Protect MySQL Replication Slave Password

Registered by Morgan Jones on 2014-06-24

The proposed initial implementation of replication for MySQL relies on the password for the replication slave user being stored in the taskmanager and guestagent configuration files. In general this is not a severe security risk: to obtain the password, a perpetrator would first need to gain access to the OpenStack nodes hosting the taskmanager and/or guestagent, in which case they would have access to far more damaging information than the replication slave password.

We should investigate having each replication master generate a unique password for each set of slaves that replicate from it, then using some encryption technology (Barbican?) to share the password with those slaves.

This could also be part of a larger project to investigate how to protect all of the other secrets used in OpenStack, perhaps in connection with the integration of Barbican.

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Morgan Jones
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Nikhil Manchanda on 2014-12-09
