OpenStack projects store passwords in plain text

Bug #1587064 reported by Adam Heczko
Affects: oslo.config | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Problem description:
Currently (as of Mitaka) all OpenStack projects store service passwords within configuration files. Moreover, these passwords (config files) are unencrypted, and access to these artifacts is difficult to audit.

Solution proposal:
1. Try to separate storage of passwords (rabbit, mysql, other services) from within 'normal' configuration files.
2. Try to encrypt passwords whenever possible.
3. Try to provide auditing information while accessing password / secret store.

Initial research shows that Python's Keyring project might be a good choice for a simple and effective bug fix.
https://pypi.python.org/pypi/keyring
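
As an added illustration of the three proposals above (this is example code, not from oslo.config, keyring or this bug), a small loader that keeps only `secret://<service>/<username>` references in the config file, fetches the value from a store with the same `get_password(service, username)` shape as keyring, and writes an audit record for every lookup; the `secret://` scheme, the in-memory store and the sample config are constructed for the example.

```python
import configparser
from datetime import datetime, timezone

# Hypothetical reference scheme: the config carries "secret://<service>/<username>"
# instead of the password itself; the store is consulted when the config is loaded.
SCHEME = "secret://"

class InMemorySecretStore:
    # Stand-in for a keyring backend: same get_password(service, username) shape.
    def __init__(self, secrets):
        self._secrets = secrets  # {(service, username): password}, constructed

    def get_password(self, service, username):
        return self._secrets.get((service, username))

class AuditingResolver:
    # Resolves secret references and records every access for later audit.
    def __init__(self, store, caller):
        self.store, self.caller, self.audit = store, caller, []

    def resolve(self, section, option, value):
        if not value.startswith(SCHEME):
            return value  # ordinary option, no secret involved
        service, _, username = value[len(SCHEME):].partition("/")
        secret = self.store.get_password(service, username)
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "caller": self.caller, "option": f"{section}.{option}",
                           "ref": value, "found": secret is not None})
        if secret is None:  # fail closed: never start with an empty password
            raise KeyError(f"{section}.{option}: no secret for {value}")
        return secret

def load_config(text, resolver):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {s: {o: resolver.resolve(s, o, v) for o, v in parser.items(s)}
            for s in parser.sections()}

# Constructed sample config: references only, no plaintext passwords.
SAMPLE_CONF = """[oslo_messaging_rabbit]
rabbit_userid = openstack
rabbit_password = secret://rabbit/openstack
[keystone_authtoken]
username = nova
password = secret://keystone/nova
"""

def demo(store):
    # Returns (resolved config, audit trail) for a caller named "nova-api".
    resolver = AuditingResolver(store, caller="nova-api")
    return load_config(SAMPLE_CONF, resolver), resolver.audit
```

Because the resolver fails closed, a missing entry in the store stops the service from starting instead of handing it an empty password, and the attempt still lands in the audit trail.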

Revision history for this message
Doug Hellmann (doug-hellmann) wrote :

How would you give the service the credentials it needs to decrypt the file? The keyring needs credentials, too.

Revision history for this message
Adam Heczko (aheczko-mirantis) wrote :

@Doug, it comes down to the threat model of services storing unencrypted passwords alongside other configuration variables, versus a different threat model for a service managing key/password encryption.
Ideally we'd like to have an API for accessing service passwords during service startups/restarts, and a key management service running under a different Unix (Linux) UID to separate OpenStack services from the key vault service.
As a good reference please see here:
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Protect_keys_in_a_key_vault
IMO it would be good to try to introduce a 'service vault API' under the oslo umbrella, just like oslo.rootwrap and oslo.privsep work currently.

Revision history for this message
Doug Hellmann (doug-hellmann) wrote :

We'll be tracking this as feature work against http://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html and in castellan.

Changed in oslo.config:
status: New → Invalid
