summaryrefslogtreecommitdiffstats
path: root/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml')
-rw-r--r--keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml17
1 files changed, 17 insertions, 0 deletions
diff --git a/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml
new file mode 100644
index 00000000..997ee64a
--- /dev/null
+++ b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml
@@ -0,0 +1,17 @@
+---
+features:
+ - >
+ [`blueprint bootstrap <https://blueprints.launchpad.net/keystone/+spec/bootstrap>`_]
+ keystone-manage now supports the bootstrap command
+ on the CLI so that a keystone install can be
+ initialized without the need of the admin_token
+ filter in the paste-ini.
+security:
+ - The use of admin_token filter is insecure compared
+ to the use of a proper username/password. Historically
+ the admin_token filter has been left enabled in
+ Keystone after initialization due to the way CMS
+ systems work. Moving to an out-of-band initialization using
+ ``keystone-manage bootstrap`` will eliminate the security concerns around
+ a static shared string that conveys admin access to keystone
+ and therefore to the entire installation.