Hi all,
I've been looking at a blueprint[0] logged for Murano which involves
encrypting parts of the object model stored in the database that may
contain passwords or sensitive information.
I wanted to see if people had any thoughts or preferences on how this
should be done. On the face of it, it seems Barbican is a good choice
for solving this, and I have read a lengthy discussion around this on the
mailing list from earlier this year[1]. Overall the benefits of Barbican
seem to be that we can handle the encryption and management of secrets
in a common and standard way, and avoid having to implement and maintain
this ourselves. The main drawback for Barbican seems to be that we
impose another service dependency on the operator, though this complaint
seems to be in some way appeased by Castellan, which offers alternative
backends to just Barbican (though unsure right now what those are?). The
alternative to integrating Barbican/Castellan is to use a more
lightweight "roll your own" encryption such as what Glance is using[2].
After we decide on how we want to implement the encryption there is also
the question of how best to expose this feature to users. My current
thought is that we can use Murano attributes, so application authors can
do something like this:
  - name: appPassword
    type: password
    encrypt: true
This would of course be transparent to the end user of the application.
Any thoughts on both issues are very welcome, I hope to have a prototype
in the next few days which may help solidify this also.
Regards,
-Paul.
[0] https://blueprints.launchpad.net/murano/+spec/allow-encrypting-of-muranopl-properties
[1] http://lists.openstack.org/pipermail/openstack-dev/2017-January/110192.html
[2] https://github.com/openstack/glance/blob/48ee8ef4793ed40397613193f09872f474c11abe/glance/common/crypt.py
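As an added example (not Murano's, Glance's or Castellan's code), the sketch below shows one way the proposed `encrypt: true` attribute could drive transparent encryption of object-model properties before they reach the database. The property list and object model are constructed, `LocalKeyBackend` is an assumed stand-in for a Castellan/Barbican key manager, and the cipher is AES-GCM from the cryptography library so stored values are authenticated as well as encrypted.

```python
import base64
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed MuranoPL-style property declarations. 'encrypt' is the
# attribute proposed in the mail; the other fields are assumed.
PROPERTIES = [
    {"name": "appName", "type": "string"},
    {"name": "appPassword", "type": "password", "encrypt": True},
]
OBJECT_MODEL = {"appName": "wiki", "appPassword": "s3cret-hunter2"}  # constructed
PREFIX = "enc:v1:"  # marks a stored value as encrypted, so seal() is idempotent


class LocalKeyBackend:
    # Stand-in for a Castellan/Barbican key manager: one AES-256 key in memory.
    def __init__(self, key=None):
        self.key = key or AESGCM.generate_key(bit_length=256)

    def encrypt(self, plaintext, aad):
        nonce = os.urandom(12)  # fresh per value; GCM is broken by nonce reuse
        ct = AESGCM(self.key).encrypt(nonce, plaintext.encode(), aad)
        return PREFIX + base64.urlsafe_b64encode(nonce + ct).decode()

    def decrypt(self, token, aad):  # raises InvalidTag on tampering/wrong AAD
        raw = base64.urlsafe_b64decode(token[len(PREFIX):])
        return AESGCM(self.key).decrypt(raw[:12], raw[12:], aad).decode()


def encrypted_names(properties):
    return {p["name"] for p in properties if p.get("encrypt")}


def seal(model, properties, backend):
    """Copy of the model with every 'encrypt: true' property encrypted."""
    out = dict(model)
    for name in encrypted_names(properties):
        value = out.get(name)
        if isinstance(value, str) and not value.startswith(PREFIX):
            # The property name is the AAD, so a ciphertext copied into a
            # different field fails authentication instead of decrypting.
            out[name] = backend.encrypt(value, name.encode())
    return out


def unseal(model, properties, backend):
    """Inverse of seal(); unmarked and unencrypted fields pass through."""
    out = dict(model)
    for name in encrypted_names(properties):
        value = out.get(name)
        if isinstance(value, str) and value.startswith(PREFIX):
            out[name] = backend.decrypt(value, name.encode())
    return out
```

Replacing the in-memory backend with a Castellan key manager would leave seal() and unseal() untouched, which is what makes the attribute approach transparent to the application user.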
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev