Keystone team could explain how app credentials will
> interact with the existing (e.g. x.509) authN plugin in a federated
> scenario. How is role assignment derived from federation mapping (and
> x.509 certificate) going to interact with application credentials?
> This is important for me since I received a lot of complaints about
> cleartext passwords and typically my recommendation is to mitigate it
> with said x.509 approach.
As far as the application credentials implementation goes, there will
still be an ID and a secret that need to be used when authenticating.
So if you have requirements around plaintext passwords in service
configuration files, you might still have that concern with application
credentials since the secret is essentially the password.

We have had a few sessions with oslo [0] about the storage of passwords
in configuration files that might be relevant to you though (if I'm
understanding correctly).

[0]
http://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html

>
> [4] https://review.openstack.org/#/c/283905/16
> [5] 
> https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html
>
> -- 
> Adam Heczko
> Security Engineer @ Mirantis Inc.



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
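Lance's point is that an application credential secret in a service configuration file is still a cleartext credential. As an added check (not code from this thread or from any OpenStack project), the script below audits an oslo.config-style INI file for options whose literal value is a credential, treating `application_credential_secret` the same as `password`; the sample configuration and its host names are constructed for the example.

```python
"""Audit oslo.config-style INI files for credentials stored in cleartext."""
import configparser
import re
from typing import List, Tuple

# Option names that carry a credential when set to a literal value.
# application_credential_secret is covered because, as the thread notes,
# the application credential secret is effectively the password.
SECRET_OPTION_RE = re.compile(r"(password|secret|_token|_key)$", re.IGNORECASE)

# Connection strings of the form scheme://user:password@host also embed a secret.
DSN_CRED_RE = re.compile(r"^[a-z+]+://[^:/@]+:[^@]+@", re.IGNORECASE)

# Constructed sample (not a real deployment): one section still using a
# password, one switched to an application credential, and a database DSN.
SAMPLE_CONFIG = """
[keystone_authtoken]
auth_type = password
auth_url = https://keystone.example.invalid:5000/v3
username = nova
password = hunter2

[service_user]
auth_type = v3applicationcredential
application_credential_id = 0123456789abcdef
application_credential_secret = s3cr3t-value

[database]
connection = mysql+pymysql://nova:nova-db-pass@db.example.invalid/nova
"""


def find_cleartext_credentials(text: str) -> List[Tuple[str, str]]:
    """Return (section, option) pairs whose literal value looks like a credential."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            value = value.strip()
            if not value:
                continue  # unset options are not a finding
            if SECRET_OPTION_RE.search(option) or DSN_CRED_RE.match(value):
                findings.append((section, option))
    return findings


if __name__ == "__main__":
    for section, option in find_cleartext_credentials(SAMPLE_CONFIG):
        print(f"cleartext credential: [{section}] {option}")
```

Run it over real service configuration files to see which options would still hold a secret after moving from passwords to application credentials.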


Re: [openstack-dev] [keystone] Upcoming Deadlines

2017-12-11 Thread Adam Heczko
Thanks Lance for a comprehensive summary.
However I'm a bit puzzled with the application credentials spec, specifically
with the sentence 'This model, while convenient for keystone,
increases the risk of account compromise by requiring the distribution of
unencrypted passwords.'
My personal preference for securing OS cloud credentials is to leverage
X.509/PKI rather than username and password.
An X.509 authN plugin has been available for some time [4] and I'd really
appreciate it if the Keystone team could explain how app credentials will interact
with the existing (e.g. x.509) authN plugin in a federated scenario. How is role
assignment derived from federation mapping (and x.509 certificate) going
to interact with application credentials?
This is important for me since I received a lot of complaints about cleartext
passwords and typically my recommendation is to mitigate it with said
x.509 approach.

[4] https://review.openstack.org/#/c/283905/16
[5]
https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html




-- 
Adam Heczko
Security Engineer @ Mirantis Inc.


Re: [openstack-dev] [keystone] Upcoming Deadlines

2017-12-11 Thread Lance Bragstad
Sending out a gentle reminder that feature proposal freeze will be next
week. It looks like all possible features are in flight based on the
current state of the specs repository. The only exception is the unified
limit specification, which was rebased and passing today [0].

Thanks!

[0] https://review.openstack.org/#/c/455709/





[openstack-dev] [keystone] Upcoming Deadlines

2017-11-20 Thread Lance Bragstad
Sending out a reminder that we have a couple of deadlines approaching.

First, *specification* *freeze* is *two weeks away*. Here is a short
list of things we've committed to but need the specification to merge:

- Unified Limits API [0]
- Application Credentials [1]
- System Scope [2]
- Scope Types [3]

These reviews should take priority.

Second, *feature* *proposal* *freeze* is *four weeks away*. Remember
that this deadline falls earlier than last release due to the holiday
season. So far, only application credentials and unified limits are
missing proposed implementations. Again, these are just proposals.
Feature freeze is January 26th.

If you have spare cycles and want to tag-team one of these efforts with
an existing owner, please don't hesitate to reach out. Let me know if
there is anything I've missed. Thanks!


[0] https://review.openstack.org/#/c/455709/
[1] https://review.openstack.org/#/c/512505/
[2] https://review.openstack.org/#/c/464763/
[3] https://review.openstack.org/#/c/500207/

