<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Oh I was literally just thinking about the 'credential' type key
value items we store in the Keystone DB. Rather than storing them
in the Keystone db and worrying about encryption (and encryption
keys) in Keystone around what is otherwise a plaintext secret,
just offload that to a service specific for handling those (which
Keystone isn't).<br>
<br>
My only really worry then is if tying MFA credential values to an
external service is a great idea as now Keystone and Barbican have
to be alive for auth to occur (plus auth could be marginally
slower). Although by using an external service security could
potentially be enhanced and deployers don't need to worry about
credential encryption key rotation (and re-encryption of
credentials) in Keystone.<br>
</p>
<p>As for fernet keys in Barbican... that that does sound like a
fairly terrifying chicken and egg problem. Although Castellan with
a Vault plugin sounds doable (not tied back to Keystone's own
auth), and could actually be useful for multi-host keystone
deployments since Vault now handles your Key
replication/distribution provided Keystone rotates keys into it.<br>
</p>
<div class="moz-cite-prefix">On 31/08/18 1:50 AM, Lance Bragstad
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAE6oFcFGv+sxxYPN6i59f5F7H5E6SbSO_ags8-OEK=M92H7_1w@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">This topic has surfaced intermittently ever since
keystone implemented fernet tokens in Kilo. An initial idea was
written down shortly afterwords [0], then we targeted it to
Ocata [1], and removed from the backlog around the Pike
timeframe [2]. The commit message of [2] includes meeting links.
The discussion usually tripped attempting to abstract enough of
the details about rotation and setup of keys to work in all
cases.
<div><br>
</div>
<div>[0] <a href="https://review.openstack.org/#/c/311268/"
moz-do-not-send="true">https://review.openstack.org/#/c/311268/</a></div>
<div>[1] <a href="https://review.openstack.org/#/c/363065/"
moz-do-not-send="true">https://review.openstack.org/#/c/363065/</a></div>
<div>[2] <a href="https://review.openstack.org/#/c/439194/"
moz-do-not-send="true">https://review.openstack.org/#/c/439194/</a><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Aug 30, 2018 at 5:02 AM Juan Antonio
Osorio Robles <<a href="mailto:jaosorior@redhat.com"
moz-do-not-send="true">jaosorior@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>FWIW, instead of barbican, castellan could be used as
a key manager.<br>
</p>
<br>
<div class="gmail-m_244733796970506849moz-cite-prefix">On
08/30/2018 12:23 PM, Adrian Turjak wrote:<br>
</div>
<blockquote type="cite">
<div class="gmail-m_244733796970506849moz-text-html"
lang="x-unicode">
<p><br>
</p>
<div
class="gmail-m_244733796970506849moz-cite-prefix">On
30/08/18 6:29 AM, Lance Bragstad wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="white" lang="EN-US">
<div
class="gmail-m_244733796970506849m_329163095983434052WordSection1">
<p class="MsoNormal"><span
style="font-size:11pt">Is that what
is being described here ? <a
href="https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html"
target="_blank"
moz-do-not-send="true">
https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html</a></span></p>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>This is a separate mechanism for storing
secrets, not necessarily passwords (although
I agree the term credentials automatically
makes people assume passwords). This is used
if consuming keystone's native MFA
implementation. For example, storing a
shared secret between the user and keystone
that is provided as a additional
authentication method along with a username
and password combination.</div>
<div> </div>
</div>
</div>
</blockquote>
<p>Is there any interest or plans to potentially
allow Keystone's credential store to use Barbican
as a storage provider? Encryption already is
better than nothing, but if you already have (or
will be deploying) a proper secret store with a
hardware backend (or at least hardware stored
encryption keys) then it might make sense to throw
that in Barbican.<br>
<br>
Or is this also too much of a chicken/egg problem?
How safe is it to rely on Barbican availability
for MFA secrets and auth?<br>
</p>
</div>
<br>
<fieldset
class="gmail-m_244733796970506849mimeAttachmentHeader"></fieldset>
<br>
<pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="gmail-m_244733796970506849moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank" moz-do-not-send="true">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="gmail-m_244733796970506849moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank" moz-do-not-send="true">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</div>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage
questions)<br>
Unsubscribe: <a
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
rel="noreferrer" target="_blank" moz-do-not-send="true">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
</body>
</html>