[Openstack-operators] [Openstack] Service token and credential security

Adam Lawson alawson at aqorn.com
Sat Apr 5 00:02:49 UTC 2014


Hey OpenStack peeps!

Most of the .conf files within OpenStack contain credentials and/or token
IDs that allow services to talk to each other. And interestingly, I have
not found a way to obfuscate this data from system admins who do not need
the keys to the entire kingdom.

Is there a best practice I'm unaware of that addresses where credentials
are stored and who can access them? Most system admins have root or sudo
access to /etc/program/program.conf and having access to credentials that
give them that level of power seems like either a bug or an oversight (or
evidence I'm a bigger dumbass than I thought).

Can the credentials used by services such as Swift, Keystone, etc. be
protected? How are folks currently protecting their installations while
allowing low-level admins to do their work? Does OpenStack support ESSO or
at least the option to encrypt these files somehow? Seems like an audit
issue to me.

Mahalo,
Adam


*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620