Octavia should use 'octavia' service user when connecting to barbican
Bug #1627389 reported by
Stephen Balukoff
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| octavia |
Invalid
|
High
|
Unassigned | ||
Bug Description
Right now, Octavia uses the admin user credentials to retrieve TLS containers and secrets from barbican. (Neutron LBaaS does the same, and in fact Octavia may be inheriting its credentials from Neutron LBaaS.)
In order to ensure better division of responsibility and auditability, and to follow the principle of 'least privilege' when dealing with sensitive data (like TLS certificates and keys), Octavia should be using a service user to connect to barbican (ie. something specifically with a different policy profile than the 'admin' user).
I realize that probably both of these projects are not ready for this at this time; We may need to coordinate across projects to make this happen.
Revision history for this message
| Stephen Balukoff (sbalukoff) wrote | #1 |
| Changed in octavia: | |
| importance: | Undecided → High |
| Changed in barbican: | |
| assignee: | nobody → Douglas Mendizábal (dougmendizabal) |
Revision history for this message
| Michael Johnson (johnsom) wrote | #2 |
| no longer affects: | barbican |
Revision history for this message
| Gregory Thiemonge (gthiemonge) wrote auto-abandon-script | #3 |
| Changed in octavia: | |
| status: | New → Invalid |
| tags: | added: auto-abandon |
To post a comment you must log in.
This bug report is related to: https:/