Hey OpenStack peeps! Most of the .conf files within OpenStack contain credentials and/or token IDs that allow services to talk to each other. And interestingly, I have not found a way to obfuscate this data from system admins who do not need the keys to the entire kingdom.
Is there a best practice I'm unaware of that addresses where credentials are stored and who can access them? Most system admins have root or sudo access to /etc/program/program.conf, and having access to credentials that give them that level of power seems like either a bug or an oversight (or evidence I'm a bigger dumbass than I thought).

Can the credentials used by services such as Swift, Keystone, etc. be protected? How are folks currently protecting their installations while allowing low-level admins to do their work? Does OpenStack support ESSO or at least the option to encrypt these files somehow? Seems like an audit issue to me.

Mahalo,
Adam

*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (888) 406-7620
