[openstack-dev] [OpenStack-Infra] [infra][security] Encryption in Zuul v3
James E. Blair
corvus at inaugust.com
Wed Mar 22 15:02:05 UTC 2017
Ian Cordasco <sigmavirus24 at gmail.com> writes:
> On Tue, Mar 21, 2017 at 6:10 PM, James E. Blair <corvus at inaugust.com> wrote:
>> We did talk about some other options, though unfortunately it doesn't
>> look like a lot of that made it into the spec reviews. Among them, it's
>> probably worth noting that there's nothing preventing a Zuul deployment
>> from relying on some third-party secret system -- if you can use it with
>> Ansible, you should be able to use it with Zuul. But we also want Zuul
>> to have these features out of the box, and, wearing our sysadmin hats,
>> we're really keen on having source control and code review for the
>> system secrets for the OpenStack project.
>> Vault alone doesn't meet our requirements here because it relies on
>> symmetric encryption, which means we need users to share a key with
>> Zuul, implying an extra service with out-of-band authn/authz. However,
>> we *could* use our PKCS#1 style system to share a vault key with Zuul.
>> I don't think that has come up as a suggestion yet, but seems like it
>> would work.
> I suppose Barbican doesn't meet those requirements either, then, yes?
Right -- we don't want to require another service or tie Zuul to an
authn/authz system for a fundamental feature. However, I do think we
can look at making integration with Barbican and similar systems an
option for folks who have such an installation and prefer to use it.
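The "PKCS#1 style" idea in the thread, a user encrypting a vault key to Zuul's public key so that no shared secret and no extra authn/authz service is needed, is easy to see end to end with the openssl CLI. The following is an added example written for this page; it is not Zuul's own code or the OpenStack project's configuration. The key file paths, the function names and the "vault key" string are all constructed for the demonstration. It uses RSA with PKCS#1 OAEP padding: anyone holding the published public key can encrypt, only the holder of the private key (the Zuul side) can decrypt, and because OAEP is randomised, encrypting the same value twice yields different ciphertexts, so a committed secret does not leak equality with other committed secrets.

```shell
#!/bin/sh
# Added example (not Zuul's code): a user encrypts a symmetric "vault key"
# to the Zuul side's RSA public key with PKCS#1 OAEP. The user needs no
# shared secret with Zuul and no separate authn/authz service; only the
# private-key holder can recover the value. Requires the openssl CLI.
# File paths under $WORK are assumptions made for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Zuul side: generate the keypair once; publish only the public key.
zuul_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/zuul_private.pem" 2>/dev/null
    openssl pkey -in "$WORK/zuul_private.pem" -pubout \
        -out "$WORK/zuul_public.pem"
}

# User side: encrypt a secret (here a constructed "vault key" string) using
# only the public key. Output is single-line base64 so it can be committed
# to a reviewed config file.
user_encrypt() {
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin \
        -inkey "$WORK/zuul_public.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        | openssl base64 -A
}

# Zuul side: decode and decrypt with the private key, using the same
# padding parameters the encrypting side used.
zuul_decrypt() {
    printf '%s' "$1" | openssl base64 -d -A | openssl pkeyutl -decrypt \
        -inkey "$WORK/zuul_private.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Round trip; prints "ok" when the decrypted value equals the input.
roundtrip() {
    secret="$1"
    ct=$(user_encrypt "$secret")
    pt=$(zuul_decrypt "$ct")
    if [ "$pt" = "$secret" ]; then echo ok; else echo mismatch; fi
}

# Usage: generate keys, then run the round trip for a constructed vault key.
zuul_keygen
roundtrip 'constructed-vault-key-0123456789'
```

Note that a 2048-bit RSA-OAEP ciphertext can only carry a short value (well under 256 bytes), which is why the thread talks about sharing a *vault key* this way rather than the secrets themselves: the small key is wrapped asymmetrically and the bulk secrets are protected symmetrically under it.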