Groups for Secrets
Users should be able to create groups and assign secrets to their groups.
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Huseyin Gedikli
- Direction: Needs approval
- Assignee: Huseyin Gedikli
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Douglas Mendizábal
Whiteboard
This would be awesome. We have our own keyserver, which we have been using, that does something similar. We haven't been able to use Barbican yet since it hasn't had the required functionality yet. It has the following usage:
Each tenant has unique groups. Files/keys can be assigned to groups. Instances can be tagged with metadata like keyserver_groups = "group1 group2 group3".
We implemented a vendor metadata plugin that looks at the keyserver_groups metadata for a given instance, and returns a token that allows downloading only keys from those groups, and the key server's URL.
The instance's user-data script can then fetch the vendor metadata, and curl/wget all the secrets it needs to reliably build itself.
Things are kept more secure this way since a tenant's VM cannot download just any key the tenant has access to, just the ones the user has specifically given it access to via metadata. The user also does not have to mess with generating accounts and binding groups to them; the nova plugin handles token generation automatically, so it's very easy to use.
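As an added illustration of the group-scoped token flow described in the whiteboard above (example code, not the commenter's keyserver, the nova plugin, or Barbican): the metadata-plugin side mints a short-lived token carrying only the groups named in the instance's keyserver_groups metadata, and the key-server side releases a secret only when its group is inside that scope. The HMAC token format, the signing key, the secret names and the group names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo signing key shared by the metadata plugin and the key server
# (hypothetical; a real deployment would keep it out of source).
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed tenant key store: secret name -> group it belongs to.
TENANT_SECRETS = {
    "db-password": "group1",
    "tls-key": "group2",
    "admin-root-key": "admin",  # owned by the tenant, granted to no instance
}

def parse_groups(metadata):
    """Split the instance's keyserver_groups metadata into a set of group names."""
    return set(metadata.get("keyserver_groups", "").split())

def issue_token(metadata, now, ttl=300):
    """Vendor-metadata plugin side: mint a short-lived token scoped to the
    instance's groups only, never to everything the tenant owns."""
    claims = {"groups": sorted(parse_groups(metadata)), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, now):
    """Key-server side: check signature and expiry; return claims or None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    return claims if claims["exp"] > now else None  # None once expired

def fetch_secret(token, name, now):
    """Key-server download handler: release the secret only when its group is
    inside the token's scope; tenant ownership alone is not enough."""
    claims = verify_token(token, now)
    if claims is None:
        return None
    group = TENANT_SECRETS.get(name)
    if group is None or group not in claims["groups"]:
        return None
    return f"<contents of {name}>"
```

An instance tagged with "group1 group2 group3" can read db-password and tls-key but is refused admin-root-key even though the same tenant owns it, and a tampered or expired token is refused outright.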