[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Ade Lee alee at redhat.com
Mon Jan 16 21:02:23 UTC 2017


Seems to me that there are two different audiences here.

Developers want something that is easy to set up and develop against.
For that, the simple crypto plugin is provided, and it requires
essentially no setup.

In case Barbican is not available, developers should be coding against
castellan.

Deployers want something relatively simple and secure.  This could be
an HSM, or it could be Dogtag (which can be configured to store secrets
in either an HSM or in a software based HSM).

There seems to be a misconception that Dogtag is hard to deploy.  That
may have been the case in the past, but there have been great strides
that have been made to make Dogtag deployment easier.  We now have
puppet scripts etc.

In Barcelona, for example, we held a couple of workshops where Barbican
was deployed by over a hundred people using Dogtag.  The installation
scripts (which took about 10 minutes to run) can be found here:  
https://github.com/cloudkeep/barbican-workshop

And yes, Dogtag is not a simple python app. But it has been
successfully deployed behind thousands of FreeIPA installations in HA
and non-HA modes, with minimal maintenance.

This is not to say that something like a Vault back-end should not be
developed.  It absolutely should.  But we should note that any real
secure back-end is going to require some investment of time/
understanding on the deployer's side for maintenance or for setting up
HA.  And Dogtag is not as bad as it is sometimes made out to be.


It's not without its warts though, and I'll be happy to work with anyone
who has trouble with it.
 
Ade

On Mon, 2017-01-16 at 10:50 -0800, Ian Cordasco wrote:
> -----Original Message-----
> From: Chris Friesen <chris.friesen at windriver.com>
> Reply: OpenStack Development Mailing List (not for usage questions)
> <openstack-dev at lists.openstack.org>
> Date: January 16, 2017 at 11:26:41
> To: openstack-dev at lists.openstack.org <openstack-dev at lists.openstack.org>
> Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?
> 
> > 
> > On 01/16/2017 10:31 AM, Rob C wrote:
> > 
> > > 
> > > I think the main point has already been hit on, developers don't
> > > want to require that Barbican be deployed in order for their
> > > service to be used.
> > 
> > I think that this is a perfectly reasonable stance for developers
> > to take. As long as Barbican is an optional component, then making
> > your service depend on it has a good chance of limiting your
> > potential install base.
> > 
> > Given that, it seems like the ideal model from a security
> > perspective would be to use Barbican if it's available at runtime,
> > otherwise use something else...but that has development and
> > maintenance costs.
> 
> More seriously, it requires developers who aren't familiar with
> securely storing that kind of data to re-implement exactly what
> Barbican has done, potentially.
> 
> Being realistic, and not to discount anyone's willingness to try, but
> I think the largest group of people qualified to build, review, and
> maintain that kind of software would be the Barbican team.
> 
> I guess the question then becomes: How many operators would be
> willing to deploy Barbican versus having to update each service as
> vulnerabilities are found, disclosed, and fixed in their clouds. If
> Barbican is as difficult to deploy as Rob is suggesting (that even
> DogTag is difficult to deploy) maybe developers should be focusing on
> fixing that instead of haphazardly reimplementing Barbican?
> 
> --
> Ian Cordasco
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
