[Openstack] PKI Issue vs UUID

Shinobu Kinjo skinjo at redhat.com
Mon Sep 21 03:46:36 UTC 2015


> No system but keystone needs access to these keys. 

Yeah, this triggers my concerns since keystone would have huge responsibility about security for the stack.

Keystone have r/w permission to key files, and encrypt/decrypt 

119         with open(key_file, 'w') as f:
120             f.write(key)
 ...
227 def load_keys():
228     """Load keys from disk into a list.

And it can control keys.

199     key_files[new_primary_key] = os.path.join(
200         CONF.fernet_tokens.key_repository,
201         str(new_primary_key))
 ...
220     while len(keys) > (max_active_keys - 1):
221         index_to_purge = keys.pop()
222         key_to_purge = key_files[index_to_purge]

Ref:
https://cryptography.io/en/latest/fernet/

Shinobu

----- Original Message -----
From: "Morgan Fainberg" <morgan.fainberg at gmail.com>
To: "Shinobu Kinjo" <skinjo at redhat.com>
Cc: "Adam Young" <ayoung at redhat.com>, openstack at lists.openstack.org
Sent: Monday, September 21, 2015 12:00:08 PM
Subject: Re: [Openstack] PKI Issue vs UUID



> On Sep 20, 2015, at 19:17, Shinobu Kinjo <skinjo at redhat.com> wrote:
> 
> Fernet token sounds like not being persistent, and not having too much information.
> Meaning that it sounds like more secure than UUID and PKI.
> 
> And performance wise, it also going to be more reasonable than them.
> It's because of less processes for users validation. And that deployment doesn't look like difficult.
> 
> Everything sounds pretty good.
> 
> But there would be problematic activity, key rotation.
> And keystone itself still have token file[s], /etc/keystone/fernet-keys/.
> It potentially causes huge security issue.
> 
> "./doc/source/configuration.rst" implies this.
> 

Fernet keys are only ever utilized on the keystone systems. You will need to secure these keys, but it really is not significantly different than securing the private key utilized to sign the PKI tokens. No system but keystone needs access to these keys. 


> Is or would there be further workaround of that tokens to deal with any users information securely and safely.
> 
> Shinobu
> 
> ----- Original Message -----
> From: "Adam Young" <ayoung at redhat.com>
> To: openstack at lists.openstack.org
> Sent: Monday, September 21, 2015 12:02:30 AM
> Subject: Re: [Openstack] PKI Issue vs UUID
> 
>> On 09/19/2015 03:52 PM, Remo Mattei wrote:
>> Hello all,
>> 
>> I have notice that when I do the RDO installation of Kilo with the UUID and login with the admin account, I can select which project to spin up new instances and also which project to select from the pull down menu. If I do the same installation using packstack and change the keystone from UUID to PKI, I cannot select any of those options.
> 
> Stick with UUID.  THere are enough issues with PKI that you should not 
> use them.
> 
> Fernet tokens are coming, and will help with horizontal scalability.
> 
>> 
>> Has anyone seen this issue? I notice that there was a bug going on while back but I thought that would have been fixed by now.
>> 
>> Thanks for any tips on how to go by this.
>> 
>> Remo
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 
> 
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack




More information about the Openstack mailing list