Users use plain text to request the token, is this even secure?

Hi all,

I'm quite new to Keystone and this question might be too simple or stupid. But I've done a lot of googling and haven't gotten satisfying answers.

When users use the RESTful APIs to perform some actions, e.g., create a VM, they first need to get the token_id. The way the user can get it is via username/password:

    curl http://x.x.x.x:35357/v2.0/tokens \
      -X POST -H "Content-Type: application/json" \
      -d '{"auth": {"tenantName": "mytenant", "passwordCredentials": {"username": "myuser", "password": "mypassword"}}}'

And we need the response['access']['token']['id'] for the following VM-creation requests, with the header 'X-Auth-Token: token_id', to do the authentication.

But in the token request, the username/password is actually plaintext. How is this even secure when it is passed around the network?

And what's the difference between the port 35357 and 5000?

Am I missing something here? Can you guys provide some info? Thank you very much!
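
The token exchange described in the question, as an added example that is not part of the original post: a client-side guard that builds the same `/v2.0/tokens` request but refuses any endpoint whose scheme is not `https`, since the JSON body carries the password and only TLS protects it on the network. The host `keystone.example`, the function names and the sample response are constructed for illustration.

```python
import json
from urllib.parse import urlsplit


def build_token_request(endpoint, tenant, username, password):
    """Return (url, headers, body) for POST /v2.0/tokens, refusing cleartext HTTP."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        # The password sits in the JSON body; without TLS it crosses the wire readable.
        raise ValueError("refusing to send credentials over %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("endpoint has no host")
    body = json.dumps({"auth": {
        "tenantName": tenant,
        "passwordCredentials": {"username": username, "password": password}}})
    return endpoint.rstrip("/") + "/v2.0/tokens", {"Content-Type": "application/json"}, body


def token_header(response_text):
    """Pull access.token.id out of the response and build the follow-up header."""
    try:
        token_id = json.loads(response_text)["access"]["token"]["id"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("not a v2.0 token response") from exc
    if not isinstance(token_id, str) or not token_id:
        raise ValueError("empty token id")
    # The token is a bearer credential, so later requests need the same TLS transport.
    return {"X-Auth-Token": token_id}


# Constructed sample response (hypothetical values, not captured from a real service).
SAMPLE_RESPONSE = json.dumps(
    {"access": {"token": {"id": "EXAMPLE-TOKEN-ID", "expires": "2030-01-01T00:00:00Z"}}})


def demo():
    """Run the guard against a cleartext and a TLS endpoint, then parse the sample."""
    results = {}
    for endpoint in ("http://keystone.example:35357", "https://keystone.example:35357"):
        try:
            results[endpoint] = build_token_request(
                endpoint, "mytenant", "myuser", "mypassword")[0]
        except ValueError as exc:
            results[endpoint] = "rejected: %s" % exc
    results["header"] = token_header(SAMPLE_RESPONSE)
    return results


if __name__ == "__main__":
    print(demo())
```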