[security][barbican][manila] hiding back end and service user credentials

Tom Barron tpb at dyncloud.net
Sat Mar 2 11:28:11 UTC 2019


On 01/03/19 18:25 +0200, Juan Antonio Osorio Robles wrote:
>Hey,
>
>
>So, this is not something that Barbican can directly help with, given
>that it needs keystone for authentication. So, if you want to protect
>the keystone user/password, you get into a chicken and egg problem then.
>
>That being said, there is work being done to address this issue.
>
>Moises Guimaraes has been working to enable oslo.config to read the
>configuration values via drivers; and one of those drivers is castellan
>(which allows you to use something like Vault to store secrets).
>
>I'm sure he'll be able to provide you more details if needed.
>
>The next step is to integrate this work into the deployment engines.

Thanks!

>
>
>Best regards
>
>On 3/1/19 6:13 PM, Tom Barron wrote:
>> In manila -- and so far as I can tell, other projects -- service user
>> and back end (storage devices, security service) credentials appear in
>> plaintext in configuration files and in database tables.  These are
>> not accessible to ordinary OpenStack users but some cloud deployers
>> nonetheless have concerns about this exposure and have asked us to
>> tighten things up.
>>
>> So I want to check for best practices from other projects.  I doubt
>> this is a manila-specific concern -- e.g. is barbican already being
>> used today by some projects to protect information of this sort?
>>
>> Thanks,
>>
>> -- Tom Barron
>>
>>
>
>


