[openstack-dev] [oslo.config][castellan][tripleo][ptg]Protecting plain text secrets in configuration files

Raildo Mascena de Sousa Filho rmascena at redhat.com
Fri Feb 2 17:34:12 UTC 2018


Hello folks,

Various regulations and best practices say that passwords and other secret
values should not be stored in plain text in configuration files. There are
"secret store" services to manage values that should be kept secure.
Castellan provides an abstraction API for accessing those services. [1]
In this manner, several different management services can be supported
through a single interface. Then, we will be able to use a Castellan
reference for those secrets and store them using a proper key store backend.
Currently, Castellan supports Barbican and Vault as backends, so for this
case we should use a lighter solution, such as Custodia[2], which works
as a Secrets-as-a-Service API and is a lightweight solution compared
with Barbican. Besides that, Custodia has some good features, like an
overlaid encryption backend that can be used to store that secret.

Currently, we have the oslo.config interface for pluggable drivers in
progress[3], as well as the Custodia backend support for Castellan.[4] We are
planning to start the Castellan driver for oslo.config as soon as we have
that interface done.

In the next few weeks there will be the Dublin PTG, and we are planning to
discuss this topic further in the Oslo session[5], so if you are interested in
discussing/contributing to this topic and you will be attending the PTG,
please add yourself as an interested person in the topic. Also, we are
planning to integrate this whole feature with TripleO in the near future, so
we are planning to discuss with the TripleO team a proper way to have that
supported as well.[6]

Finally, if you want to be closer to this topic, or if you want to contribute
to this feature, we are having weekly meetings on Tuesday at 1600 UTC on
#openstack-meeting-3; we will be glad to have you working with us.

[1] https://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html
[2] https://custodia.readthedocs.io/en/latest/readme.html
[3] https://review.openstack.org/#/c/513844/
[4] https://review.openstack.org/#/c/515190/
[5] https://etherpad.openstack.org/p/oslo-ptg-rocky
[6] https://etherpad.openstack.org/p/tripleo-ptg-rocky
[7] https://etherpad.openstack.org/p/oslo-config-plaintext-secrets

Cheers,

-- 

Raildo mascena

Software Engineer, Identity Management

Red Hat

<https://www.redhat.com>
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
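The pattern the message describes, a configuration file that carries a reference to a secret instead of the secret itself, with the reference resolved through a backend-agnostic key manager at load time, as an added example that is not code from the original post nor from oslo.config or Castellan. The `secret://` reference syntax, the `InMemoryKeyManager` stand-in for a Castellan backend and the `resolve_secret_options()` helper are assumptions made for this illustration.

```python
"""Resolve secret references from an INI-style config instead of storing
plaintext. Added example; the reference scheme, the in-memory key manager
and the helper are assumptions, not the oslo.config/Castellan API."""
import configparser
from urllib.parse import urlparse

# Constructed sample config: the database password is a reference, while the
# keystone_authtoken section still carries a plaintext secret for contrast.
SAMPLE_CONFIG = """
[database]
connection = mysql+pymysql://nova@db.example.internal/nova
password = secret://nova-db-password

[keystone_authtoken]
password = plain-text-password-left-behind
"""


class SecretResolutionError(Exception):
    """A reference could not be resolved; callers must not fall back to it."""


class InMemoryKeyManager:
    """Stand-in (assumption) for a Castellan backend such as Barbican,
    Vault or Custodia: maps secret ids to secret values."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)

    def get(self, secret_id):
        if secret_id not in self._secrets:
            raise SecretResolutionError(f"unknown secret reference {secret_id!r}")
        return self._secrets[secret_id]


def resolve_secret_options(config_text, key_manager, scheme="secret"):
    """Return (resolved_options, plaintext_password_options).

    Values of the form <scheme>://<id> are replaced by the value the key
    manager returns. Password options that are not references are reported
    so a deployer can audit what still lives in plaintext. An unresolvable
    reference raises instead of handing the literal URL to the service."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    resolved, plaintext = {}, []
    for section in parser.sections():
        resolved[section] = {}
        for option, value in parser.items(section):
            url = urlparse(value)
            if url.scheme == scheme:
                resolved[section][option] = key_manager.get(url.netloc)
            else:
                if option == "password":
                    plaintext.append(f"{section}.{option}")
                resolved[section][option] = value
    return resolved, plaintext
```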