Remove VIM credential storage problem on local file system

Bug #1667652 reported by yong sheng gong
Affects: tacker | Status: Fix Released | Importance: Medium | Assigned to: Yan Xing'an

Bug Description

To set a shared file system for the tacker server to store the VIM fernet key is not a nice way.
We need a way to store it or refactor the mechanism for VIM credential storage.

Revision history for this message
yong sheng gong (gongysh) wrote :
tags: added: multi-service
tags: added: multi-services
removed: multi-service
Changed in tacker:
importance: Undecided → Medium
milestone: none → pike-1
Yan Xing'an (yanxingan)
Changed in tacker:
assignee: nobody → Yan Xing'an (yanxingan)
Revision history for this message
Yan Xing'an (yanxingan) wrote :

Gnocchi is a multi-tenant timeseries, metrics and resources database. It provides an HTTP REST interface to create and manipulate the data. It is designed to store metrics at a very large scale while providing access to metrics and resources information and history.

The Gnocchi project was started in 2014 as a spin-off of the OpenStack Ceilometer project to address the performance issues that Ceilometer encountered while using standard databases as storage backends for metrics.

The metrics include instance CPU usage, router network bandwidth usage, the number of images that Glance is storing, etc.

A VIM credential is not a resource entity that can be measured, so I think gnocchi is not an appropriate way to store VIM credentials.

Code:
https://github.com/openstack/gnocchi
Architecture:
https://docs.openstack.org/developer/gnocchi/architecture.html
Rest API doc:
https://docs.openstack.org/developer/gnocchi/rest.html

Revision history for this message
Yan Xing'an (yanxingan) wrote :

Barbican[1] is a REST API designed for the secure storage, provisioning and management of secrets. It is aimed at being useful for all environments, including large ephemeral Clouds.

I got information from the barbican team that the projects which use barbican include: nova, neutron-lbaas, cinder, and magnum.

I will think about the realization of invoking barbican in tacker, referring to these projects.

[1] https://github.com/openstack/barbican

Revision history for this message
Bob Haddleton (bob-haddleton) wrote :

I think it's reasonable to support using Barbican when it is deployed and in the service catalog. When it is not available we should fall back to using local disk.

I would be reluctant to require Barbican for all installations of Tacker.

Revision history for this message
Yan Xing'an (yanxingan) wrote :
Changed in tacker:
status: New → In Progress
Changed in tacker:
milestone: pike-1 → pike-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tacker-specs (master)

Reviewed: https://review.openstack.org/445543
Committed: https://git.openstack.org/cgit/openstack/tacker-specs/commit/?id=f2876e22c2be05346098ee5a30310daeb3f4ff52
Submitter: Jenkins
Branch: master

commit f2876e22c2be05346098ee5a30310daeb3f4ff52
Author: Yan Xing'an <email address hidden>
Date: Tue Mar 14 08:46:20 2017 -0700

    encrypt vim credentials with barbican

    Partial-bug: #1667652
    Change-Id: I32f0c5d87c782aaaa46f1965db9bdf55cc19bae5

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tacker (master)

Fix proposed to branch: master
Review: https://review.openstack.org/465080

Changed in tacker:
milestone: pike-2 → pike-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tacker (master)

Reviewed: https://review.openstack.org/465080
Committed: https://git.openstack.org/cgit/openstack/tacker/commit/?id=07428d498501c58fa8dc618fc6f4dd84643891db
Submitter: Jenkins
Branch: master

commit 07428d498501c58fa8dc618fc6f4dd84643891db
Author: Yan Xing'an <email address hidden>
Date: Wed Jun 7 03:03:02 2017 -0700

    Support to use barbican to encode vim password

    1. Add new option 'use_barbican' in config file [vim_keys] section,
       default value is False for Pike.
    2. Use fernet to encrypt vim password, and save the fernet key into
       barbican as a secret.
    3. Add new fields 'key_type', 'secret_uuid' into VimAuth.auth_cred
       json string. secret_uuid is masked in vim-show or vim-list response.
    4. Set the vim's default 'shared' value to False,
       vim can only be used by whoever created it.
    5. Add a devref to show how to test.
    6. Add a release note.

    Implements: blueprint encryption-with-barbican
    Partial-bug: #1667652

    Change-Id: I5c779041df5a08a361b9aaefac7d241369732551
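
The mechanism described in the commit message above (Fernet-encrypted VIM password, Fernet key held in Barbican, secret_uuid masked in vim-show), as an added example rather than Tacker's own code: DictSecretStore is a constructed stand-in for Barbican, the 'barbican_key' value for key_type and the masking of the password field are assumptions, and the block assumes the cryptography package is installed.

```python
import copy
import uuid

from cryptography.fernet import Fernet

MASK = "***"


class DictSecretStore:
    """Stand-in for Barbican (constructed for this example): keeps a secret
    payload and hands back an opaque reference, as a Barbican secret UUID would."""

    def __init__(self):
        self._secrets = {}

    def store(self, payload):
        ref = str(uuid.uuid4())
        self._secrets[ref] = payload
        return ref

    def get(self, ref):
        return self._secrets[ref]


def encrypt_vim_auth(auth_cred, secret_store):
    """Return a copy of auth_cred whose password is Fernet-encrypted; the Fernet
    key goes to secret_store and only its reference stays in the VIM record.
    The 'barbican_key' label used for key_type is an assumed value."""
    key = Fernet.generate_key()
    enc = copy.deepcopy(auth_cred)
    enc["password"] = Fernet(key).encrypt(auth_cred["password"].encode()).decode()
    enc["key_type"] = "barbican_key"
    enc["secret_uuid"] = secret_store.store(key)
    return enc


def decrypt_vim_password(auth_cred, secret_store):
    """Fetch the key by its reference (KeyError if the secret is gone) and decrypt."""
    key = secret_store.get(auth_cred["secret_uuid"])
    return Fernet(key).decrypt(auth_cred["password"].encode()).decode()


def mask_for_show(auth_cred):
    """The vim-show / vim-list view: secret_uuid is masked, as the change states;
    masking the password field as well is assumed here."""
    shown = copy.deepcopy(auth_cred)
    for field in ("password", "secret_uuid"):
        if field in shown:
            shown[field] = MASK
    return shown
```

The key reference is the only thing the VIM record carries, so a dump of the tacker database alone does not yield the password.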

Changed in tacker:
status: In Progress → Fix Committed
Changed in tacker:
status: Fix Committed → Fix Released