-
-
Notifications
You must be signed in to change notification settings - Fork 745
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secrets in kv store phase #0 #2631
Conversation
I am ok with 400. I guess we are saying for the current configuration state this request is bad. |
@@ -57,8 +76,39 @@ class KeyValuePairAPI(BaseAPI): | |||
'additionalProperties': False | |||
} | |||
|
|||
@staticmethod | |||
def _setup_crypto(): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would imagine encryption and decryption for kvp being handled in the persistence or the db modules. This way its not an API only feature and it would be possible to get decrypted keys even if not using the API i.e. from services do not use the API layer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I can move the code around when we address that.
Would it be safer to not support a list level decrypt? I wonder if there is value in providing this in the first place. |
Overall +1 to design and impl. Once you add some tests and docs around this good to go :) |
Well, with RBAC this might get even harder but it is something we need to solve I think. I was debating it myself too. Let's wait for another input to break the tie. |
'Initialization Vector' per run and the IV is part of the output. | ||
|
||
:param encrypt_key: Symmetric AES key to use for encryption. | ||
:type encrypt_key: :class:`keyczar.keys.AesKey` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for this method does it matter if its an AesKey? Is there is higher interface/superclass?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep. Unfortunately it does. The Encrypt method is on the key object which is keyczar and AES specific implementation.
Keyczar already provides a tool for managing and rotating keys. Do you plan to build a wrapper around that or something else? |
@@ -0,0 +1 @@ | |||
{"hmacKey": {"hmacKeyString": "685EWJ8U2U_c3Ulv9ibB6aa0Y9aYm-0bCwe2mqjLJuw", "size": 256}, "aesKeyString": "eKGFrfNEUhAgX0uofaU1wQ", "mode": "CBC", "size": 128} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For fixtures that's a fine path, but for actual key on production, we should advise users to put in a path with limited access (e.g. /etc/private or similar).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, will say that in docs.
I'm not totally against this approach, but as mentioned on Slack, I would prefer to use public key cryptography. This will make it easier for us to eventually move to a safer model, where we have a single service (or similar) which is responsible for decrypting data (this would be the only service which has access to the private key, reducing the surface area), but other services (e.g. API) will still be able to encrypt data using the public key... |
We can swap it out if needed. I don't see this as a big problem now that we have API & CLI changes. |
@mock.patch.object( | ||
models.ResourceManager, 'get_by_id', | ||
mock.MagicMock(return_value=None)) | ||
def test_command_get_by_name(self): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed this bogus test. The underlying code was anyways calling get_by_id and we are already testing that in previous test case.
Correct - a wrapper. Some argparse + keyczar + fwrite() |
👍 for design, thanks! didn't look into impl. yet.
The use case is, for instance, migration by admin to another node. As admin, I dump all KV with |
Would migrating the encrypted data as well as the key work just as well? |
Re saving and serializing encrypted data - I can't recall if Keyczar already does that, but if doesn't we should update serialized data so it includes header with the encryption information (which algorithm was used, etc.). This will makes this such as migrating to a different algorithm or similar easier. |
@@ -240,7 +240,8 @@ def query(self, **kwargs): | |||
if 'limit' in kwargs and kwargs.get('limit') <= 0: | |||
kwargs.pop('limit') | |||
token = kwargs.get('token', None) | |||
params = {} | |||
params = kwargs.get('params', {}) | |||
print(params) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably need to remove print here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed it in 406a701.
It does not. It assumes symmetric crypto key to be always AES. The library doesn't support other symmetric crypto algos. https://github.com/google/keyczar/blob/master/python/src/keyczar/keys.py#L425 |
What?
This PR allows encrypted items to be stored in key value store. The encryption is symmetric AES256 encryption and we use keyczar to do this. The encryption key is global for all keys. So StackStorm admin can decrypt all the keys. However, with RBAC, we'll make sure only intended user (and admin) can decrypt the user's keys.
TODO
CLI examples
PUT
GET
List
API examples
No secret case
Secret case. No encryption key setup by admin
XXX: Note I return 400 BAD REQUEST. Opinions welcome.
Secret case. Encryption key setup.