config: Protecting Plaintext Secrets

Use a Secret Management Store to protect plaintext values in the OpenStack Services. Change-Id: Ib2811960b40fe56ac09a48ac4c7658ffb9ee78b9 Implements: bp protect-plaintext-passwords
2017-06-14 14:39:28 -03:00 · 2017-06-14 14:39:28 -03:00 · 0d6fa32479
commit 0d6fa32479
parent 5bd6e3e34a
2 changed files with 156 additions and 0 deletions
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@ -7,6 +7,15 @@
 Oslo Design Specifications
 ============================

+Stein
+=====
+
+.. toctree::
+   :glob:
+   :maxdepth: 1
+
+   specs/stein/*
+
 Rocky
 =====

--- a/specs/stein/secret-management-store.rst
+++ b/specs/stein/secret-management-store.rst
@ -0,0 +1,147 @@
+============================
+Protecting Plaintext Secrets
+============================
+
+bp protecting plaintext password https://blueprints.launchpad.net/oslo.config/+spec/protect-plaintext-passwords
+
+Problem description
+===================
+
+Current OpenStack services require plaintext passwords and credentials for
+various access, e.g. database, keystoneauth, etc.
+
+Even with proper file permissions set on these files, often time during
+troubleshooting sessions, these configuration files are sent via emails
+without the passwords properly redacted.
+
+Also, the ability to change passwords across multiple nodes are
+heavily relying on the deployment tools of choice (ansible, fuel, etc.)
+
+Proposed change
+===============
+
+First of all, in order to properly secure the secrets in those configuration
+files, we should implement an oslo.config driver as described in the oslo spec
+http://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html
+
+Phase 0:
+
+Using HTTP and HTTPS urls as a reference to secrets:
+
+As a basic but useful solution, we proposed using an external URL pointing to
+an HTTP or HTTPS url to access those secrets.
+
+Note: This Phase 0 was merged on oslo.config in the Rocky release.
+
+
+Phase 1:
+
+Currently, on OpenStack, we have a Generic Key Manager interface called
+Castellan, which means that Castellan works on the principle of providing an
+abstracted key manager based on your configuration. In this manner, several
+different management services can be supported through a single interface.
+To integrate Castellan with oslo.config will have a Castellan implementation
+to oslo.config driver defined before.
+
+After that, we will be able to use a Castellan reference for those secrets
+and store it using a proper key store backend. Currently, Castellan supports
+Barbican and also Hashicorp Vault as backends options. For this scenario,
+we will be looking for using Vault as a chosen solution, since we can point
+to an external Vault server with no internal dependencies to other OpenStack
+services, also for authentication and validation methods, since Barbican needs
+Keystone tokens as authentication method also we need to store the Barbican
+and Keystone secrets present in their configuration files.
+
+Phase 2:
+
+Finally, we should use some deployment tool like Ansible to create those
+secrets and store them properly on Vault following the Castellan interface and
+inject those secrets in the configuration files. So, later, we will be able to
+restore it properly in the configuration files, with any necessary manual
+steps.
+
+Consuming projects
+==================
+
+Any OpenStack service which have some secrets in their configuration files,
+such as Glance, Nova, Keystone, Mistral and so on.
+
+Alternatives
+------------
+* Encrypt the configuration files:
+
+Which requires decryption keys and makes difficult to update configurations
+
+* Configuration Management DB (CMDB):
+
+Need to secure database connection credentials
+
+* Other types of providers can be included as a key store solution since those
+  providers implements the Castellan interface, such as Vault or a KMIP device
+
+Security impact
+---------------
+
+This change wants to make OpenStack services passwords and credentials
+management more secure, removing the plaintext passwords in the OpenStack
+services configuration files by using a secure and encrypted alternative
+following the Castellan interface for secrets management.
+
+
+Configuration Impact
+--------------------
+
+For the first phase of this work, the operator can update their configuration
+files to point to the password reference and no more using plaintext
+passwords. Although, after the second phase with the Puppet and/or Ansible
+that change will be made automatically by those tools.
+
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+Primary assignee:
+  raildo
+
+Other contributors:
+  dhellmann
+  moguimar
+  spilla
+
+Milestones
+----------
+
+We are targetting the Phase 0 for Rocky-3 and Phase 1 and Phase 2 for Stein.
+
+Work Items
+----------
+
+* Implement oslo.config driver for URI
+* Implement oslo.config driver for Castellan
+* Documentation
+
+
+Documentation Impact
+====================
+
+We should document how to update the OpenStack Services
+configuration file to use the proper password references
+instead of the plaintext passwords.
+
+
+References
+==========
+
+Oslo PTG discussion: https://etherpad.openstack.org/p/oslo-ptg-queens
+Meetings logs: https://etherpad.openstack.org/p/oslo-config-plaintext-secrets
+Phase 0 on Rocky Release: https://docs.openstack.org/oslo.config/latest/reference/drivers.html
+
+.. note::
+
+  This work is licensed under a Creative Commons Attribution 3.0
+  Unported License.
+  http://creativecommons.org/licenses/by/3.0/legalcode
+