[openstack-dev] [barbican] default devstack barbican secret store ? and big picture question ?
Ade Lee
alee at redhat.com
Mon Jul 2 12:07:22 UTC 2018
On Mon, 2018-06-18 at 17:23 +0000, Waines, Greg wrote:
> Hey ... a couple of NEWBY question for the Barbican Team.
>
> I just setup a devstack with Barbican @ stable/queens .
>
> Ran through the “Verify operation” commands (
> https://docs.openstack.org/barbican/latest/install/verify.html ) ...
> Everything worked.
> stack at barbican:~/devstack$ openstack secret list
>
> stack at barbican:~/devstack$ openstack secret store --name mysecret --
> payload j4=]d21
> +---------------+--------------------------------------------------
> ------------------------------+
> | Field | Value
> |
> +---------------+--------------------------------------------------
> ------------------------------+
> | Secret href | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-
> e417-45a8-ae49-187f8d8c98d1 |
> | Name | mysecret
> |
> | Created | None
> |
> | Status | None
> |
> | Content types | None
> |
> | Algorithm | aes
> |
> | Bit length | 256
> |
> | Secret type | opaque
> |
> | Mode | cbc
> |
> | Expiration | None
> |
> +---------------+--------------------------------------------------
> ------------------------------+
> stack at barbican:~/devstack$
> stack at barbican:~/devstack$
> stack at barbican:~/devstack$ openstack secret list
> +------------------------------------------------------------------
> --------------+----------+---------------------------+--------+----
> -------------------------+-----------+------------+-------------+--
> ----+------------+
> | Secret href
> | Name | Created | Status | Content
> types | Algorithm | Bit length | Secret type | Mode |
> Expiration |
> +------------------------------------------------------------------
> --------------+----------+---------------------------+--------+----
> -------------------------+-----------+------------+-------------+--
> ----+------------+
> | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-
> 187f8d8c98d1 | mysecret | 2018-06-18T14:47:45+00:00 | ACTIVE |
> {u'default': u'text/plain'} | aes | 256 | opaque |
> cbc | None |
> +------------------------------------------------------------------
> --------------+----------+---------------------------+--------+----
> -------------------------+-----------+------------+-------------+--
> ----+------------+
> stack at barbican:~/devstack$ openstack secret get
> http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-
> 187f8d8c98d1
> +---------------+--------------------------------------------------
> ------------------------------+
> | Field | Value
> |
> +---------------+--------------------------------------------------
> ------------------------------+
> | Secret href | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-
> e417-45a8-ae49-187f8d8c98d1 |
> | Name | mysecret
> |
> | Created | 2018-06-18T14:47:45+00:00
> |
> | Status | ACTIVE
> |
> | Content types | {u'default': u'text/plain'}
> |
> | Algorithm | aes
> |
> | Bit length | 256
> |
> | Secret type | opaque
> |
> | Mode | cbc
> |
> | Expiration | None
> |
> +---------------+--------------------------------------------------
> ------------------------------+
> stack at barbican:~/devstack$ openstack secret get
> http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-
> 187f8d8c98d1 --payload
> +---------+---------+
> | Field | Value |
> +---------+---------+
> | Payload | j4=]d21 |
> +---------+---------+
> stack at barbican:~/devstack$
>
>
> QUESTIONS:
> · In this basic devstack setup, what is being used as the
> secret store ?
In the basic devstack setup, we use the default secret store plugin
which is the SimpleCrypto plugin.
This encrypts the secrets using a symmetric key, and stores the results
in the barbican sql database.
The default encryption key can be seen in https://github.com/openstack/
barbican/blob/master/barbican/plugin/crypto/simple_crypto.py#L37
> o E.g. /etc/barbican/barbican.conf for devstack is simply
> stack at barbican:~/devstack$ more /etc/barbican/barbican.conf
>
> [DEFAULT]
> transport_url = rabbit://stackrabbit:admin@10.10.10.17:5672
> db_auto_create = False
> sql_connection =
> mysql+pymysql://root:admin@127.0.0.1/barbican?charset=utf8
> logging_exception_prefix = %(color)s%(asctime)s.%(msecs)03d TRACE
> %(name)s %(instance)s
> logging_debug_format_suffix = from (pid=%(process)d) %(funcName)s
> %(pathname)s:%(lineno)d
> logging_default_format_string = %(asctime)s.%(msecs)03d
> %(color)s%(levelname)s %(name)s [-%(color)s]
> %(instance)s%(color)s%(message)s
> logging_context_format_string = %(asctime)s.%(msecs)03d
> %(color)s%(levelname)s %(name)s [%(request_id)s %(project_name)s
> %(user_name)s%(color)s] %(instance)s%(color)s%(message)s
> use_stderr = True
> log_file = /opt/stack/logs/barbican.log
> host_href = http://10.10.10.17/key-manager
> debug = True
>
> [keystone_authtoken]
> memcached_servers = localhost:11211
> signing_dir = /var/cache/barbican
> cafile = /opt/stack/data/ca-bundle.pem
> project_domain_name = Default
> project_name = service
> user_domain_name = Default
> password = admin
> username = barbican
> auth_url = http://10.10.10.17/identity
> auth_type = password
>
> [keystone_notifications]
> enable = True
> stack at barbican:~/devstack$
>
>
> What is the basic strategy here wrt Barbican providing secure secret
> storage ?
> e.g.
> Secrets are stored encrypted in some secret store ?
> Again, for default devstack, what is that secret store ? (assuming
> it is NOT the DB being used for general openstack services’ tables)
> i.e. assuming it is separate DB or file or directory of files
See response above. In the basic devstack case, the secrets are
encrypted by the encryption key (kek) and stored in the barbican sql
database.
Barbican has a number of gates where we configure different secret
stores (including KMIP, Dogtag and Vault). Depending on the secret
store,
the KEK and secret may be stored in different places.
> What key is used for encryption ? ...
>
> The UUID of the Barbican ‘secret’ object in the Barbican openstack DB
> Table is the ‘external reference’ for the secret ?
> ? and this ‘secret’ object has the internal reference for the secret
> in the secret store ?
>
>
Each secret stored in barbican has an entry in the barbican DB secrets
table. This is the UUID in the "external reference".
For the SimpleCryptoPlugin, the secret payload is also stored encrypted
in the DB (in a separate table).
For different secret store plugins esp. the KMIP, Dogtag or Vault
plugins, where the secret payload in stored in a separate system,
the secret store entry will store the 'internal' secret reference to
allow Barbican to retrieve the secret from Dogtag/Vault/ KMIP device.
> ADMIN privileges are required to access the Barbican ‘secret’ objects
> ?
>
In the basic devstack case using SimpleCrypto, the secrets are stored
encrypted in the DB. The DB is supposed to be accessed only
through the Barbican API, which enforces oslo.policy according to
policy.json file. Typically, that means being able to access a secret
if you are a user within the same project.
> For dev
>
>
> Soooo ... the secrets are stored in encrypted format and can only be
> referenced / retrieved in plain text with ADMIN privileges
> Is this the basis of the strategy ?
>
No, secrets are stored encrypted ans can be obtained unencrypted
through the Barbican REST API with the right keystone permissions.
>
> Thanks in advance,
> Greg.
>
>
>
>
>
>
>
> _____________________________________________________________________
> _____
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubs
> cribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180702/11cf310b/attachment.html>
More information about the OpenStack-dev
mailing list