[security][barbican][manila] hiding back end and service user credentials

Juan Antonio Osorio Robles jaosorior at redhat.com
Fri Mar 1 16:25:02 UTC 2019


Hey,


So, this is not something that Barbican can directly help with, given
that it needs keystone for authentication. So, if you want to protect
the keystone user/password, you get into a chicken-and-egg problem then.

That being said, there is work being done to address this issue.

Moises Guimaraes has been working to enable oslo.config to read the
configuration values via drivers, and one of those drivers is castellan
(which allows you to use something like Vault to store secrets).

I'm sure he'll be able to provide you more details if needed.

The next step is to integrate this work into the deployment engines.


Best regards

On 3/1/19 6:13 PM, Tom Barron wrote:
> In manila -- and so far as I can tell, other projects -- service user
> and back end (storage devices, security service) credentials appear
> plaintext in configuration files and in database tables.  These are
> not accessible to ordinary OpenStack users but some cloud deployers
> nonetheless have concerns about this exposure and have asked us to
> tighten things up.
>
> So I want to check for best practices from other projects.  I doubt
> this is a manila-specific concern -- e.g. is barbican already being
> used today by some projects to protect information of this sort?
>
> Thanks,
>
> -- Tom Barron
>
>



