Friday, August 5, 2022

Adventures of a Small Time OpenStack Sysadmin Chapter 038 - Barbican Secret Service

Adventures of a Small Time OpenStack Sysadmin relate the experience of converting a small VMware cluster into two small OpenStack clusters, and the adventures and friends I made along the way.


First, links to some reference docs I used:

Main Documentation Page

https://docs.openstack.org/barbican/yoga/

API Guide

https://docs.openstack.org/api-guide/key-manager/

CLI Commands

https://docs.openstack.org/python-openstackclient/yoga/cli/plugin-commands/barbican.html

globals.d config

It's not much work to install Barbican on Kolla-Ansible:

File /etc/kolla/globals.d/barbican.yml:

enable_barbican: "yes"

As seen at:

https://gitlab.com/SpringCitySolutionsLLC/openstack-scripts/-/blob/master/backups/os6.cedar.mulhollon.com/globals.d/barbican.yml

Security and hardware gadgets

The default, as you can see in /etc/kolla/barbican-api/barbican.conf, is the simple_crypto plugin, which encrypts each secret's payload with a static key-encryption key (KEK) that lives in barbican.conf and keeps the ciphertext in Barbican's database. Anyone who can read both the config file and the database can recover every secret, so it is not as secure as a hardware solution, but it is more secure than post-it notes on your monitor. One thing worth checking on a Kolla-Ansible deployment is that the KEK is the generated barbican_crypto_key from /etc/kolla/passwords.yml rather than the sample value shipped in upstream barbican.conf. I don't currently own a cool crypto storage hardware gadget, so on my cluster Barbican is pretty much just a front end to a key-value store.

CLI

Install the CLI add-on for Barbican using the installcli.sh script as seen at this link:

https://gitlab.com/SpringCitySolutionsLLC/openstack-scripts/-/blob/master/installcli/installcli.sh

Or run something like:

pip install python-barbicanclient -c https://releases.openstack.org/constraints/upper/yoga

Barbican Demonstration

A suite of demo scripts can be found in openstack-scripts:

https://gitlab.com/SpringCitySolutionsLLC/openstack-scripts/-/tree/master/demos/barbican

Watch this sequence of demo scripts:

./list.sh

OK, no secrets stored; you just get "[]" as the response.

./store.sh

"message_for_julius" gets stored, returning an href. It's stored as 256-bit AES, which is marginally better than ROT-13 or a post-it note on a monitor.

./list.sh

Ah, I see I have a stored secret in my account now. This could have been the root password of a newly installed server or something.

./get.sh

This tiny little script pulls a list of all my accessible secrets, finds the href for the one named "message_for_julius", does a "secret get" on that href to see the details of that secret, then does a "secret get --payload" to read the payload.

I won't give away the message for Julius because I don't want to spoil a 2000 year old story, just read your Plutarch and you'll get the idea.  Maybe crossing the Rubicon River was not the best decision, or maybe he had no better alternative, whatever.

./acl-get.sh

So, looking at the output, anyone in the project has read access on the secret named message_for_julius. This is good news if Julius is a member of the project, bad news if one of the conspirators is a member. Maybe we should limit access to one user, hopefully an account Julius has access to.

./acl-set.sh

This takes away project-wide read access to the message and only lets one user, that being admin, read the secret. I don't know Julius Caesar's login username LOL.

The correct ACL for your secrets depends entirely on the purpose of the secret, I suppose.

./acl-get.sh

See the above paragraph, acl-get displays what acl-set did.

./get.sh

Assuming you're logged in as admin, you can still read this secret. Otherwise, Barbican will not give you access. Unless Julius is logged in as admin, he can't read this secret anymore.

./delete.sh

Well, this secret message is about two thousand years too late; we should have sent a messenger before March 15, 44 BC, but next-day airmail postage used to be so expensive in the late Roman Republic era, excuses excuses etc.

./list.sh

Returns "[]", no secrets stored right now.
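The sequence above boils down to two pieces of logic: get.sh's lookup of an href by secret name, and the read decision that acl-get.sh shows before and after acl-set.sh. Here is an added example in Python (my own illustration, not code from this post or from the openstack-scripts repository) that models both offline. The listing is a constructed sample shaped like the output of openstack secret list -f json, the hostname and the user and project ids are made up, and the access rule is a simplified model of Barbican's default secret:get policy (secret creator, explicit read-ACL users, project access), which is an assumption rather than a transcription of barbican's policy.yaml.

```python
"""Offline model of what get.sh and acl-get.sh / acl-set.sh do.

Added example, not from the original post. Assumptions are marked below.
"""
import json

# Constructed sample, shaped like `openstack secret list -f json` output.
# Host name and UUID are made up.
SAMPLE_LISTING = json.dumps([
    {
        "Secret href": "https://barbican.example.test:9311/v1/secrets/"
                       "11111111-2222-3333-4444-555555555555",
        "Name": "message_for_julius",
        "Created": "2022-08-05T12:00:00+00:00",
        "Status": "ACTIVE",
        "Content types": {"default": "text/plain"},
        "Algorithm": "aes",
        "Bit length": 256,
        "Secret type": "opaque",
        "Mode": "cbc",
        "Expiration": None,
    },
])


def find_secret_href(listing_json, name):
    """What get.sh does: return the href of the secret called `name`.

    Barbican does not force names to be unique, so if several secrets share
    a name the most recently created one is returned; None if there is no match.
    """
    matches = [s for s in json.loads(listing_json) if s.get("Name") == name]
    if not matches:
        return None
    matches.sort(key=lambda s: s["Created"])
    return matches[-1]["Secret href"]


# ACL shapes mirror what `openstack acl get` reports per operation type.
ACL_BEFORE = {"read": {"project-access": True, "users": []}}        # after store.sh
ACL_AFTER = {"read": {"project-access": False, "users": ["admin"]}}  # after acl-set.sh


def restrict_read_to_users(acl, users):
    """What acl-set.sh does: drop project-wide read, allow only `users`."""
    new_acl = dict(acl)
    new_acl["read"] = {"project-access": False, "users": sorted(set(users))}
    return new_acl


def can_read(secret, acl, requester):
    """Simplified model (assumption) of Barbican's default secret:get policy.

    secret:    {"project": project id, "creator": user id}
    acl:       {"read": {"project-access": bool, "users": [user ids]}}
    requester: {"user": user id, "project": project the token is scoped to}

    Rules modelled:
      - the creator can always read the secret from the owning project
      - users listed in the read ACL can read it, even from another project
      - anyone else needs project-access to be True and a token scoped to
        the secret's project
    """
    read = acl.get("read", {"project-access": True, "users": []})
    same_project = requester["project"] == secret["project"]
    if same_project and requester["user"] == secret["creator"]:
        return True
    if requester["user"] in read.get("users", []):
        return True
    return same_project and bool(read.get("project-access", True))


# Made-up identities for the story: admin stored the secret in project "senate".
SECRET = {"project": "senate", "creator": "admin"}
ADMIN = {"user": "admin", "project": "senate"}
JULIUS = {"user": "julius", "project": "senate"}
BRUTUS = {"user": "brutus", "project": "senate"}   # a conspirator in the project


def run_demo():
    """Replay the blog's sequence and return who can read at each stage."""
    href = find_secret_href(SAMPLE_LISTING, "message_for_julius")
    after = restrict_read_to_users(ACL_BEFORE, ["admin"])
    return {
        "href": href,
        "before": {u["user"]: can_read(SECRET, ACL_BEFORE, u) for u in (ADMIN, JULIUS, BRUTUS)},
        "after": {u["user"]: can_read(SECRET, after, u) for u in (ADMIN, JULIUS, BRUTUS)},
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

With project-access on, both Julius and the conspirator can read the secret; after the ACL change only admin can, which is exactly the shift acl-get.sh displays. To let Julius read it without reopening it to the whole project, you would add his user id to the read ACL rather than restore project-wide access.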

I currently have no use case for Barbican, but it's an absolute joy to use; everything works perfectly, the API design makes sense, and it's reliable and fast. A well-designed API is a joy to use even if you have no use for it LOL. I really can't say enough good things about Barbican; they aren't paying me to say this or anything, it's just genuine fandom.

Tomorrow, a chill day of Horizon and Keystone.

Stay tuned for the next chapter!
