[OpenStack-Infra] [openstack-dev] [infra][security] Encryption in Zuul v3
James E. Blair
corvus at inaugust.com
Wed Mar 22 15:02:05 UTC 2017
Ian Cordasco <sigmavirus24 at gmail.com> writes:
> On Tue, Mar 21, 2017 at 6:10 PM, James E. Blair <corvus at inaugust.com> wrote:
>> We did talk about some other options, though unfortunately it doesn't
>> look like a lot of that made it into the spec reviews. Among them, it's
>> probably worth noting that there's nothing preventing a Zuul deployment
>> from relying on some third-party secret system -- if you can use it with
>> Ansible, you should be able to use it with Zuul. But we also want Zuul
>> to have these features out of the box, and, wearing our sysadmin hats,
>> we're really keen on having source control and code review for the
>> system secrets for the OpenStack project.
>>
>> Vault alone doesn't meet our requirements here because it relies on
>> symmetric encryption, which means we need users to share a key with
>> Zuul, implying an extra service with out-of-band authn/authz. However,
>> we *could* use our PKCS#1 style system to share a vault key with Zuul.
>> I don't think that has come up as a suggestion yet, but seems like it
>> would work.
>
> I suppose Barbican doesn't meet those requirements either, then, yes?
Right -- we don't want to require another service or tie Zuul to an
authn/authz system for a fundamental feature. However, I do think we
can look at making integration with Barbican and similar systems an
option for folks who have such an installation and prefer to use it.
-Jim
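The distinction drawn above (a symmetric Vault key has to be shared with Zuul through some extra channel, whereas a PKCS#1-style public key lets a user encrypt a secret that only Zuul can read, so the ciphertext can live in source control and go through code review) is illustrated by the following added example. It is not Zuul's own code and not part of this thread; it uses Go's standard-library RSA-OAEP in place of whatever Zuul itself ships, and the per-project key pair, the "vault token" payload and the function names are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// GenerateProjectKey stands in for the per-project key pair that the CI system
// (Zuul, in the thread above) would hold. Only the public half is ever handed
// to users; the private half never leaves the executor side.
func GenerateProjectKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// MaxSecretLen is the largest payload a single RSA-OAEP block can carry for
// this key with SHA-256. A Vault token or symmetric key fits easily; anything
// larger must be wrapped under a symmetric key first, which is not shown here.
func MaxSecretLen(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// EncryptForCI is the user side: wrap the secret under the project public key.
// The result is safe to commit and review, because decrypting it requires the
// private key, not a shared secret. Base64 keeps it text-friendly for YAML.
func EncryptForCI(pub *rsa.PublicKey, secret []byte) (string, error) {
	if len(secret) > MaxSecretLen(pub) {
		return "", fmt.Errorf("secret of %d bytes exceeds OAEP limit of %d", len(secret), MaxSecretLen(pub))
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptInCI is the executor side: unwrap the committed ciphertext with the
// private key. A ciphertext produced for a different project's key fails here
// with rsa.ErrDecryption rather than yielding garbage.
func DecryptInCI(priv *rsa.PrivateKey, encoded string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	priv, err := GenerateProjectKey(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload: the kind of short credential (a Vault
	// token or wrapping key) the thread proposes sharing this way.
	encrypted, err := EncryptForCI(&priv.PublicKey, []byte("hvs.example-vault-token"))
	if err != nil {
		panic(err)
	}
	fmt.Println("commit to repo:", encrypted[:32], "...")
	plain, err := DecryptInCI(priv, encrypted)
	if err != nil {
		panic(err)
	}
	fmt.Println("executor sees:", string(plain))
}
```

The point the functions make is that the user never holds anything Zuul needs to keep secret: the only value that crosses from user to CI is ciphertext, and the only sensitive value is the executor's private key. The `MaxSecretLen` check is where a practitioner usually trips first, since RSA-OAEP carries at most a few hundred bytes per block, which is enough for a key or token but not for an arbitrary file.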