Python client library for Keystone

Prompt for passwords

Registered by Ken Thomas on 2012-06-21

We have some operational issues with using the keystone in that the initial password used to get the token needs to be on the command line or in an environment variable. Our security people aren't happy that a 'ps' command might expose one of them, and peeking in a user's directory for a .bashrc or .bash_history (or similar) could expose the other.

I propose a change to keystoneclient/shell.py where it's checking for the password being present.

If there is no password in the env or on the command line, and we're running from a tty, then use getpass to prompt the user for a password.

This would have no impact on existing usage of the keystone client and make our security people much happier.

Blueprint information

Status: Complete
Approver: Joseph Heck
Priority: Medium
Drafter: Ken Thomas
Direction: Approved
Assignee: Ken Thomas
Definition: Approved
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Joseph Heck on 2012-06-25
Completed by: Ken Thomas on 2012-11-06

Whiteboard

I've been looking into the getpass docs (http://docs.python.org/library/getpass.html) and I think we can let it worry about being on a tty. I don't know if it'll handle I18N issues, or do we figure that the default "Password:" is good enough?

Update: I did some experiments and it doesn't look like getpass handles the non-tty case very well. I propose then that we use this snippet of code to prompt for a password if (a) we don't have one and (b) stdin is a tty.

import sys
from getpass import getpass

if not args.os_password and hasattr(sys.stdin, 'isatty') and sys.stdin.isatty():
    args.os_password = getpass()

Note that the existing errors about "expecting a password" are still valid. They'll still be issued if there wasn't a password specified and stdin wasn't a tty. In that situation they are still expected.

One more update: It looks like nova client and glance client should have this same additional functionality added to be consistent. Can this blueprint cover those changes as well?
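The behaviour proposed on this whiteboard, written out as a standalone function so the tty and non-tty paths can be exercised. This is an added example, not code from keystoneclient; `resolve_password`, `MissingPassword`, the lookup order and the error text are assumptions made for illustration.

```python
import getpass
import os
import sys


class MissingPassword(Exception):
    """No password was supplied and none could be prompted for."""


def resolve_password(cli_value=None, environ=None, stdin=None,
                     prompt=getpass.getpass):
    """Return a password from the CLI value, then OS_PASSWORD, then a prompt.

    Hypothetical helper: the name and the lookup order are assumptions.
    """
    environ = os.environ if environ is None else environ
    stdin = sys.stdin if stdin is None else stdin

    # Existing usage is unchanged: an explicit value always wins.
    password = cli_value or environ.get("OS_PASSWORD")
    if password:
        return password

    # Prompt only when a person is at the terminal. stdin can be None or a
    # replacement object without isatty() (daemons, some test harnesses).
    if hasattr(stdin, "isatty") and stdin.isatty():
        try:
            password = prompt("Password: ")
        except EOFError:
            password = None  # Ctrl-D at the prompt
        if password:
            return password

    # Non-interactive callers (cron, pipes) still get an error, not a hang.
    raise MissingPassword(
        "Expecting a password via --os-password, env[OS_PASSWORD], "
        "or an interactive prompt on a tty")
```

A password entered at the prompt never appears in the process argument list, the environment or shell history, which are the exposures the blueprint describes.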
