[Openstack] Service token and credential security
Adam Lawson
alawson at aqorn.com
Sat Apr 5 00:02:49 UTC 2014
Hey OpenStack peeps!
Most of the .conf files within OpenStack contain credentials and/or token
ID's that allow services to talk to each other. And interestingly, I have
not found a way to obfuscate this data from system admins who do not need
the keys to the entire kingdom.
Is there a best practice I'm unaware of that addresses where credentials
are stored and who can access them? Most system admins have root or sudo
access to /etc/program/program.conf and having access to credentials that
give them that level of power seems like either a bug or an oversight (or
evidence I'm a bigger dumbass than I thought).
Can the credentials used by services such as Swift, Keystone, etc be
protected? How are folks currently protecting their installations while
allowing low-level admins to do their work? Does OpenStack support ESSO or
at least the option to encrypt these files somehow? Seems like an audit
issue to me.
Mahalo,
Adam
*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140404/9db96485/attachment.html>
More information about the Openstack
mailing list