The switch credentials are currently stored in plain text format in the ml2 plugin configuration file. From a network administrator's point of view, providing switch credentials to the cloud operator is risky. The credentials can be stored encrypted and secured somewhere else. Possible options on where to put credentials that need investigation are: 1) Store the switch credentials in a file encrypted by Ansible Vault. networking-ansible can load the file just like other vars files. We would still need to store the password for Ansible Vault somewhere. 2) Store the credentials in Barbican.
Please note that we also need support for SSH keys. Is that included in this RFE, or do we need a separate BZ?
Good thought, I think we should address ssh keys in a separate RFE. I think that the storage of passwords vs password-less authentication are slightly different implementations. I'll create a new set of RFE records across our tracking tools to make sure that ssh key auth gets added.
It has been concluded that this RFE does not currently have a solution to be implemented. Proposed solutions just move the problem a layer deeper behind code we would be writing. The release flag is being dropped. The demand for this feature needs to be reassessed along with research into what a customer would actually be pleased with using.
Will document using low privilege specific access user.
Confirmed, we have instruction to create a user with specific permissions in our docs.