Open Stack

I vote for #3. ;)

But seriously, please do help review it so we make sure everyone's use cases are handled ok.

Thanks,
Kevin
________________________________
From: 王华 [wanghua.humble at gmail.com]
Sent: Thursday, August 13, 2015 6:25 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [magnum]password for registry v2

Hi hongbin,
I have comments in line.

Thank you.

Regards,
Wanghua

On Fri, Aug 14, 2015 at 6:20 AM, Hongbin Lu <hongbin.lu at huawei.com<mailto:hongbin.lu at huawei.com>> wrote:
Hi Wanghua,

For the question about how to pass user password to bay nodes, there are several options here:

1.       Directly inject the password to bay nodes via cloud-init. This might be the simplest solution. I am not sure if it is OK in security aspect.

2.       Inject a scoped Keystone trust to bay nodes and use it to fetch user password from Barbican (suggested by Adrian).

If we use trust, who we should let user trust?  If we let user trust magnum, then the credential of magnum will occur in vm. I think it is insecure.

3.       Leverage the solution proposed by Kevin Fox [1]. This might be a long-term solution.

For the security concerns about storing credential in a config file, I need clarification. What is the config file? Is it a dokcer registry v2 config file? I guess the credential stored there will be used to talk to swift. Is that correct? In general, it is
The credential stored in docker registry v2 config file is used to talk to swift.

insecure to store user credential inside a VM, because anyone can take a snapshot of the VM and boot another VM from the snapshot. Maybe storing a scoped credential in the config file could mitigate the security risk. Not sure if there is a better solution.

[1] https://review.openstack.org/#/c/186617/

Best regards,
Hongbin

From: 王华 [mailto:wanghua.humble at gmail.com<mailto:wanghua.humble at gmail.com>]
Sent: August-13-15 4:06 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] [magnum]password for registry v2

Hi all,

In order to add registry v2 to bay nodes[1], authentication information is needed for the registry to upload and download files from swift. The swift storage-driver in registry now needs the parameters as described in [2]. User password is needed. How can we get the password?

1. Let user pass password in baymodel-create.
2. Use user token to get password from keystone

Is it suitable to store user password in db?

It may be insecure to store password in db and expose it to user in a config file even if the password is encrypted. Heat store user password in db before, and now change to keystone trust[3]. But if we use keystone trust, the swift storage-driver does not support it. If we use trust, we expose magnum user's credential in a config file, which is also insecure.

Is there a secure way to implement this bp?

[1] https://blueprints.launchpad.net/magnum/+spec/registryv2-in-master
[2] https://github.com/docker/distribution/blob/master/docs/storage-drivers/swift.md
[3] https://wiki.openstack.org/wiki/Keystone/Trusts

Regards,
Wanghua

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe<http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150814/84478e7e/attachment.html>