[security][barbican][manila] hiding back end and service user credentials

Ben Nemec openstack at nemebean.com
Fri Mar 1 16:31:54 UTC 2019

On 3/1/19 10:13 AM, Tom Barron wrote:
> In manila -- and so far as I can tell, other projects -- service user
> and back end (storage devices, security service) credentials appear 
> plaintext in configuration files and in database tables.  These are not 
> accessible to ordinary OpenStack users but some cloud deployers 
> nonetheless have concerns about this exposure and have asked us to 
> tighten things up.
> So I want to check for best practices from other projects.  I doubt this 
> is a manila-specific concern -- e.g. is barbican already being used 
> today by some projects to protect information of this sort?

This has been a pretty common concern for years in OpenStack. The good 
news is that this cycle we added a feature to Castellan that allows 
config secrets to be stored securely. Unfortunately, it doesn't appear 
to have been added to the project docs[0] (ugh, not even a release 
note), but you can see the documentation in the docstring for the 
file[1]. I'll work on getting the published docs updated.

There is also a less secure, but potentially simpler option in 
oslo.config itself[2]. It allows secrets to be stored remotely and 
retrieved over HTTP(S). Obviously anyone who is able to read the config 
file can probably curl the URL too, but at least you won't accidentally 
copy-paste secrets while debugging.

That takes care of the config aspect. I can't comment on what gets 
stored in the database though. Hopefully someone else has advice on that.


0: https://bugs.launchpad.net/castellan/+bug/1818258

> Thanks,
> -- Tom Barron

More information about the openstack-discuss mailing list