| *** mnasiadka has quit IRC | 00:57 | |
| *** mnasiadka has joined #openstack-barbican | 00:58 | |
| *** tosky has quit IRC | 01:01 | |
| *** jmlowe has quit IRC | 03:36 | |
| *** jmlowe has joined #openstack-barbican | 03:39 | |
| *** tkajinam has quit IRC | 08:31 | |
| *** tkajinam has joined #openstack-barbican | 08:32 | |
| *** jaosorior has joined #openstack-barbican | 08:35 | |
| *** xek_ has joined #openstack-barbican | 08:58 | |
| *** tosky has joined #openstack-barbican | 09:05 | |
| *** jmlowe has quit IRC | 14:02 | |
| *** tkajinam has quit IRC | 14:07 | |
| *** jmlowe has joined #openstack-barbican | 14:24 | |
| *** jmlowe has quit IRC | 14:31 | |
| *** jmlowe has joined #openstack-barbican | 14:42 | |
| *** jmlowe has quit IRC | 14:42 | |
| *** jmlowe has joined #openstack-barbican | 14:43 | |
| *** jmlowe has quit IRC | 14:50 | |
| *** jmlowe has joined #openstack-barbican | 14:52 | |
| *** jmlowe has quit IRC | 14:54 | |
| *** jmlowe has joined #openstack-barbican | 15:17 | |
| *** jmlowe has quit IRC | 15:29 | |
| *** jmlowe has joined #openstack-barbican | 15:51 | |
| *** jmlowe has quit IRC | 16:01 | |
| *** ecsantos has joined #openstack-barbican | 16:01 | |
| ecsantos | hi! i have some questions about barbican/castellan. can i ask someone here? | 16:09 |
|---|---|---|
| *** jmlowe has joined #openstack-barbican | 16:17 | |
| redrobot | hi ecsantos! You're in the right place. | 16:19 |
| ecsantos | redrobot: thank you! i'm contributing to openstack/manila. we support security services, i.e., ldap, kerberos and active directory (Microsoft). our passwords are currently available in plain text in the manila database; we don't want that. i came across barbican and castellan and thought they might be a viable option. my use case: encrypt secrets from users, so that even admins can't see the users' passwords in plain text. my concerns: | 16:27 |
| ecsantos | reading the castellan docs, it appears that anyone with root access can change the castellan.conf file and create/recover/delete secrets. is there a way to make this work? | 16:27 |
| redrobot | ecsantos, so, the way that both Castelan and Barbican work is that they allow you to store all secrets, but you still need to have credentials to access the secret storage | 16:33 |
| redrobot | ecsantos, we do not protect agains > root access to configuration that contains the credentials to access barbican and/or castellan < | 16:33 |
| redrobot | there's all kinds of nefarious stuff that an attacker could do with root access to the system. | 16:34 |
| redrobot | There's ways to add additionaly protection, but it is outside the scope of Castellan and/or Barbican | 16:35 |
| redrobot | e.g. Manila could ask for the credentials at startup and have them in memory instead of on disk, but even then an attacker with root can still dump memory | 16:35 |
| redrobot | not sure if that's helpful, ecsantos | 16:36 |
| ecsantos | that was very helpful, redrobot, thank you. it makes sense, i think i'll deal with the root access issue separately. | 16:46 |
| ecsantos | where do castellan stores the secrets exactly? | 16:46 |
| redrobot | ecsantos, castellan is basically just a shim between openstack services and _some_ secret manager. Typically you would use Castellan->Barbican, but Castellan->Hashicorp Vault is also an option. | 16:57 |
| *** jaosorior has quit IRC | 17:01 | |
| ecsantos | oh i see. Barbican stores them in a SQLAlchemy DB, the same as the rest of the OpenStack services, right? | 17:15 |
| JohnnyRainbow | is there any nice article how to integrate vault with barbican/openstack? So far in openstack docs I haven't found too much details. Appreciate any help! | 17:47 |
| *** jmlowe has quit IRC | 17:58 | |
| *** jmlowe has joined #openstack-barbican | 18:18 | |
| *** raildo has quit IRC | 18:21 | |
| *** jmlowe has quit IRC | 18:22 | |
| *** jmlowe has joined #openstack-barbican | 18:24 | |
| *** ecsantos has quit IRC | 18:33 | |
| *** raildo has joined #openstack-barbican | 18:43 | |
| *** raildo has quit IRC | 18:45 | |
| *** raildo has joined #openstack-barbican | 18:48 | |
| *** jmlowe has quit IRC | 18:52 | |
| *** jmlowe has joined #openstack-barbican | 19:06 | |
| *** jmlowe has quit IRC | 19:09 | |
| *** jmlowe has joined #openstack-barbican | 20:35 | |
| *** raildo has quit IRC | 21:59 | |
| *** tkajinam has joined #openstack-barbican | 22:00 | |
| *** xek_ has quit IRC | 23:02 | |
| *** tosky has quit IRC | 23:54 | |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!