
Users use plain text to request the token, is this even secure?

asked 2014-02-03 20:55:40 -0500

limin-marcus

Hi all,

I'm quite new to Keystone and this question might be too simple or stupid, but I've done a lot of googling and haven't gotten satisfactory answers.

When users use the RESTful APIs to perform some action, e.g., create a VM, they first need to get the token_id. The way the user can get it is via username/password:

    curl http://x.x.x.x:35357/v2.0/tokens \
      -X POST -H "Content-Type: application/json" \
      -d '{"auth": {"tenantName": "mytenant", "passwordCredentials": {"username": "myuser", "password": "mypassword"}}}'

And we need response['access']['token']['id'] for the subsequent VM-creation requests, with the header 'X-Auth-Token: token_id', to do the authentication.

But in the token request the username/password is actually in plaintext. How is this even secure when passed around on the network?

And what's the difference between the port 35357 and 5000?

Am I missing something here? Can you guys provide some info? Thank you very much!


2 answers


answered 2014-02-06 16:24:12 -0500

limin-marcus

Thanks Haneef Ali, that solved my question.


answered 2014-02-05 22:06:49 -0500

haneef

1) Yes, it is not secure. That's why you are supposed to use an HTTPS endpoint in real production.

2) In Keystone v2, one is called the admin port and the other the service port. More operations are exposed via the admin port. Only the token API is exposed via the service port. Via admin you can do tokens, user creation, etc.

BTW, you are better off looking at the V3 API as V2 will be deprecated soon.

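As an added example (not code from this thread or from Keystone itself), here is a small Python client for the v2 token flow described in the question that applies the first point of this answer: it refuses to POST passwordCredentials to anything but an https:// URL, and when it does send them it verifies the server certificate and hostname. The hostname, the token id and the sample response are constructed; the transport is injectable so the block runs offline against that sample.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample of a Keystone v2 token response, in the shape the question
# relies on (response['access']['token']['id']). All values are made up.
SAMPLE_V2_RESPONSE = {
    "access": {
        "token": {
            "id": "0123456789abcdef0123456789abcdef",
            "expires": "2014-02-04T20:55:40Z",
            "tenant": {"id": "tenant-id-1", "name": "mytenant"},
        },
        "user": {"id": "user-id-1", "name": "myuser"},
        "serviceCatalog": [],
    }
}


def build_v2_auth_body(tenant_name, username, password):
    """JSON body for POST /v2.0/tokens, the same document the question's curl sends.

    The password is a plain string in here; nothing in the body protects it,
    so the protection has to come from the transport (TLS).
    """
    doc = {
        "auth": {
            "tenantName": tenant_name,
            "passwordCredentials": {"username": username, "password": password},
        }
    }
    return json.dumps(doc).encode("utf-8")


def is_tls_endpoint(keystone_url):
    """True only if the URL scheme is https; the port (5000 or 35357) proves nothing."""
    return urlparse(keystone_url).scheme == "https"


def https_post_json(url, body):
    """POST body to url over TLS with certificate and hostname verification.

    ssl.create_default_context() loads the system CA bundle and enables
    hostname checking, so an interceptor with a self-signed cert is rejected.
    """
    ctx = ssl.create_default_context()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def get_token(keystone_url, tenant_name, username, password,
              transport=https_post_json):
    """Obtain a v2 token id, refusing to ship credentials over plain HTTP.

    transport(url, body) -> dict is injectable so the flow can run offline.
    """
    if not is_tls_endpoint(keystone_url):
        raise ValueError(
            "refusing to send passwordCredentials in clear text to %s; use https://"
            % keystone_url
        )
    body = build_v2_auth_body(tenant_name, username, password)
    response = transport(keystone_url.rstrip("/") + "/v2.0/tokens", body)
    return response["access"]["token"]["id"]


def auth_headers(token_id):
    """Headers for the follow-up requests (e.g. creating a VM) the question mentions."""
    return {"X-Auth-Token": token_id, "Content-Type": "application/json"}


def offline_transport(url, body):
    """Stand-in for the network: checks the request shape, returns the sample."""
    assert url.endswith("/v2.0/tokens"), url
    assert json.loads(body)["auth"]["passwordCredentials"], "no credentials in body"
    return SAMPLE_V2_RESPONSE


def demo():
    """Run the flow against the constructed response (hostname is made up)."""
    return get_token("https://keystone.example.org:5000", "mytenant", "myuser",
                     "mypassword", transport=offline_transport)


if __name__ == "__main__":
    token = demo()
    print(token)
    print(auth_headers(token))
```

The scheme check is deliberately separate from the port: http://x.x.x.x:35357 is just as readable to a sniffer as http://x.x.x.x:5000, so using the admin port does not make the credential exchange any safer; only TLS on the endpoint does.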




Last updated: Feb 06 '14