Difference between revisions of "Trove/Barbican-integration"
< Trove
(Created page with "= Barbican integration = == Barbican description == Barbican is a tenant aware key and secrets management service for cloud applications, including symmetric and asymmetric k...") |
(→Impacts) |
||
Line 35: | Line 35: | ||
import abc | import abc | ||
import six | import six | ||
− | |||
@six.add_metaclass(abc.ABCMeta) | @six.add_metaclass(abc.ABCMeta) | ||
class BaseSecurityWorkflow(object): | class BaseSecurityWorkflow(object): | ||
− | |||
@abc.abstractmethod | @abc.abstractmethod | ||
def _create_key(self, | def _create_key(self, | ||
Line 50: | Line 48: | ||
Creates a key by given parameters | Creates a key by given parameters | ||
""" | """ | ||
− | |||
@abc.abstractmethod | @abc.abstractmethod | ||
def get_backup_encyption_key(self): | def get_backup_encyption_key(self): | ||
"""Implements backup encryption password delivery.""" | """Implements backup encryption password delivery.""" | ||
− | |||
@abc.abstractmethod | @abc.abstractmethod | ||
def get_replication_user_key(self): | def get_replication_user_key(self): | ||
"""Implements replication user key delivery.""" | """Implements replication user key delivery.""" |
Revision as of 13:23, 15 August 2014
Contents
Barbican integration
Barbican description
Barbican is a tenant aware key and secrets management service for cloud applications, including symmetric and asymmetric keys, raw secrets and support for public and private SSL certificates. See Barbican at Launchpad.
Description
Trove uses encryption/decryption for backups (if encryption enabled). For this workflow Trove uses:
- Algorithm: AES
- Mode: cbc
- Key lenght: 256
- Payload content type: application/octet-stream
For performing encyption/decryption Trove uses:
- openssl util
Justification/Benefits
Justification
Barbican designed to provide Secret delivery and storage. By the default, Barbican provides AES order with key length 256 bit and CBC mode.
Benefits
- Trove would no longer need to store backup encyption password in plain text guest configuration file (which seems to be a security issue). Same takes place for replication user password.
- Advanced OpenStack integration.
Impacts
Existing code will be refactored to extract Security workflow into it's own package:
- trove/security
Abstract layer for Security workflow will be proposed:
- BaseSecurityWorkflow
- Implementation
import abc import six @six.add_metaclass(abc.ABCMeta) class BaseSecurityWorkflow(object): @abc.abstractmethod def _create_key(self, name, alg='AES', bit_length=256, mode=None, payload_content_type= "application/octet-stream"): """ Creates a key by given parameters """ @abc.abstractmethod def get_backup_encyption_key(self): """Implements backup encryption password delivery.""" @abc.abstractmethod def get_replication_user_key(self): """Implements replication user key delivery."""