d446e15285
Add the keystone-manage bootstrap command so that admin_token can be deprecated/removed in the future. This will allow for bootstrapping an initial user into the cloud instead of needing a global-admin token to perform initial actions. Change-Id: I113c6934b6b83ceff23a94101967a6df1126873f bp: bootstrap
16 lines
645 B
YAML
---
features:
  - keystone-manage now supports the bootstrap command
    on the CLI so that a keystone install can be
    initialized without the need of the admin_token
    filter in the paste-ini.
security:
  - The use of admin_token filter is insecure compared
    to the use of a proper username/password. Historically
    the admin_token filter has been left enabled in
    Keystone after initialization due to the way CMS
    systems work. Moving to an out-of-band initialization
    will eliminate the security concerns around a static
    shared string that conveys admin access to Keystone
    and therefore to the entire installation.
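
The security note above says the admin_token filter has historically been left enabled after initialization. The following audit check is an added example, not code from this commit or from the Keystone project: it reports which paste-ini pipelines still list the filter and whether a static token is set. It assumes the filter is named `admin_token_auth` in the paste-ini and that the token is the `admin_token` option in `[DEFAULT]` of keystone.conf; the sample file contents are constructed.

```python
import configparser

# Assumption: name of the admin_token filter as it appears in paste-ini pipelines.
FILTER = "admin_token_auth"

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_PASTE = """
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = sizelimit url_normalize admin_token_auth build_auth_context json_body public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize build_auth_context json_body admin_service
"""
SAMPLE_CONF = "[DEFAULT]\nadmin_token = CONSTRUCTED-PLACEHOLDER\n"


def _parse(text):
    # Only "=" is a delimiter so values such as "egg:keystone#..." stay intact;
    # RawConfigParser avoids interpolating "%(here)s"-style paste values.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def pipelines_with_admin_token(paste_ini_text, filter_name=FILTER):
    """Return {pipeline_name: stage_index} for pipelines that still list the filter."""
    cp = _parse(paste_ini_text)
    hits = {}
    for section in cp.sections():
        kind, _, name = section.partition(":")
        if kind.strip() != "pipeline" or not cp.has_option(section, "pipeline"):
            continue
        stages = cp.get(section, "pipeline").split()
        if filter_name in stages:
            hits[name.strip()] = stages.index(filter_name)
    return hits


def static_token_configured(keystone_conf_text):
    """True when [DEFAULT] admin_token is set to a non-empty value."""
    return bool(_parse(keystone_conf_text).defaults().get("admin_token", "").strip())


if __name__ == "__main__":
    print("pipelines still using the filter:", pipelines_with_admin_token(SAMPLE_PASTE))
    print("static admin_token set:", static_token_configured(SAMPLE_CONF))
```

A filter definition section on its own does not expose the token; what matters is whether a pipeline references it and whether a token value is configured.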