[Openstack] PKI Issue vs UUID
Shinobu Kinjo
skinjo at redhat.com
Mon Sep 21 03:46:36 UTC 2015
> No system but keystone needs access to these keys.
Yeah, this triggers my concerns since keystone would have huge responsibility about security for the stack.
Keystone have r/w permission to key files, and encrypt/decrypt
119 with open(key_file, 'w') as f:
120 f.write(key)
...
227 def load_keys():
228 """Load keys from disk into a list.
And it can control keys.
199 key_files[new_primary_key] = os.path.join(
200 CONF.fernet_tokens.key_repository,
201 str(new_primary_key))
...
220 while len(keys) > (max_active_keys - 1):
221 index_to_purge = keys.pop()
222 key_to_purge = key_files[index_to_purge]
Ref:
https://cryptography.io/en/latest/fernet/
Shinobu
----- Original Message -----
From: "Morgan Fainberg" <morgan.fainberg at gmail.com>
To: "Shinobu Kinjo" <skinjo at redhat.com>
Cc: "Adam Young" <ayoung at redhat.com>, openstack at lists.openstack.org
Sent: Monday, September 21, 2015 12:00:08 PM
Subject: Re: [Openstack] PKI Issue vs UUID
> On Sep 20, 2015, at 19:17, Shinobu Kinjo <skinjo at redhat.com> wrote:
>
> Fernet token sounds like not being persistent, and not having too much information.
> Meaning that it sounds like more secure than UUID and PKI.
>
> And performance wise, it also going to be more reasonable than them.
> It's because of less processes for users validation. And that deployment doesn't look like difficult.
>
> Everything sounds pretty good.
>
> But there would be problematic activity, key rotation.
> And keystone itself still have token file[s], /etc/keystone/fernet-keys/.
> It potentially causes huge security issue.
>
> "./doc/source/configuration.rst" implies this.
>
Fernet keys are only ever utilized on the keystone systems. You will need to secure these keys, but it really is not significantly different than securing the private key utilized to sign the PKI tokens. No system but keystone needs access to these keys.
> Is or would there be further workaround of that tokens to deal with any users information securely and safely.
>
> Shinobu
>
> ----- Original Message -----
> From: "Adam Young" <ayoung at redhat.com>
> To: openstack at lists.openstack.org
> Sent: Monday, September 21, 2015 12:02:30 AM
> Subject: Re: [Openstack] PKI Issue vs UUID
>
>> On 09/19/2015 03:52 PM, Remo Mattei wrote:
>> Hello all,
>>
>> I have notice that when I do the RDO installation of Kilo with the UUID and login with the admin account, I can select which project to spin up new instances and also which project to select from the pull down menu. If I do the same installation using packstack and change the keystone from UUID to PKI, I cannot select any of those options.
>
> Stick with UUID. THere are enough issues with PKI that you should not
> use them.
>
> Fernet tokens are coming, and will help with horizontal scalability.
>
>>
>> Has anyone seen this issue? I notice that there was a bug going on while back but I thought that would have been fixed by now.
>>
>> Thanks for any tips on how to go by this.
>>
>> Remo
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
More information about the Openstack
mailing list