
Password / Credential vault

Open modir opened this issue 3 years ago • 3 comments

Description: At the moment we can only store the SSH public key in our profile. I would like to extend this and have something like a general vault, similar to "Azure Key Vault". This way we could inject more than just public keys into VMs.

Use case: As an example, we could inject SSL certificates as well.

Interface changes: At the moment we already have some contextualization files under "Storage > Files". I could imagine that we can upload the SSH keys and SSL certificates there as files. Or it could be a form where we copy/paste the content in. Both are fine for me.

And of course the API is then needed as well for the cases where the VM itself has to download the files with a script.

Progress Status

  • [ ] Branch created
  • [ ] Code committed to development branch
  • [ ] Testing - QA
  • [ ] Documentation
  • [ ] Release notes - resolved issues, compatibility, known issues
  • [ ] Code committed to upstream release/hotfix branches
  • [ ] Documentation committed to upstream release/hotfix branches

modir · Jun 29 '21 07:06

Hi @modir

Very interesting, indeed. OpenNebula can encrypt attributes; we are currently using this as a "vault" for drivers (e.g. passwords to access a service are encrypted there). Only users that can show (in the onevm show sense) can access the secret.

I think this can fit your case, with some extensions. For example:

ONE_VAULT = [
    SSL_CERTIFICATE = "....",
    DB_PASSWORD = "....",
    GH_TOKEN = "..."
] 

This ONE_VAULT is a special attribute that is encrypted and only shown in plain text through the onevm show operation if the user has access and requests it unencrypted. The vault will be added in plain text to the VM context so you can use it from inside the VM.

Another alternative (maybe complementary) is to add support for encrypted files to the File datastore. Those files would be encrypted with the OpenNebula key and then added unencrypted to the context device.

What do you think?

rsmontero · Jun 29 '21 07:06

Hi @rsmontero, interesting indeed. The first point is roughly what I was thinking about, ideally though with a nice GUI and in some way more "global". This is now bound to a VM or templates, if I understood it correctly.

modir · Jun 29 '21 08:06

Aha, OK, we can put it as part of the user template and inject that into the context, like SSH keys. It probably makes more sense...

rsmontero · Jun 29 '21 08:06