Hey ... a couple of NEWBIE questions for the Barbican Team.

I just setup a devstack with Barbican @ stable/queens .

Ran through the “Verify operation” commands (https://docs.openstack.org/barbican/latest/install/verify.html) ... Everything worked.

stack@barbican:~/devstack$ openstack secret list

stack@barbican:~/devstack$ openstack secret store --name mysecret --payload j4=]d21
+---------------+--------------------------------------------------------------------------------+
| Field         | Value                                                                          |
+---------------+--------------------------------------------------------------------------------+
| Secret href   | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 |
| Name          | mysecret                                                                       |
| Created       | None                                                                           |
| Status        | None                                                                           |
| Content types | None                                                                           |
| Algorithm     | aes                                                                            |
| Bit length    | 256                                                                            |
| Secret type   | opaque                                                                         |
| Mode          | cbc                                                                            |
| Expiration    | None                                                                           |
+---------------+--------------------------------------------------------------------------------+
stack@barbican:~/devstack$
stack@barbican:~/devstack$ openstack secret list
+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                                    | Name     | Created                   | Status | Content types               | Algorithm | Bit length | Secret type | Mode | Expiration |
+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 | mysecret | 2018-06-18T14:47:45+00:00 | ACTIVE | {u'default': u'text/plain'} | aes       |        256 | opaque      | cbc  | None       |
+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
stack@barbican:~/devstack$ openstack secret get http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1
+---------------+--------------------------------------------------------------------------------+
| Field         | Value                                                                          |
+---------------+--------------------------------------------------------------------------------+
| Secret href   | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 |
| Name          | mysecret                                                                       |
| Created       | 2018-06-18T14:47:45+00:00                                                      |
| Status        | ACTIVE                                                                         |
| Content types | {u'default': u'text/plain'}                                                    |
| Algorithm     | aes                                                                            |
| Bit length    | 256                                                                            |
| Secret type   | opaque                                                                         |
| Mode          | cbc                                                                            |
| Expiration    | None                                                                           |
+---------------+--------------------------------------------------------------------------------+
stack@barbican:~/devstack$ openstack secret get http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 --payload
+---------+---------+
| Field   | Value   |
+---------+---------+
| Payload | j4=]d21 |
+---------+---------+
stack@barbican:~/devstack$


QUESTIONS:

  *   In this basic devstack setup, what is being used as the secret store?
     *   E.g. /etc/barbican/barbican.conf for devstack is simply:

stack@barbican:~/devstack$ more /etc/barbican/barbican.conf

[DEFAULT]
transport_url = rabbit://stackrabbit:admin@10.10.10.17:5672
db_auto_create = False
sql_connection = mysql+pymysql://root:admin@127.0.0.1/barbican?charset=utf8
logging_exception_prefix = %(color)s%(asctime)s.%(msecs)03d TRACE %(name)s %(instance)s
logging_debug_format_suffix = from (pid=%(process)d) %(funcName)s %(pathname)s:%(lineno)d
logging_default_format_string = %(asctime)s.%(msecs)03d %(color)s%(levelname)s %(name)s [-%(color)s] %(instance)s%(color)s%(message)s
logging_context_format_string = %(asctime)s.%(msecs)03d %(color)s%(levelname)s %(name)s [%(request_id)s %(project_name)s %(user_name)s%(color)s] %(instance)s%(color)s%(message)s
use_stderr = True
log_file = /opt/stack/logs/barbican.log
host_href = http://10.10.10.17/key-manager
debug = True

[keystone_authtoken]
memcached_servers = localhost:11211
signing_dir = /var/cache/barbican
cafile = /opt/stack/data/ca-bundle.pem
project_domain_name = Default
project_name = service
user_domain_name = Default
password = admin
username = barbican
auth_url = http://10.10.10.17/identity
auth_type = password

[keystone_notifications]
enable = True
stack@barbican:~/devstack$



  *   What is the basic strategy here wrt Barbican providing secure secret storage?
e.g.
     *   Secrets are stored encrypted in some secret store?
        *   Again, for default devstack, what is that secret store? (assuming it is NOT the DB being used for general openstack services’ tables)
           *   i.e. assuming it is a separate DB or file or directory of files
        *   What key is used for encryption? ...

     *   The UUID of the Barbican ‘secret’ object in the Barbican openstack DB table is the ‘external reference’ for the secret?
        *   ? and this ‘secret’ object has the internal reference for the secret in the secret store?

     *   ADMIN privileges are required to access the Barbican ‘secret’ objects?

     *   Soooo ... the secrets are stored in encrypted format and can only be referenced / retrieved in plain text with ADMIN privileges
        *   Is this the basis of the strategy?


Thanks in advance,
Greg.
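As an added example (not from the post or the Barbican project), a small Python audit of the barbican.conf shown above: it parses the oslo-style file with interpolation disabled (the %(...)s logging tokens otherwise break ConfigParser), reports whether the sections Barbican reads to choose its secret-store and crypto plugins ([secretstore], [crypto], [simple_crypto]) are set explicitly, and flags credentials embedded in connection URLs or stored in plaintext. The embedded config is an abridged copy of the one in the post.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: abridged copy of the barbican.conf in the post; the
# logging option is kept because its %(...)s tokens trip up naive INI parsing.
SAMPLE_CONF = """\
[DEFAULT]
transport_url = rabbit://stackrabbit:admin@10.10.10.17:5672
sql_connection = mysql+pymysql://root:admin@127.0.0.1/barbican?charset=utf8
logging_default_format_string = %(asctime)s.%(msecs)03d %(color)s%(levelname)s
host_href = http://10.10.10.17/key-manager
debug = True

[keystone_authtoken]
password = admin
username = barbican
auth_url = http://10.10.10.17/identity
"""

# Sections Barbican reads to select its secret-store / crypto plugin and KEK.
PLUGIN_SECTIONS = ("secretstore", "crypto", "simple_crypto")
# [DEFAULT] options whose values are connection URLs that may carry a password.
URL_KEYS = ("transport_url", "sql_connection")


def parse_conf(text):
    # interpolation=None: oslo.config files contain literal %(name)s tokens that
    # ConfigParser's default BasicInterpolation would reject as bad references.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(text):
    """Return a list of findings (strings) for one barbican.conf body."""
    cp = parse_conf(text)
    findings = []
    missing = [s for s in PLUGIN_SECTIONS if not cp.has_section(s)]
    if missing:
        findings.append("no explicit plugin config (built-in defaults apply): "
                        + ", ".join(missing))
    for key in URL_KEYS:
        if cp.has_option("DEFAULT", key):
            url = urlsplit(cp.get("DEFAULT", key))
            if url.password:
                findings.append(f"{key}: password for '{url.username}' embedded in URL")
    for section in cp.sections():
        if cp.has_option(section, "password") and cp.get(section, "password"):
            findings.append(f"[{section}] password stored in plaintext")
    return findings
```

Run against the sample it reports four findings: no explicit plugin sections, passwords inside transport_url and sql_connection, and the plaintext keystone_authtoken password.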

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev