bad security practices in getting started

Bug #1718296 reported by Matt Verran
This bug affects 1 person
Affects: openstack-api-site
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

This bug tracker is for errors with the documentation, use the following as a template and remove or add fields as you see fit. Convert [ ] into [x] to check boxes:

- [ ] This doc is inaccurate in this way: ______
- [ ] This is a doc addition request.
- [x] I have a fix to the document that I can paste below including example: input and output.

If you have a troubleshooting or support issue, use the following resources:

 - Ask OpenStack: http://ask.openstack.org
 - The mailing list: http://lists.openstack.org
 - IRC: 'openstack' channel on Freenode

-----------------------------------
Release: 0.1 on 2017-09-14 19:40
SHA: 8fa4937999220a9b493fd12dd488d9516a6e708f
Source: https://git.openstack.org/cgit/openstack/api-site/tree/doc/source/getting_started.rst
URL: https://developer.openstack.org/firstapp-libcloud/getting_started.html

In the spirit of contributing something while my other bug around the getting started project is considered, it's been a bugbear of mine to see a new tutorial advocating hardcoding the credentials into code (which may then be checked into a public repo on GitHub/Bitbucket etc).

Instead of...

# step-1
from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver

auth_username = 'your_auth_username'
auth_password = 'your_auth_password'
auth_url = 'http://controller:5000'
project_name = 'your_project_name_or_id'
region_name = 'your_region_name'

provider = get_driver(Provider.OPENSTACK)
conn = provider(auth_username,
                auth_password,
                ex_force_auth_url=auth_url,
                ex_force_auth_version='2.0_password',
                ex_tenant_name=project_name,
                ex_force_service_region=region_name)

How about suggesting

# step-1
import os
from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver

def get_env_var(name):
    if name in os.environ:
        return os.environ[name]
    else:
        prompt_text = "{0} was not set, maybe you haven't set your Openstack credentials?\nEnter a value for {0}: ".format(name)
        temp = raw_input(prompt_text)
        return temp

auth_username = get_env_var("OS_USERNAME")
auth_password = get_env_var("OS_PASSWORD")
auth_url = get_env_var("OS_AUTH_URL")
auth_url = auth_url.rsplit("/",1)[0]
project_name = get_env_var("OS_PROJECT_NAME")
region_name = get_env_var("OS_REGION_NAME")

provider = get_driver(Provider.OPENSTACK)
conn = provider(auth_username,
                auth_password,
                ex_force_auth_url=auth_url,
                ex_force_auth_version='2.0_password',
                ex_tenant_name=project_name,
                ex_force_service_region=region_name)

I'm not great at Python, so maybe a more pythonesque solution is possible, but this certainly worked well enough for me and would encourage more secure default behaviour.

Tags: firstapp
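
A variant of the suggestion above that reads the password without echoing it and trims a version suffix from OS_AUTH_URL only when one is present. This is an added example, not code from the report or from the OpenStack tutorial; it assumes Python 3, and `load_credentials`, `strip_api_version` and their parameters are hypothetical names.

```python
import getpass
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Variable names are the ones used in the report; OS_PASSWORD is the only secret.
REQUIRED = ("OS_USERNAME", "OS_PASSWORD", "OS_AUTH_URL",
            "OS_PROJECT_NAME", "OS_REGION_NAME")
SECRET = {"OS_PASSWORD"}


def strip_api_version(auth_url):
    """Drop a trailing /v2.0 or /v3 style path segment, and nothing else.

    A blind rsplit("/", 1) would turn 'http://controller:5000' into 'http:/'.
    """
    parts = urlsplit(auth_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("OS_AUTH_URL is not an http(s) URL")
    path = re.sub(r"/v\d+(\.\d+)?/?$", "", parts.path).rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def load_credentials(env=None, ask=input, ask_secret=getpass.getpass):
    """Read credentials from the environment, prompting only for missing ones.

    Secrets are read with getpass so they are not echoed to the terminal.
    env, ask and ask_secret are injectable (hypothetical parameters) for tests.
    """
    env = os.environ if env is None else env
    creds = {}
    for name in REQUIRED:
        value = env.get(name, "")
        if not value:
            reader = ask_secret if name in SECRET else ask
            value = reader("{0} is not set. Enter a value for {0}: ".format(name))
        if not value:
            raise ValueError("{0} is required".format(name))
        creds[name] = value
    creds["OS_AUTH_URL"] = strip_api_version(creds["OS_AUTH_URL"])
    return creds


if __name__ == "__main__":
    loaded = load_credentials()
    # Show what was loaded, leaving the password out of the output.
    print({k: v for k, v in loaded.items() if k not in SECRET})
```

The returned values map onto the `provider(...)` call from the report in the same order: username, password, `ex_force_auth_url`, `ex_tenant_name`, `ex_force_service_region`.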
Anne Gentle (annegentle)
Changed in openstack-api-site:
status: New → Triaged
importance: Undecided → Medium