diff options
Diffstat (limited to 'keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml')
-rw-r--r-- | keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml new file mode 100644 index 00000000..997ee64a --- /dev/null +++ b/keystone-moon/releasenotes/notes/add-bootstrap-cli-192500228cc6e574.yaml @@ -0,0 +1,17 @@ +--- +features: + - > + [`blueprint bootstrap <https://blueprints.launchpad.net/keystone/+spec/bootstrap>`_] + keystone-manage now supports the bootstrap command + on the CLI so that a keystone install can be + initialized without the need of the admin_token + filter in the paste-ini. +security: + - The use of admin_token filter is insecure compared + to the use of a proper username/password. Historically + the admin_token filter has been left enabled in + Keystone after initialization due to the way CMS + systems work. Moving to an out-of-band initialization using + ``keystone-manage bootstrap`` will eliminate the security concerns around + a static shared string that conveys admin access to keystone + and therefore to the entire installation. |