Barbican default basic file-based keystore not safe for production
Bug #1625340 reported by
Christian Berendt
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| kolla |
Fix Released
|
Critical
|
Duong Ha-Quang | ||
Bug Description
According to the documentation of barbican:
#. Barbican has a plugin architecture which allows the deployer to store secrets in
a number of different back-end secret stores. By default, Barbican is configured to
store secrets in a basic file-based keystore. This key store is NOT safe for
production use.
This basic file-based keystore is used at the moment.
An other problem with this keystore: it is file based. This means that it currently does not work with multiple control nodes because we do not required a shared directory for the Barbican role.
| Changed in kolla: | |
| status: | New → Confirmed |
| importance: | Undecided → Critical |
Revision history for this message
| Christian Berendt (berendt) wrote | #1 |
| Changed in kolla: | |
| milestone: | none → ocata-3 |
| Changed in kolla: | |
| milestone: | ocata-3 → ocata-rc1 |
| Changed in kolla: | |
| assignee: | nobody → Duong Ha-Quang (duonghq) |
| summary: |
- Barbican default basic file-based keystone not safe for production + Barbican default basic file-based keystore not safe for production |
Revision history for this message
| Duong Ha-Quang (duonghq) wrote | #2 |
| Changed in kolla: | |
| status: | Confirmed → Fix Released |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/kolla-ansible 4.0.0.0rc1 | #3 |
To post a comment you must log in.
[21:45:15] <dave-mccowan> database backend would be a better choice.