
Keep sensitive information out of node attributes

Sensitive information stored in data bags (such as passwords) should
not be stored as node attributes, because they are persisted back to
the server and can therefore be easily retrieved.

Change-Id: I26c1fc1d49a86d8f9ccb6f1a80af90a781c1a80c
changes/41/112141/3
John Warren 4 years ago
commit 979aeb5fa1
1 changed file with 178 additions and 0 deletions
specs/juno/common/no-secret-attributes.rst (+178, -0)

@@ -0,0 +1,178 @@
+=================================================
+Keep sensitive information out of node attributes
+=================================================
+
+https://blueprints.launchpad.net/openstack-chef/+spec/no-secret-attributes
+
+Sensitive information such as passwords should not be stored as node
+attributes, because they are persisted back to the server and can therefore
+be easily retrieved.
+
+Problem description
+===================
+
+Wrapped recipes (e.g. mysql::server) use node attributes for retrieving
+sensitive information, such as passwords associated with privileged
+accounts.  This type of information is specified via items in encrypted
+data bags, but because node attributes are involved, the security provided
+by the encryption mechanism can easily be defeated by simply retrieving the
+node attributes from the server.
+
+For example (from mysql-server):
+
+::
+
+  if node['openstack']['db']['root_user_use_databag']
+      super_password = get_password 'user', node['openstack']['db']['root_user_key']
+      node.set_unless['mysql']['server_root_password'] = super_password
+  else
+      super_password = node['mysql']['server_root_password']
+  end
+
+The password is retrieved from a (possibly encrypted) data bag and stored
+into a node attribute to be consumed downstream by the :code:`server`
+recipe in the :code:`mysql` cookbook.  After the node is converged, all
+someone needs to do to retrieve the password as clear text is execute
+:code:`knife node edit NODE_NAME`, thereby defeating a data bag's encryption
+capabilities.
+
+Proposed change
+===============
+
+The proposed solution is to operate on server resources directly or use
+run_state to set passwords, depending on which is available for use in
+a given recipe.
+
+Again, using MySQL as an example (operating directly on resource):
+
+::
+
+  if node['openstack']['db']['root_user_use_databag']
+      super_password = get_password 'user', node['openstack']['db']['root_user_key']
+  else
+      super_password = node['mysql']['server_root_password']
+  end
+
+  mysql_service node['mysql']['service_name'] do
+    server_root_password super_password
+    ...
+  end
+
+The password is stored only in a local variable and directly assigned to the
+:code:`mysql_service` resource's :code:`server_root_password` attribute.
+The :code:`mysql::server` recipe is not invoked and all of the other resource
+attributes are set directly as well (indicated via :code:`...`). Since the
+password is never stored as a node attribute, it cannot be retrieved via
+:code:`knife node edit NODE_NAME`. Note that other resource attributes (for
+instance :code:`port`) can still be set to node-attribute values and thus
+their default values can still be specified in :code:`attributes/default.rb`.
+Also note that the above example shows that a node attribute can still be
+used to store password information, if that is what the user wants to do.
+This is done by leaving the :code:`['openstack']['db']['root_user_use_databag']`
+set to its default value of :code:`false`.
+
+Alternatives
+------------
+
+One alternative would be to have the wrapped recipes fall back to default
+attribute values and set the resource attributes directly, as described at
+https://sethvargo.com/changing-chef-resources-at-runtime/.  However, this
+is arguably a non-strategic workaround.
+
+Data model impact
+-----------------
+
+none
+
+REST API impact
+---------------
+
+none
+
+Security impact
+---------------
+
+Security would be improved because passwords would no longer be accessible
+as node attributes.
+
+Notifications impact
+--------------------
+
+none
+
+Other end user impact
+---------------------
+
+None. The recipes would be backward compatible because the mechanisms for
+specifying the databag type (encrypted or standard) and name and related
+node attributes needed to use data bags would remain unchanged.  The only
+thing changing would be the mechanics of how the data contained in data
+bags is populated into the resources created by the recipes.  Note that
+end users would still have the option to not use data bags at all.
+
+Performance Impact
+------------------
+
+none
+
+Other deployer impact
+---------------------
+
+none
+
+Developer impact
+----------------
+
+none
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+* jswarren
+
+Work Items
+----------
+
+The known impacted recipes are:
+
+* cookbook-openstack-ops-database::mysql-server
+* cookbook-openstack-ops-database::postgresql-server
+* cookbook-openstack-ops-messaging::rabbitmq-server
+
+Dependencies
+============
+
+The cookbooks involved in setting up the resources in question need to
+provide a mechanism for setting passwords either as a resource attribute
+that can be set directly or as a run_state attribute.  Other mechanisms
+that do not expose passwords as node attributes should also be acceptable.
+
+
+Testing
+=======
+
+The cookbooks in question would need to be tested to ensure that when
+data bags are used to specify passwords that the password values are not
+reflected in the attributes (if any) used for setting passwords.  In other
+words, a given referenced cookbook or recipe might still allow the use
+of node attributes to set passwords in addition to the above-mentioned
+possible alternatives.  However, when node attributes are not used to
+specify passwords, the passwords must then not be stored as node
+attributes by the referenced recipes.
+
+
+Documentation Impact
+====================
+
+Documentation should not change, since the blackbox behavior of the recipes
+should remain unchanged.  The documentation associated with the referenced
+resource recipes may need to change when accommodations are made for
+alternative means of setting passwords, but those changes are orthogonal to
+the work described here.
+
+References
+==========
+
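Review bot: The "Security impact" section overstates what the change delivers: it says passwords "would no longer be accessible as node attributes", yet the proposed code's else branch still reads the password from node['mysql']['server_root_password'], and the "Proposed change" text itself says this remains the behaviour when root_user_use_databag is left at its default of false. Qualify the claim to the data-bag path (for example, "when data bags are used, passwords are no longer persisted as node attributes") and say explicitly whether the insecure default is meant to stay. Two smaller points. The "Testing" section describes the check only in prose; a concrete acceptance criterion would be that after a converge with root_user_use_databag set to true, mysql.server_root_password is absent from the node object saved on the server, which is the very exposure the "Problem description" demonstrates with knife node edit. The "Proposed change" also names run_state as the second mechanism without saying why it qualifies; one sentence noting that node.run_state is held only in the chef-client process for the duration of the run and is never written back to the server would make the rationale match the one given for direct resource assignment. Finally, the "References" section is left empty while the blueprint URL and the sethvargo.com link appear inline above; listing them there would make the section useful.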
