[openstack-dev] [barbican] default devstack barbican secret store ? and big picture question ?

Waines, Greg Greg.Waines at windriver.com
Mon Jun 18 17:23:27 UTC 2018


Hey ... a couple of newbie questions for the Barbican Team.

I just setup a devstack with Barbican @ stable/queens .

Ran through the “Verify operation” commands ( https://docs.openstack.org/barbican/latest/install/verify.html ) ... Everything worked.

stack at barbican:~/devstack$ openstack secret list

stack at barbican:~/devstack$ openstack secret store --name mysecret --payload j4=]d21
+---------------+--------------------------------------------------------------------------------+
| Field         | Value                                                                          |
+---------------+--------------------------------------------------------------------------------+
| Secret href   | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 |
| Name          | mysecret                                                                       |
| Created       | None                                                                           |
| Status        | None                                                                           |
| Content types | None                                                                           |
| Algorithm     | aes                                                                            |
| Bit length    | 256                                                                            |
| Secret type   | opaque                                                                         |
| Mode          | cbc                                                                            |
| Expiration    | None                                                                           |
+---------------+--------------------------------------------------------------------------------+
stack at barbican:~/devstack$
stack at barbican:~/devstack$ openstack secret list
+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                                    | Name     | Created                   | Status | Content types               | Algorithm | Bit length | Secret type | Mode | Expiration |
+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 | mysecret | 2018-06-18T14:47:45+00:00 | ACTIVE | {u'default': u'text/plain'} | aes       |        256 | opaque      | cbc  | None       |
+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
stack at barbican:~/devstack$ openstack secret get http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1
+---------------+--------------------------------------------------------------------------------+
| Field         | Value                                                                          |
+---------------+--------------------------------------------------------------------------------+
| Secret href   | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 |
| Name          | mysecret                                                                       |
| Created       | 2018-06-18T14:47:45+00:00                                                      |
| Status        | ACTIVE                                                                         |
| Content types | {u'default': u'text/plain'}                                                    |
| Algorithm     | aes                                                                            |
| Bit length    | 256                                                                            |
| Secret type   | opaque                                                                         |
| Mode          | cbc                                                                            |
| Expiration    | None                                                                           |
+---------------+--------------------------------------------------------------------------------+
stack at barbican:~/devstack$ openstack secret get http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 --payload
+---------+---------+
| Field   | Value   |
+---------+---------+
| Payload | j4=]d21 |
+---------+---------+
stack at barbican:~/devstack$


QUESTIONS:

  *   In this basic devstack setup, what is being used as the secret store ?
     *   E.g. /etc/barbican/barbican.conf for devstack is simply:

stack at barbican:~/devstack$ more /etc/barbican/barbican.conf

[DEFAULT]
transport_url = rabbit://stackrabbit:admin@10.10.10.17:5672
db_auto_create = False
sql_connection = mysql+pymysql://root:admin@127.0.0.1/barbican?charset=utf8
logging_exception_prefix = %(color)s%(asctime)s.%(msecs)03d TRACE %(name)s %(instance)s
logging_debug_format_suffix = from (pid=%(process)d) %(funcName)s %(pathname)s:%(lineno)d
logging_default_format_string = %(asctime)s.%(msecs)03d %(color)s%(levelname)s %(name)s [-%(color)s] %(instance)s%(color)s%(message)s
logging_context_format_string = %(asctime)s.%(msecs)03d %(color)s%(levelname)s %(name)s [%(request_id)s %(project_name)s %(user_name)s%(color)s] %(instance)s%(color)s%(message)s
use_stderr = True
log_file = /opt/stack/logs/barbican.log
host_href = http://10.10.10.17/key-manager
debug = True

[keystone_authtoken]
memcached_servers = localhost:11211
signing_dir = /var/cache/barbican
cafile = /opt/stack/data/ca-bundle.pem
project_domain_name = Default
project_name = service
user_domain_name = Default
password = admin
username = barbican
auth_url = http://10.10.10.17/identity
auth_type = password

[keystone_notifications]
enable = True
stack at barbican:~/devstack$



  *   What is the basic strategy here wrt Barbican providing secure secret storage ?
e.g.
     *   Secrets are stored encrypted in some secret store ?
        *   Again, for default devstack, what is that secret store ?   (assuming it is NOT the DB being used for general openstack services’ tables)
           *   i.e. assuming it is separate DB or file or directory of files
        *   What key is used for encryption ? ...

     *   The UUID of the Barbican ‘secret’ object in the Barbican openstack DB Table is the ‘external reference’ for the secret ?
        *   ? and this ‘secret’ object has the internal reference for the secret in the secret store ?

     *   ADMIN privileges are required to access the Barbican ‘secret’ objects ?



     *   Soooo ... the secrets are stored in encrypted format and can only be referenced / retrieved in plain text with ADMIN privileges
        *   Is this the basis of the strategy ?


Thanks in advance,
Greg.
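The question of which secret store a devstack barbican.conf actually selects can be answered by inspecting the file for the sections that choose the backend. The following checker is an added example, not code from the post or from the Barbican project; it assumes Barbican's documented defaults, namely that an absent [secretstore] section selects the store_crypto plugin, an absent [crypto] section selects the simple_crypto plugin, and that simple_crypto falls back to a built-in, publicly known KEK when [simple_crypto] kek is not set. The two sample configs are constructed; the first mirrors the relevant parts of the file quoted above.

```python
import configparser
import io

# Constructed sample mirroring the devstack barbican.conf quoted in the post:
# no [secretstore], [crypto] or [simple_crypto] section is present at all.
DEVSTACK_CONF = """
[DEFAULT]
logging_default_format_string = %(asctime)s.%(msecs)03d %(levelname)s %(message)s
host_href = http://10.10.10.17/key-manager
debug = True

[keystone_authtoken]
auth_type = password
"""

# Constructed hardened variant: backend chosen explicitly and a KEK supplied.
# The kek value is a placeholder, not a real key.
HARDENED_CONF = """
[secretstore]
enabled_secretstore_plugins = store_crypto

[crypto]
enabled_crypto_plugins = simple_crypto

[simple_crypto]
kek = <BASE64_32_BYTE_KEK_PLACEHOLDER>
"""

# Assumed Barbican defaults (see lead-in) used when the sections are absent.
DEFAULT_STORE_PLUGINS = "store_crypto"
DEFAULT_CRYPTO_PLUGINS = "simple_crypto"


def inspect_secret_store(conf_text):
    """Report which secret-store backend a barbican.conf selects and which
    security-relevant settings are being left to defaults."""
    # interpolation=None: the [DEFAULT] logging formats contain %(...) tokens.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    store = cp.get("secretstore", "enabled_secretstore_plugins",
                   fallback=DEFAULT_STORE_PLUGINS)
    crypto = cp.get("crypto", "enabled_crypto_plugins",
                    fallback=DEFAULT_CRYPTO_PLUGINS)
    kek_set = cp.has_option("simple_crypto", "kek")
    findings = []
    if not cp.has_section("secretstore"):
        findings.append("no [secretstore] section: default plugin '%s' selected" % store)
    if "simple_crypto" in crypto and not kek_set:
        findings.append("simple_crypto in use but [simple_crypto] kek unset: built-in default KEK")
    return {"store_plugins": store, "crypto_plugins": crypto,
            "kek_configured": kek_set, "findings": findings}
```

Run it against the real file with `inspect_secret_store(open("/etc/barbican/barbican.conf").read())`; an empty findings list means the backend and KEK were chosen deliberately rather than inherited from defaults.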






