[Openstack] PKI Issue vs UUID

Morgan Fainberg morgan.fainberg at gmail.com
Mon Sep 21 04:29:06 UTC 2015 


On Sep 20, 2015, at 20:46, Shinobu Kinjo <skinjo at redhat.com> wrote:

>> No system but keystone needs access to these keys.
> 
> Yeah, this triggers my concerns since keystone would have huge responsibility about security for the stack.
> 
> Keystone have r/w permission to key files, and encrypt/decrypt 
> 

Keystone already has a massive level of responsibility with regards to security in openstack. 


> 119         with open(key_file, 'w') as f:
> 120             f.write(key)
> ...

This is only required if you use the keystone-manage rotate keys. You can deploy keys via a CMS or otherwise. 

> 227 def load_keys():
> 228     """Load keys from disk into a list.
> 
> And it can control keys.
> 
> 199     key_files[new_primary_key] = os.path.join(
> 200         CONF.fernet_tokens.key_repository,
> 201         str(new_primary_key))
> ...
> 220     while len(keys) > (max_active_keys - 1):
> 221         index_to_purge = keys.pop()
> 222         key_to_purge = key_files[index_to_purge]
> 

This is no different than keystone being able to issue UUID tokens (if keystone is compromised the db connection can be compromised, this means the compromiser can inject a row into the db via direct sql manipulation, granting tokens. 

Likewise, you need to secure the private key in the case if PKI tokens. If the private key is compromised, you also have similar issues. 

> Ref:
> https://cryptography.io/en/latest/fernet/
> 
> Shinobu
> 
> ----- Original Message -----
> From: "Morgan Fainberg" <morgan.fainberg at gmail.com>
> To: "Shinobu Kinjo" <skinjo at redhat.com>
> Cc: "Adam Young" <ayoung at redhat.com>, openstack at lists.openstack.org
> Sent: Monday, September 21, 2015 12:00:08 PM
> Subject: Re: [Openstack] PKI Issue vs UUID
> 
> 
> 
>> On Sep 20, 2015, at 19:17, Shinobu Kinjo <skinjo at redhat.com> wrote:
>> 
>> Fernet token sounds like not being persistent, and not having too much information.
>> Meaning that it sounds like more secure than UUID and PKI.
>> 
>> And performance wise, it also going to be more reasonable than them.
>> It's because of less processes for users validation. And that deployment doesn't look like difficult.
>> 
>> Everything sounds pretty good.
>> 
>> But there would be problematic activity, key rotation.
>> And keystone itself still have token file[s], /etc/keystone/fernet-keys/.
>> It potentially causes huge security issue.
>> 
>> "./doc/source/configuration.rst" implies this.
> 
> Fernet keys are only ever utilized on the keystone systems. You will need to secure these keys, but it really is not significantly different than securing the private key utilized to sign the PKI tokens. No system but keystone needs access to these keys. 
> 
> 
>> Is or would there be further workaround of that tokens to deal with any users information securely and safely.
>> 
>> Shinobu
>> 
>> ----- Original Message -----
>> From: "Adam Young" <ayoung at redhat.com>
>> To: openstack at lists.openstack.org
>> Sent: Monday, September 21, 2015 12:02:30 AM
>> Subject: Re: [Openstack] PKI Issue vs UUID
>> 
>>> On 09/19/2015 03:52 PM, Remo Mattei wrote:
>>> Hello all,
>>> 
>>> I have notice that when I do the RDO installation of Kilo with the UUID and login with the admin account, I can select which project to spin up new instances and also which project to select from the pull down menu. If I do the same installation using packstack and change the keystone from UUID to PKI, I cannot select any of those options.
>> 
>> Stick with UUID.  THere are enough issues with PKI that you should not 
>> use them.
>> 
>> Fernet tokens are coming, and will help with horizontal scalability.
>> 
>>> 
>>> Has anyone seen this issue? I notice that there was a bug going on while back but I thought that would have been fixed by now.
>>> 
>>> Thanks for any tips on how to go by this.
>>> 
>>> Remo
>>> _______________________________________________
>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> 
>> 
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> 
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

More information about the Openstack mailing list