[Openstack-operators] Security around enterprise credentials and OpenStack API

2015-03-31 Thread Mathieu Gagné
Hi, Let's say I wish to use an existing enterprise LDAP service to manage my OpenStack users so I only have one place to manage users. How would you manage authentication and credentials from a security point of view? Do you tell your users to use their enterprise credentials or do you use an othe

Re: [Openstack-operators] Security around enterprise credentials and OpenStack API

2015-03-31 Thread Matt Fischer
Mathieu, We LDAP (AD) with a fallback to MySQL. This allows us to store service accounts (like nova) and "team accounts" for use in Jenkins/scripts etc in MySQL. We only do Identity via LDAP and we have a forked copy of this driver (https://github.com/SUSE-Cloud/keystone-hybrid-backend) to do this

Re: [Openstack-operators] Security around enterprise credentials and OpenStack API

2015-03-31 Thread Marc Heckmann
Hi all, I was going to post a similar question this evening, so I decided to just bounce on Mathieu’s question. See below inline. > On Mar 31, 2015, at 8:35 PM, Matt Fischer wrote: > > Mathieu, > > We LDAP (AD) with a fallback to MySQL. This allows us to store service > accounts (like nova)

Re: [Openstack-operators] Security around enterprise credentials and OpenStack API

2015-03-31 Thread Daniel Comnea
+ developers mailing list, hopefully a developer might be able to chime in. On Wed, Apr 1, 2015 at 3:58 AM, Marc Heckmann wrote: > Hi all, > > I was going to post a similar question this evening, so I decided to just > bounce on Mathieu’s question. See below inline. > > > On Mar 31, 2015, at 8

Re: [Openstack-operators] Security around enterprise credentials and OpenStack API

2015-04-01 Thread Adam Young
On 03/31/2015 10:58 PM, Marc Heckmann wrote: Hi all, I was going to post a similar question this evening, so I decided to just bounce on Mathieu’s question. See below inline. On Mar 31, 2015, at 8:35 PM, Matt Fischer wrote: Mathieu, We LDAP (AD) with a fallback to MySQL. This allows us to

Re: [Openstack-operators] Security around enterprise credentials and OpenStack API

2015-08-29 Thread Marc Heckmann
Sorry for the repost, it seems this mail was in the outbox of another machine that I hadn't turned on in a while. Please ignore. > On Aug 29, 2015, at 11:56, Marc Heckmann wrote: > > Hi all, > > I was going to post a similar question this evening, so I decided to just > bounce on Mathieu’s

Re: [Openstack-operators] Security around enterprise credentials and OpenStack API

2015-08-29 Thread Kris G. Lindgren
We create "service accounts" in AD, for teams to use inside scripts or within services. We have a home-built solution to prevent credentials from being stored in clear text on the server and allow for password rotation of the service accounts without service interruption. On 8/29/15, 9:49

Re: [Openstack-operators] Security around enterprise credentials and OpenStack API

2015-08-31 Thread Adam Young
On 03/31/2015 08:06 PM, Mathieu Gagné wrote: Hi, Let's say I wish to use an existing enterprise LDAP service to manage my OpenStack users so I only have one place to manage users. How would you manage authentication and credentials from a security point of view? Do you tell your users to use the