[openstack-dev] [barbican] default devstack barbican secret store ? and big picture question ?
Waines, Greg
Greg.Waines at windriver.com
Mon Jun 18 17:23:27 UTC 2018
Hey ... a couple of NEWBIE questions for the Barbican Team.
I just set up a devstack with Barbican @ stable/queens.
Ran through the “Verify operation” commands ( https://docs.openstack.org/barbican/latest/install/verify.html ) ... Everything worked.
stack at barbican:~/devstack$ openstack secret list
stack at barbican:~/devstack$ openstack secret store --name mysecret --payload j4=]d21
+---------------+--------------------------------------------------------------------------------+
| Field | Value |
+---------------+--------------------------------------------------------------------------------+
| Secret href | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 |
| Name | mysecret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+--------------------------------------------------------------------------------+
stack at barbican:~/devstack$
stack at barbican:~/devstack$
stack at barbican:~/devstack$ openstack secret list
+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Secret type | Mode | Expiration |
+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 | mysecret | 2018-06-18T14:47:45+00:00 | ACTIVE | {u'default': u'text/plain'} | aes | 256 | opaque | cbc | None |
+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
stack at barbican:~/devstack$ openstack secret get http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1
+---------------+--------------------------------------------------------------------------------+
| Field | Value |
+---------------+--------------------------------------------------------------------------------+
| Secret href | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 |
| Name | mysecret |
| Created | 2018-06-18T14:47:45+00:00 |
| Status | ACTIVE |
| Content types | {u'default': u'text/plain'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+--------------------------------------------------------------------------------+
stack at barbican:~/devstack$ openstack secret get http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 --payload
+---------+---------+
| Field | Value |
+---------+---------+
| Payload | j4=]d21 |
+---------+---------+
stack at barbican:~/devstack$
QUESTIONS:
* In this basic devstack setup, what is being used as the secret store?
  * E.g. /etc/barbican/barbican.conf for devstack is simply:
stack at barbican:~/devstack$ more /etc/barbican/barbican.conf
[DEFAULT]
transport_url = rabbit://stackrabbit:admin@10.10.10.17:5672
db_auto_create = False
sql_connection = mysql+pymysql://root:admin@127.0.0.1/barbican?charset=utf8
logging_exception_prefix = %(color)s%(asctime)s.%(msecs)03d TRACE %(name)s %(instance)s
logging_debug_format_suffix = from (pid=%(process)d) %(funcName)s %(pathname)s:%(lineno)d
logging_default_format_string = %(asctime)s.%(msecs)03d %(color)s%(levelname)s %(name)s [-%(color)s] %(instance)s%(color)s%(message)s
logging_context_format_string = %(asctime)s.%(msecs)03d %(color)s%(levelname)s %(name)s [%(request_id)s %(project_name)s %(user_name)s%(color)s] %(instance)s%(color)s%(message)s
use_stderr = True
log_file = /opt/stack/logs/barbican.log
host_href = http://10.10.10.17/key-manager
debug = True
[keystone_authtoken]
memcached_servers = localhost:11211
signing_dir = /var/cache/barbican
cafile = /opt/stack/data/ca-bundle.pem
project_domain_name = Default
project_name = service
user_domain_name = Default
password = admin
username = barbican
auth_url = http://10.10.10.17/identity
auth_type = password
[keystone_notifications]
enable = True
stack at barbican:~/devstack$
* What is the basic strategy here wrt Barbican providing secure secret storage?
  e.g.
  * Secrets are stored encrypted in some secret store?
    * Again, for default devstack, what is that secret store? (assuming it is NOT the DB being used for general openstack services’ tables)
      * i.e. assuming it is a separate DB or file or directory of files
    * What key is used for encryption? ...
  * The UUID of the Barbican ‘secret’ object in the Barbican openstack DB table is the ‘external reference’ for the secret?
    * ? and this ‘secret’ object has the internal reference for the secret in the secret store?
  * ADMIN privileges are required to access the Barbican ‘secret’ objects?
  * Soooo ... the secrets are stored in encrypted format and can only be referenced / retrieved in plain text with ADMIN privileges
    * Is this the basis of the strategy?
Thanks in advance,
Greg.
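The post asks what the devstack secret store is and how the stored payload is protected. As an added illustration (not Barbican's code, and not part of the original message), the script below models the key hierarchy that the default store_crypto/simple_crypto plugins are understood to use: a master KEK from the [simple_crypto_plugin] section of barbican.conf wraps a per-project KEK that is kept in the Barbican database, and that project KEK encrypts each secret payload, so the database holds only wrapped keys and ciphertext. The class and method names are mine; the Fernet usage is assumed to mirror the plugin.

```python
"""Added illustration (not Barbican code) of the key hierarchy that Barbican's
default store_crypto/simple_crypto plugins are understood to use. Needs `cryptography`."""
from cryptography.fernet import Fernet, InvalidToken

# Constructed stand-in for [simple_crypto_plugin] kek in barbican.conf; a real
# deployment generates its own and never keeps the sample-config value.
MASTER_KEK = Fernet.generate_key()

class SimpleCryptoStore:
    """In-memory analogue of the kek_data / encrypted_data tables."""

    def __init__(self, master_kek: bytes) -> None:
        self._master = Fernet(master_kek)
        self._project_keks: dict[str, bytes] = {}  # project_id -> wrapped KEK
        self._secrets: dict[str, bytes] = {}       # secret_id -> ciphertext

    def _project_kek(self, project_id: str) -> Fernet:
        # First use: generate a project KEK and persist it only wrapped under
        # the master KEK (the role of bind_kek_metadata in the plugin).
        if project_id not in self._project_keks:
            self._project_keks[project_id] = self._master.encrypt(Fernet.generate_key())
        return Fernet(self._master.decrypt(self._project_keks[project_id]))

    def store(self, project_id: str, secret_id: str, payload: bytes) -> bytes:
        ciphertext = self._project_kek(project_id).encrypt(payload)
        self._secrets[secret_id] = ciphertext
        return ciphertext

    def retrieve(self, project_id: str, secret_id: str) -> bytes:
        # Another project resolves to a different KEK, so Fernet rejects the
        # token (InvalidToken) instead of decrypting it.
        return self._project_kek(project_id).decrypt(self._secrets[secret_id])

    def stored_values(self) -> list[bytes]:
        # Everything an attacker with database access alone would obtain.
        return list(self._project_keks.values()) + list(self._secrets.values())

def demo() -> dict:
    store = SimpleCryptoStore(MASTER_KEK)
    payload = b"j4=]d21"  # payload from the posted `openstack secret store` run
    secret_id = "87eb0f18-e417-45a8-ae49-187f8d8c98d1"  # href UUID from the post
    store.store("project-a", secret_id, payload)
    try:
        store.retrieve("project-b", secret_id)
        cross_project = True
    except InvalidToken:
        cross_project = False
    return {"roundtrip": store.retrieve("project-a", secret_id) == payload,
            "plaintext_in_db": any(payload in v for v in store.stored_values()),
            "cross_project": cross_project}
```

The practical consequence is that a copy of the database alone yields nothing readable; whoever holds the master KEK from barbican.conf can unwrap every project KEK, which is why that value (and the config file's permissions) is the thing to protect.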