[openstack-dev] [magnum]password for registry v2

Hongbin Lu hongbin.lu at huawei.com
Thu Aug 13 22:20:56 UTC 2015


Hi Wanghua,

For the question about how to pass user password to bay nodes, there are several options here:

1.       Directly inject the password to bay nodes via cloud-init. This might be the simplest solution. I am not sure if it is OK in security aspect.

2.       Inject a scoped Keystone trust to bay nodes and use it to fetch user password from Barbican (suggested by Adrian).

3.       Leverage the solution proposed by Kevin Fox [1]. This might be a long-term solution.

For the security concerns about storing credential in a config file, I need clarification. What is the config file? Is it a dokcer registry v2 config file? I guess the credential stored there will be used to talk to swift. Is that correct? In general, it is insecure to store user credential inside a VM, because anyone can take a snapshot of the VM and boot another VM from the snapshot. Maybe storing a scoped credential in the config file could mitigate the security risk. Not sure if there is a better solution.

[1] https://review.openstack.org/#/c/186617/

Best regards,
Hongbin

From: 王华 [mailto:wanghua.humble at gmail.com]
Sent: August-13-15 4:06 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] [magnum]password for registry v2

Hi all,

In order to add registry v2 to bay nodes[1], authentication information is needed for the registry to upload and download files from swift. The swift storage-driver in registry now needs the parameters as described in [2]. User password is needed. How can we get the password?

1. Let user pass password in baymodel-create.
2. Use user token to get password from keystone

Is it suitable to store user password in db?

It may be insecure to store password in db and expose it to user in a config file even if the password is encrypted. Heat store user password in db before, and now change to keystone trust[3]. But if we use keystone trust, the swift storage-driver does not support it. If we use trust, we expose magnum user's credential in a config file, which is also insecure.

Is there a secure way to implement this bp?

[1] https://blueprints.launchpad.net/magnum/+spec/registryv2-in-master
[2] https://github.com/docker/distribution/blob/master/docs/storage-drivers/swift.md
[3] https://wiki.openstack.org/wiki/Keystone/Trusts

Regards,
Wanghua
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150813/fb0101e5/attachment.html>


More information about the OpenStack-dev mailing list