Remove VIM credential storage problem on local file system

Bug #1667652 reported by yong sheng gong
Affects: tacker | Status: Fix Released | Importance: Medium | Assigned to: Yan Xing'an | Milestone: pike-3

Bug Description

Setting up a shared file system for the tacker server to store the VIM fernet key is not a nice way.
We need a way to store it, or to refactor the mechanism for VIM credential storage.

Revision history for this message
yong sheng gong (gongysh) wrote :
tags: added: multi-service
tags: added: multi-services
removed: multi-service
Changed in tacker:
importance: Undecided → Medium
milestone: none → pike-1
Yan Xing'an (yanxingan)
Changed in tacker:
assignee: nobody → Yan Xing'an (yanxingan)
Revision history for this message
Yan Xing'an (yanxingan) wrote :

Gnocchi is a multi-tenant timeseries, metrics and resources database. It provides an HTTP REST interface to create and manipulate the data. It is designed to store metrics at a very large scale while providing access to metrics and resources information and history.

The Gnocchi project was started in 2014 as a spin-off of the OpenStack Ceilometer project to address the performance issues that Ceilometer encountered while using standard databases as a storage backends for metrics.

The metrics include instance CPU usage, router network bandwidth usage, the number of images that Glance is storing, etc.

A VIM credential, however, is not a resource entity that can be measured, so I think gnocchi is not an appropriate way to store VIM credentials.

Code:
https://github.com/openstack/gnocchi
Architecture:
https://docs.openstack.org/developer/gnocchi/architecture.html
Rest API doc:
https://docs.openstack.org/developer/gnocchi/rest.html

Revision history for this message
Yan Xing'an (yanxingan) wrote :

Barbican[1] is a REST API designed for the secure storage, provisioning and management of secrets. It is aimed at being useful for all environments, including large ephemeral Clouds.

I got information from the barbican team that the projects which use barbican include: nova, neutron-laas, cinder, and magnum.

I will think about how to invoke barbican from tacker, referring to these projects.

[1] https://github.com/openstack/barbican

Revision history for this message
Bob Haddleton (bob-haddleton) wrote :

I think it's reasonable to support using Barbican when it is deployed and in the service catalog. When it is not available we should fallback to using local disk.

I would be reluctant to require Barbican for all installations of Tacker.

Revision history for this message
Yan Xing'an (yanxingan) wrote :
Changed in tacker:
status: New → In Progress
Changed in tacker:
milestone: pike-1 → pike-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tacker-specs (master)

Reviewed: https://review.openstack.org/445543
Committed: https://git.openstack.org/cgit/openstack/tacker-specs/commit/?id=f2876e22c2be05346098ee5a30310daeb3f4ff52
Submitter: Jenkins
Branch: master

commit f2876e22c2be05346098ee5a30310daeb3f4ff52
Author: Yan Xing'an <email address hidden>
Date: Tue Mar 14 08:46:20 2017 -0700

    encrypt vim credentials with barbican

    Partial-bug: #1667652
    Change-Id: I32f0c5d87c782aaaa46f1965db9bdf55cc19bae5

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tacker (master)

Fix proposed to branch: master
Review: https://review.openstack.org/465080

Changed in tacker:
milestone: pike-2 → pike-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tacker (master)

Reviewed: https://review.openstack.org/465080
Committed: https://git.openstack.org/cgit/openstack/tacker/commit/?id=07428d498501c58fa8dc618fc6f4dd84643891db
Submitter: Jenkins
Branch: master

commit 07428d498501c58fa8dc618fc6f4dd84643891db
Author: Yan Xing'an <email address hidden>
Date: Wed Jun 7 03:03:02 2017 -0700

    Support to use barbican to encode vim password

    1. Add new option 'use_barbican' in config file [vim_keys] section,
       default value is False for Pike.
    2. Use fernet to encrypt vim password, and save the fernet key into
       barbican as a secret.
    3. Add new fields 'key_type', 'secret_uuid' into VimAuth.auth_cred
       json string. secret_uuid is masked in vim-show or vim-list response.
    4. Set the vim's default 'shared' value to False,
       vim can only be used by who created it.
    5. Add a devref to show how to test.
    6. Add a release note.

    Implements: blueprint encryption-with-barbican
    Partial-bug: #1667652

    Change-Id: I5c779041df5a08a361b9aaefac7d241369732551
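
The mechanism the merged change describes (fernet-encrypt the VIM password, keep the fernet key in Barbican as a secret, record key_type and secret_uuid in auth_cred, mask secret_uuid in vim-show) and the fallback Bob asked for (local disk when Barbican is not in the service catalog), written out as an added example. This is not tacker's code: BarbicanSecretStore is an in-memory stand-in for python-barbicanclient, the key_type strings "barbican_key"/"fernet_key" and all function names are assumptions, and when the cryptography package is absent a stdlib encrypt-then-MAC class with Fernet's interface is substituted so the example still runs (it is not Fernet's wire format; real code uses cryptography.fernet.Fernet, as the change does).

```python
"""Added example, not tacker's code: fernet-encrypt a VIM password, keep the
key in a Barbican-style store when "key-manager" is in the service catalog
and in a 0600 local file otherwise, and mask the key reference on vim-show."""
import base64
import hashlib
import hmac
import os
import uuid

try:  # the real primitive, as used by the tacker change
    from cryptography.fernet import Fernet as FernetImpl
except ImportError:  # stdlib stand-in with the same interface (not Fernet's wire format)
    class FernetImpl:
        """Encrypt-then-MAC: HMAC-SHA256 counter keystream, HMAC-SHA256 tag."""
        def __init__(self, key):
            raw = base64.urlsafe_b64decode(key)
            self._enc_key, self._mac_key = raw[:16], raw[16:]

        @staticmethod
        def generate_key():
            return base64.urlsafe_b64encode(os.urandom(32))

        def _stream(self, nonce, n):
            blocks = (hmac.new(self._enc_key, nonce + i.to_bytes(4, "big"),
                               hashlib.sha256).digest() for i in range((n + 31) // 32))
            return b"".join(blocks)[:n]

        def encrypt(self, data):
            nonce = os.urandom(16)
            ct = bytes(a ^ b for a, b in zip(data, self._stream(nonce, len(data))))
            tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
            return base64.urlsafe_b64encode(nonce + ct + tag)

        def decrypt(self, token):
            raw = base64.urlsafe_b64decode(token)
            nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
            expect = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expect):
                raise ValueError("invalid token")  # cryptography raises InvalidToken here
            return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))


class BarbicanSecretStore:
    """Constructed in-memory stand-in for Barbican (real code: python-barbicanclient)."""
    def __init__(self):
        self._secrets = {}

    def store(self, key):  # returns the secret reference kept as secret_uuid
        secret_uuid = str(uuid.uuid4())
        self._secrets[secret_uuid] = key
        return secret_uuid

    def get(self, secret_uuid):
        return self._secrets[secret_uuid]


class LocalFileKeyStore:
    """Fallback when Barbican is not deployed: one 0600 key file per reference."""
    def __init__(self, key_dir):
        self._dir = key_dir
        os.makedirs(key_dir, mode=0o700, exist_ok=True)

    def store(self, key):
        ref = str(uuid.uuid4())
        fd = os.open(os.path.join(self._dir, ref), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(key)
        return ref

    def get(self, ref):
        with open(os.path.join(self._dir, ref), "rb") as f:
            return f.read()


KEY_MANAGER = "key-manager"  # Barbican's service type in the keystone catalog
BARBICAN_KEY, LOCAL_KEY = "barbican_key", "fernet_key"  # assumed key_type strings


def _key_store(key_type, catalog, key_dir):
    return catalog[KEY_MANAGER] if key_type == BARBICAN_KEY else LocalFileKeyStore(key_dir)


def create_vim_auth(username, password, catalog, key_dir):
    """Build auth_cred: password fernet-encrypted, key_type/secret_uuid say where the key is."""
    key = FernetImpl.generate_key()
    key_type = BARBICAN_KEY if KEY_MANAGER in catalog else LOCAL_KEY
    secret_uuid = _key_store(key_type, catalog, key_dir).store(key)
    return {"username": username, "password": FernetImpl(key).encrypt(password.encode()).decode(),
            "key_type": key_type, "secret_uuid": secret_uuid}


def decrypt_vim_password(auth_cred, catalog, key_dir):
    """Fetch the key by secret_uuid and decrypt; a tampered token raises."""
    key = _key_store(auth_cred["key_type"], catalog, key_dir).get(auth_cred["secret_uuid"])
    return FernetImpl(key).decrypt(auth_cred["password"].encode()).decode()


def mask_for_show(auth_cred):
    """vim-show / vim-list view: ciphertext and key reference both stay server-side."""
    return {k: "***" if k in ("password", "secret_uuid") else v for k, v in auth_cred.items()}


def tamper_check(auth_cred, catalog, key_dir):
    """Flip one ciphertext character; decryption must fail (MAC), not return garbage."""
    bad, tok = dict(auth_cred), auth_cred["password"]
    bad["password"] = tok[:10] + ("B" if tok[10] != "B" else "C") + tok[11:]
    try:
        decrypt_vim_password(bad, catalog, key_dir)
    except Exception:  # cryptography: InvalidToken; stand-in: ValueError
        return True
    return False
```

The catalog lookup is the deployment switch Bob describes: a VIM registered while Barbican is present gets key_type "barbican_key" and only a secret reference in the database; one registered without it gets a local key file. Note that the local path reproduces the original complaint for multi-node tacker servers, since a second server cannot read a key file it does not share, which is why the Barbican path is the one to prefer when the catalog offers it.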

Changed in tacker:
status: In Progress → Fix Committed
Changed in tacker:
status: Fix Committed → Fix Released