[openstack-dev] [tc][appcat] The future of the App Catalog
Clint Byrum
clint at fewbar.com
Sun Mar 12 17:30:49 UTC 2017
Excerpts from Fox, Kevin M's message of 2017-03-12 16:54:20 +0000:
> I totally agree that policy management is a major problem too. A much bigger one then instance users, and something I was hoping to get to after instance users, but never made it past the easier of the two. :/
>
>
> The just inject creds solution keeps getting proposed, but only looks at the surface of the issue so has a lot of issues under the hood. Lets dig in again.
>
> Lets say I create a heat template and inject creds through Parameters, as that is the natural place for a user to fill out settings and launch their application.
>
> The cred is loaded unencrypted into the heat database. Then heat-engine pushes it into the nova database where it resides unencrypted, so it can be sent to cloud init, usually also in an unencrypted form.
>
> You delete the heat stack, and the credential still sticks around in the nova database long after the vm is deleted, as it keeps deleted data.
>
> The channels for passing stuff to a vm are much better at passing config to the vm, not secrets.
>
> Its also a one shot way to get an initial cred to a vm, but not a way to update it should the need arise. Also, how is the secret maintained in a way that rebooting the vm works while snapshotting the vm doesn't capture the secret, etc.
>
> The use case/issues are described exhaustively in the spec and describe why its not something thats something that can easily be tackled by "just do X" solutions. I proposed one implementation I think will work generally and cover all bases. But am open to other implementations that cover all the bases. Many half solutions have been proposed, but the whole point is security, so a half solution that has big security holes in it isn't really a solution.
>
_OR_, you inject a nonce that is used to authenticate the instance to
config management. If you're ever going to talk to anything outside of
the cloud APIs, you'll need this anyway.
Once you're involved with config management you are already sending
credentials of various types to your instances.
More information about the OpenStack-dev
mailing list