doug.hellmann at dreamhost
Jun 25, 2012, 3:28 PM
Post #2 of 5
(100 views)
Permalink
|
On Mon, Jun 25, 2012 at 6:19 PM, Ken Thomas <krt [at] yahoo-inc> wrote:
> Greetings all,
>
> Our security folks have an issue with putting passwords on the command
> line or in the environment. I wrote up a blueprint that gives the details
> on their objections as well as a proposed short-term fix for keystone (
> https://blueprints.launchpad.**net/keystone/+spec/prompt-for-**password<https://blueprints.launchpad.net/keystone/+spec/prompt-for-password>).
> We'd like to see this same change get into UnifiedCLI as a longer term fix.
>
> The change is minor. If no password was found on the command line or in
> the env, just before the "expecting password" error is raised, we make an
> attempt to prompt the user for it. If we get something, great! Our
> security folks are happy and we keep processing. If we don't get the
> password for any number of reasons (keystone wasn't being run from a tty,
> the user hit Ctrl-C or Ctrl-D when prompted), then we raise the error just
> as before.
>
> I've already submitted the keystone changes for review (
> https://review.openstack.org/**#/c/8958/3/keystoneclient/**shell.py<https://review.openstack.org/#/c/8958/3/keystoneclient/shell.py>)
> and I'd be happy to make the same change to UnifiedCLI as well.
>
Thanks, Ken! That sounds like a good change to make. If you add me as a
reviewer on the patch, I'll make sure to look at the changes.
Doug
|
