Octavia should use 'octavia' service user when connecting to barbican

Bug #1627389 reported by Stephen Balukoff on 2016-09-24

Bug Description

Right now, Octavia uses the admin user credentials to retrieve TLS containers and secrets from barbican. (Neutron LBaaS does the same, and in fact Octavia may be inheriting its credentials from Neutron LBaaS.)

In order to ensure better division of responsibility and auditability, and to follow the principle of 'least privilege' when dealing with sensitive data (like TLS certificates and keys), Octavia should be using a service user to connect to barbican (i.e. something specifically with a different policy profile than the 'admin' user).

I realize that probably both of these projects are not ready for this at this time; we may need to coordinate across projects to make this happen.
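As an added illustration, not part of the bug report and not Octavia's own shipped configuration: the credential pattern the report objects to, beside the least-privilege alternative it asks for. It assumes Octavia reads the Keystone credentials for its outbound service calls from a `[service_auth]` section of octavia.conf (as later Octavia releases do; the layout of the 2016 tree is not stated on this page) and selects barbican through `[certificates] cert_manager`. The user name `octavia`, the `service` project, the domain names, the auth URL and the password placeholders are all assumptions. Only one of the two `[service_auth]` blocks would actually be present in a real file.

```ini
# octavia.conf, added example (section and option names assumed, see lead-in)

# --- Weak: Octavia talks to barbican as the cloud admin. A compromise of the
# --- Octavia control plane then exposes every secret the admin can read, and
# --- barbican's audit trail cannot tell Octavia's reads from an operator's.
[service_auth]
auth_type = password
auth_url = http://controller:5000/v3
username = admin
password = ADMIN_PASSWORD_PLACEHOLDER
project_name = admin
user_domain_name = Default
project_domain_name = Default

# --- Corrected: a dedicated 'octavia' service user in the 'service' project.
# --- It holds no admin role, so barbican's default policy denies it every
# --- secret except those explicitly shared to it via an ACL by the owner.
[service_auth]
auth_type = password
auth_url = http://controller:5000/v3
username = octavia
password = OCTAVIA_SERVICE_PASSWORD_PLACEHOLDER
project_name = service
user_domain_name = Default
project_domain_name = Default

[certificates]
cert_manager = barbican_cert_manager
```

With the dedicated user in place, the tenant who owns a TLS container grants read access to it, and to each secret the container references, with python-barbicanclient's OpenStack CLI plugin, for example `openstack acl user add --user <octavia-user-id> <container-or-secret-href>`. The service user then sees exactly the containers that have been shared to it and nothing else, and barbican's logs attribute those reads to `octavia` rather than to `admin`, which is the division of responsibility and auditability the report asks for.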

Stephen Balukoff (sbalukoff) wrote:
Changed in octavia:
importance: Undecided → High
Changed in barbican:
assignee: nobody → Douglas Mendizábal (dougmendizabal)
Michael Johnson (johnsom) wrote:

I am not sure this is a barbican issue.
I think it is more related to 1592612

no longer affects: barbican