Spec for encryption of Murano PL properties

Change-Id: I4b9669ef5337dde671b501368ae5ca785e651af5
Spec-for-blueprint: allow-encrypting-of-muranopl-properties
This commit is contained in:
Paul Bourke 2017-05-31 14:00:47 +01:00
parent d4db3d5683
commit 8d318a1e62
1 changed files with 175 additions and 0 deletions

View File

@ -0,0 +1,175 @@
..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.
http://creativecommons.org/licenses/by/3.0/legalcode
============================
Encrypt Murano PL Properties
============================
https://blueprints.launchpad.net/murano/+spec/allow-encrypting-of-muranopl-properties
Currently the object model for an application in Murano is stored in the Murano
database as plain text. This can pose a security risk for applications whose
object model contains passwords or other sensitive data.
Problem description
===================
Many Murano applications request input data from users, which in most cases is
entered via the murano dashboard. Currently all input from users is stored in
database in plain text. In the case of a MySQL [#]_ app for example, the
password that the user enters will be stored in plain text in both the
``session`` and ``environment`` database tables. This info is available both to
the cloud admin, other users in the same project, and also to an attacker
should the database become compromised.
Proposed change
===============
This spec proposes to add a two new yaql functions; `encrypt_data` and
`decrypt_data`. The former will be processed at the dashboard stage, as it will
be applied to input fields presented to the user. `decrypt_data` will be
processed in the engine during app execution.
These functions will make use of Castellan [#]_ which is a generic
key manager interface for OpenStack. Castellan is designed to be used with a
variety of secret storage backends, the most common being Barbican [#]_. The
Castellan key manager is already being used by the Nova and Cinder project to
name two [#]_. Because Barbican is the default storage backend, Barbican and
Castellan will be referred to interchangeably for the rest of this document.
Alternatives
------------
Some questions have been raised as to the usefulness of Barbican as a whole
[#]_. Some community members are concerned with adding it as "yet another
dependency" to their project, while others have concerns about its integration
with Keystone with regards to secret storage.
With regards to dependency concerns, these functions will be optional to Murano.
If Castellan is not configured, an error message will be shown in Horizon
informing the user to contact their administrator if they wish to use apps
requiring encryption. The use of Castellan also helps here, as it gives
operators flexibility in which secret backend they wish to use. It should be
noted however that Castellan does not appear to currently provide any "dummy"
backend drivers [#]_.
With regards to security, the argument that Barbican is the common solution for
secret storage in OpenStack seems reasonable; security is something best left
to specialists in the field. If a flaw is discovered in Barbican, it can be
patched once by an operator and all projects using it will automatically
benefit.
Data model impact
-----------------
None
REST API impact
---------------
None
Versioning impact
-----------------
None
Other end user impact
---------------------
None
Deployer impact
---------------
Deployers wishing to use the new encryption functionality will be required to
deploy a key manager such as Barbican (it is worth noting Barbican may already
be available in some cloud environments in which case there would be minimal
impact).
The functionality will be made optional via a configuration item, hence
there will be no impact for deployers who don't wish to take advantage of this
feature.
Developer impact
----------------
Developers should be made aware of these functions via documentation, and also
how to use them.
Murano-dashboard / Horizon impact
---------------------------------
Will need to be updated to understand calls to `encrypt_data` in forms.
Implementation
==============
Assignee(s)
-----------
Primary assignee:
paul.bourke@oracle.com
Other contributors:
None
Work Items
----------
* Integrate Castellan into murano-dashboard.
* Add a `encrypt_data` function to the dashboard to make use of the above.
* Integrate Castellan into the murano engine.
* Add a `decrypt_data` function to the dashboard to make use of the above.
* Testing.
Dependencies
============
* Castellan
* Barbican
Testing
=======
* Appropriate unit and functional tests will need to be added.
* Potentially the tempest tests could be updated for full end-to-end testing
with Barbican.
Documentation Impact
====================
Deployment docs will need info on Barbican configuration for Murano and
murano-dashboard. MuranoPL Docs will also be needed on the new functions.
References
==========
.. [#] https://github.com/openstack/murano-apps/blob/master/MySQL/package/UI/ui.yaml
.. [#] https://github.com/openstack/castellan
.. [#] https://github.com/openstack/barbican
.. [#] https://review.openstack.org/#/c/247561/
.. [#] http://lists.openstack.org/pipermail/openstack-dev/2017-January/110192.html
.. [#] https://github.com/openstack/castellan/tree/stable/ocata/castellan/key_manager
* Cinder discussion around their alternative insecure key manager for Castellan:
http://lists.openstack.org/pipermail/openstack-dev/2016-January/083241.html
* Murano discussion around implementation details for this blueprint:
http://lists.openstack.org/pipermail/openstack-dev/2017-June/118290.html