Hey, So, this is not something that Barbican can directly help with, given that it needs keystone for authentication. So, if you want to protect the keystone user/password; you get into a chicken and egg problem then. That being said, there is work being done to address this issue. Moises Guimaraes has been working to enable oslo.config to read the configuration values via drivers; and one of those drivers is castellan (which allows you to use something like Vault to store secrets). I'm sure he'll be able to provide you more details if needed. The next step is to integrate this work to the deployment engines. Best regards On 3/1/19 6:13 PM, Tom Barron wrote:
In manila -- and so far as I can tell, other projects -- service user and back end (storage devices, security service) credentials appear plaintext in configuration files and in database tables. These are not accessible to ordinary OpenStack users but some cloud deployers nonetheless have concerns about this exposure and have asked us to tighten things up.
So I want to check for best practices from other projects. I doubt this is a manila-specific concern -- e.g. is barbican already being used today by some projects to protect information of this sort?
Thanks,
-- Tom Barron