Prompt for passwords
We have some operational issues with using keystone: the initial password used to get the token needs to be on the command line or in an environment variable. Our security people aren't happy that a 'ps' command might expose the former, and peeking in a user's directory for a .bashrc or .bash_history (or similar) could expose the latter.
I propose a change to keystoneclient/
If there is no password in the env or on the command line, and we're running from a tty, then use getpass to prompt the user for a password.
This would have no impact on existing usage of the keystone client and make our security people much happier.
Blueprint information
- Status: Complete
- Approver: Joseph Heck
- Priority: Medium
- Drafter: Ken Thomas
- Direction: Approved
- Assignee: Ken Thomas
- Definition: Approved
- Series goal: None
- Implementation: Implemented
- Milestone target: None
- Started by: Joseph Heck
- Completed by: Ken Thomas
Whiteboard
I've been looking into the getpass docs (http://
Update: I did some experiments and it doesn't look like getpass handles the non-tty case very well. I propose then that we use this snippet of code to prompt for a password if (a) we don't have one and (b) stdin is a tty.
import getpass
import sys

if not args.os_password and hasattr(sys.stdin, 'isatty') and sys.stdin.isatty():
    args.os_password = getpass.getpass()
Note that the existing errors about "expecting a password" are still valid. They'll still be issued if there wasn't a password specified and stdin wasn't a tty. In that situation they are still expected.
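A self-contained version of this fallback order, written here as an illustration rather than taken from keystoneclient itself: the function name, the FakeStream stand-in and the use of the OS_PASSWORD environment variable are assumptions, and stdin and the prompt are injectable so the tty and non-tty branches can be exercised offline.

```python
import getpass
import os
import sys


def resolve_os_password(cli_password=None, environ=None, stdin=None, prompt_func=None):
    """Return the password for the token request, or None if no source has one.

    Precedence follows the blueprint: --os-password on the command line,
    then OS_PASSWORD in the environment (assumed name), then an interactive
    getpass prompt only when stdin is a tty. A None result lets the caller
    keep raising its existing "expecting a password" error for the
    piped / non-tty case instead of hanging on input that will never come.
    """
    environ = os.environ if environ is None else environ
    stdin = sys.stdin if stdin is None else stdin
    prompt_func = getpass.getpass if prompt_func is None else prompt_func

    if cli_password:
        return cli_password
    env_password = environ.get('OS_PASSWORD')
    if env_password:
        return env_password
    # The blueprint notes that getpass does not handle a non-tty stdin well,
    # so only prompt when a human is actually attached to the terminal.
    if hasattr(stdin, 'isatty') and stdin.isatty():
        return prompt_func('OS Password: ')
    return None


class FakeStream(object):
    """Constructed stand-in for sys.stdin so the tty check runs offline."""

    def __init__(self, is_tty):
        self._is_tty = is_tty

    def isatty(self):
        return self._is_tty


if __name__ == '__main__':
    typed = lambda prompt: 'typed-at-prompt'  # stands in for getpass.getpass
    print(resolve_os_password('from-cli', {'OS_PASSWORD': 'from-env'}, FakeStream(True), typed))
    print(resolve_os_password(None, {'OS_PASSWORD': 'from-env'}, FakeStream(True), typed))
    print(resolve_os_password(None, {}, FakeStream(True), typed))
    print(resolve_os_password(None, {}, FakeStream(False), typed))
```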
One more update: It looks like nova client and glance client should have this same additional functionality added to be consistent. Can this blueprint cover those changes as well?