[Openstack-operators] [Openstack] Service token and credential security
alawson at aqorn.com
Sat Apr 5 00:02:49 UTC 2014

Hey OpenStack peeps!

Most of the .conf files within OpenStack contain credentials and/or token
IDs that allow services to talk to each other. And interestingly, I have
not found a way to obfuscate this data from system admins who do not need
the keys to the entire kingdom.

Is there a best practice I'm unaware of that addresses where credentials
are stored and who can access them? Most system admins have root or sudo
access to /etc/program/program.conf and having access to credentials that
give them that level of power seems like either a bug or an oversight (or
evidence I'm a bigger dumbass than I thought).

Can the credentials used by services such as Swift, Keystone, etc. be
protected? How are folks currently protecting their installations while
allowing low-level admins to do their work? Does OpenStack support ESSO or
at least the option to encrypt these files somehow? Seems like an audit
issue to me.

427 North Tatnall Street
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620