OpenStack projects store passwords in plain text
Bug #1587064 reported by Adam Heczko
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
oslo.config | Invalid | Undecided | Unassigned | |
Bug Description
Problem description:
Currently (as of Mitaka) all OpenStack projects store service passwords within configuration files. Moreover, these passwords (config files) are unencrypted and access to these artifacts is difficult to audit.
Solution proposal:
1. Try to separate storage of passwords (rabbit, mysql, other services) from within 'normal' configuration files.
2. Try to encrypt passwords whenever possible.
3. Try to provide auditing information while accessing password / secret store.
Initial research shows that Python's Keyring project might be a good choice for a simple and effective bug fix.
https:/
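A sketch of points 1 and 3 of the proposal above, added here as an example and not part of the bug report or of oslo.config: the service config carries only a `secret:<name>` reference, and the value is read from a separate owner-only file, with every lookup written to an audit logger. It uses file mode instead of the Keyring library the report mentions and does not encrypt (point 2); the `secret:` syntax, the `[secrets]` section, the `secret_audit` logger name and all sample values are assumptions.

```python
import configparser, logging, os, pathlib, stat, tempfile
audit = logging.getLogger("secret_audit")  # hypothetical audit channel name

class SecretStore:
    """Secrets live in their own file; the service config only references them."""
    def __init__(self, path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # anyone but the owner has access
            raise PermissionError(f"{path} has loose mode {mode:o}")
        self._cp = configparser.ConfigParser(interpolation=None)
        self._cp.read(path)

    def get(self, name, requester):
        found = self._cp.has_option("secrets", name)
        audit.info("secret=%s requester=%s found=%s", name, requester, found)
        if not found:
            raise KeyError(name)
        return self._cp.get("secrets", name)

def resolve(config, store, requester):
    """Return {(section, key): value}, expanding 'secret:<name>' references."""
    out = {}
    for section in config.sections():
        for key, value in config.items(section):
            if value.startswith("secret:"):
                value = store.get(value[len("secret:"):], requester)
            out[(section, key)] = value
    return out

def demo():
    """Run against constructed sample files; returns (resolved, loose_mode_rejected)."""
    with tempfile.TemporaryDirectory() as d:
        spath = pathlib.Path(d, "secrets.conf")
        spath.write_text("[secrets]\nrabbit_password = constructed-pw%1\n")
        spath.chmod(0o644)  # world-readable: the store must refuse it
        try:
            SecretStore(spath)
            rejected = False
        except PermissionError:
            rejected = True
        spath.chmod(0o600)
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read_string("[oslo_messaging_rabbit]\nrabbit_userid = nova\n"
                        "rabbit_password = secret:rabbit_password\n")
        resolved = resolve(cfg, SecretStore(spath), "demo-service")
    return resolved, rejected

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)  # print the audit records
    print(demo())
```

In this sketch the only thing protecting the secret is the ownership and mode of the secrets file, so the service account itself must be able to read it.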
How would you give the service the credentials it needs to decrypt the file? The keyring needs credentials, too.