Allow encrypting selected muranopl properties

Registered by Kirill Zaitsev on 2015-09-23

Currently MuranoPL properties in the Object Model are always stored as is. That might pose a security threat for certain applications that want to store passwords or other sensitive information in MuranoPL properties.
This means that users from the same tenant, as well as admin users, currently have full access to that information.
This also means that a potential attacker will gain access to all that information as soon as they gain access to the database.

One option to fix this would be to somehow mark certain properties as encrypted and encrypt/decrypt them on the API/engine side with a symmetric algorithm (DES/AES/3DES), storing the key on both sides. (This would not prevent an admin from having access to that info, but would prevent others from seeing it.)

This might not be the only solution, but it looks like the most obvious one. Meta attributes might be required to implement this BP.
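A sketch of the option described above, added here as an illustration and not taken from Murano's code: the API side encrypts marked properties before the object model is stored, and the engine side decrypts them with the same key. It assumes the third-party `cryptography` package and uses its Fernet recipe (AES plus an HMAC) as the symmetric algorithm; the `__encrypted__` wrapper, the set of marked property names and the sample model are all hypothetical.

```python
import json
from cryptography.fernet import Fernet

MARKER = "__encrypted__"                   # hypothetical wrapper key (assumption)
SENSITIVE = {"password", "adminPassword"}  # hypothetical marked property names

# Constructed sample object model; types, ids and values are made up.
SAMPLE_MODEL = {
    "?": {"type": "com.example.Database", "id": "constructed-id-1"},
    "name": "orders-db",
    "password": "s3cr3t-constructed",
    "instance": {
        "?": {"type": "com.example.Instance", "id": "constructed-id-2"},
        "adminPassword": "another-constructed",
    },
}


def protect(model, sensitive, fernet):
    """API side: copy the model, encrypting string properties named in `sensitive`."""
    if isinstance(model, list):
        return [protect(item, sensitive, fernet) for item in model]
    if not isinstance(model, dict):
        return model
    out = {}
    for key, value in model.items():
        if key in sensitive and isinstance(value, str):
            token = fernet.encrypt(value.encode("utf-8")).decode("ascii")
            out[key] = {MARKER: token}  # only ciphertext reaches the database
        else:
            out[key] = protect(value, sensitive, fernet)
    return out


def reveal(model, fernet):
    """Engine side: decrypt marked wrappers; a wrong key or altered token raises InvalidToken."""
    if isinstance(model, list):
        return [reveal(item, fernet) for item in model]
    if not isinstance(model, dict):
        return model
    if set(model) == {MARKER}:
        return fernet.decrypt(model[MARKER].encode("ascii")).decode("utf-8")
    return {key: reveal(value, fernet) for key, value in model.items()}


if __name__ == "__main__":
    shared = Fernet(Fernet.generate_key())  # stand-in for a key provisioned to both sides
    stored = json.dumps(protect(SAMPLE_MODEL, SENSITIVE, shared))
    print(stored, reveal(json.loads(stored), shared) == SAMPLE_MODEL, sep="\n")
```

Anyone who can read the stored model but does not hold the key sees only the wrapped tokens; unmarked properties such as `name` remain readable.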

Blueprint information

Status: Not started
Approver: Felipe Monteiro
Priority: Medium
Drafter: Kirill Zaitsev
Direction: Approved
Assignee: None
Definition: New
Series goal: Accepted for pike
Implementation: Not started
Milestone target: next

Whiteboard

FYI, have begun work on this blueprint. Posted some thoughts on implementation at http://lists.openstack.org/pipermail/openstack-dev/2017-May/117488.html - would appreciate feedback. - pbourke

Gerrit topic: https://review.openstack.org/#q,topic:bp/allow-encrypting-of-muranopl-properties,n,z

Addressed by: https://review.openstack.org/471772
    Implement encryption for MuranoPL object model

Addressed by: https://review.openstack.org/475416
    Add encryptData yaql function

Addressed by: https://review.openstack.org/481894
    Fix create environment TypeError
