1 files changed, 69 insertions, 0 deletions
diff --git a/meta-openstack/Documentation/README.barbican b/meta-openstack/Documentation/README.barbican
new file mode 100644
index 0000000..59eedea
--- /dev/null
+++ b/meta-openstack/Documentation/README.barbican
@@ -0,0 +1,69 @@
+Summary
+=======
+This document is intended to provide an overview of the implementation
+details with the current release of Barbican.
+Limitation 1: No authorization required for retrieving secrets
+=============================================================
+The current implementation of Barbican allows secrets that are stored using
+authentication to be retrieved without authentication.  Thus, all stored
+secrets are available to anyone with access to the system.
+An example of this, can be seen from running the following commands, using
+the barbicanclient:
+$ barbican --os-username admin --os-password not-valid secret store \
+ -n mysecret -p 'top secret data' -t 'text/plain'
+returns: a failure as the username and password are not correct
+$ barbican --os-username admin --os-password password secret store \
+ -n mysecret -p 'top secret data' -t 'text/plain'
+returns: [the address retrieve the secret]
+$ barbican --no-auth secret get --decrypt [address returned above]
+returns: top secret data 
+Limitation 2: Integration with Keystone authentication
+=======================================================
+Introduced in the Grizzly release of OpenStack, Keystone by default uses
+PKI tokens as opposed to UUID tokens.  PKI tokens are much larger then UUID
+tokens (> 6000 bytes versus 16 bytes).  Without changing the maximum packet
+size, PKI tokens are too large to fit into a Barbican request packet.  The
+uWSGI maximum packet size has been increased to the maximum of 65355 bytes
+(from the default of 4096 bytes) in order to support PKI tokens by default.
+The larger PKI token size will increase the network load due to the larger
+packets that are sent when authentication is enabled.
+When using Barbican with Keystone authentication it is a known problem that
+due to the varying length of the PKI token secret size for Barbican has no
+fixed maximum.  There are two solutions to this problem:
+* Don't use Keystone authentication when storing secrets with Barbican
+* Change Keystone to revert back using UUID tokens instead of PKI tokens
+  (See next section below for the security implications of doing this)
+Changing Keystone to use UUID tokens
+====================================
+PKI tokens increase security by increasing the token size versus using UUID
+tokens. Reverting back to UUID tokens fixes the problem described above.
+However, the disadvantage is that you loose the security PKI tokens provide
+to all resources that use Keystone for authentication purposes, including
+Barbican.
+To have Keystone use UUID as tokens, change the bitbake recipe 
+(python-keystone_git.bb) by setting the TOKEN_FORMAT variable to a value of
+"UUID" and recompile. ie. Change the line TOKEN_FORMAT ?= "PKI" to
+TOKEN_FORMAT="UUID" in the python-keyston_git.bb file.
+Security Implications
+=====================
+* UUID tokens are shorter in length then UUID tokens, thus they are more
+  susceptible to brute force attacks.
+* Changing Keystone to use UUID tokens affects all system services that
+  rely on Keystone (for example, the Horizon web interface)

diff --git a/meta-openstack/Documentation/README.barbican b/meta-openstack/Documentation/README.barbican new file mode 100644 index 0000000..59eedea --- /dev/null +++ b/meta-openstack/Documentation/README.barbican
@@ -0,0 +1,69 @@
	1	Summary
	2	=======
	3
	4	This document is intended to provide an overview of the implementation
	5	details with the current release of Barbican.
	6
	7
	8	Limitation 1: No authorization required for retrieving secrets
	9	=============================================================
	10
	11	The current implementation of Barbican allows secrets that are stored using
	12	authentication to be retrieved without authentication. Thus, all stored
	13	secrets are available to anyone with access to the system.
	14
	15	An example of this, can be seen from running the following commands, using
	16	the barbicanclient:
	17	$ barbican --os-username admin --os-password not-valid secret store \
	18	-n mysecret -p 'top secret data' -t 'text/plain'
	19	returns: a failure as the username and password are not correct
	20	$ barbican --os-username admin --os-password password secret store \
	21	-n mysecret -p 'top secret data' -t 'text/plain'
	22	returns: [the address retrieve the secret]
	23	$ barbican --no-auth secret get --decrypt [address returned above]
	24	returns: top secret data
	25
	26
	27	Limitation 2: Integration with Keystone authentication
	28	=======================================================
	29	Introduced in the Grizzly release of OpenStack, Keystone by default uses
	30	PKI tokens as opposed to UUID tokens. PKI tokens are much larger then UUID
	31	tokens (> 6000 bytes versus 16 bytes). Without changing the maximum packet
	32	size, PKI tokens are too large to fit into a Barbican request packet. The
	33	uWSGI maximum packet size has been increased to the maximum of 65355 bytes
	34	(from the default of 4096 bytes) in order to support PKI tokens by default.
	35	The larger PKI token size will increase the network load due to the larger
	36	packets that are sent when authentication is enabled.
	37
	38	When using Barbican with Keystone authentication it is a known problem that
	39	due to the varying length of the PKI token secret size for Barbican has no
	40	fixed maximum. There are two solutions to this problem:
	41
	42	* Don't use Keystone authentication when storing secrets with Barbican
	43	* Change Keystone to revert back using UUID tokens instead of PKI tokens
	44	(See next section below for the security implications of doing this)
	45
	46
	47	Changing Keystone to use UUID tokens
	48	====================================
	49
	50	PKI tokens increase security by increasing the token size versus using UUID
	51	tokens. Reverting back to UUID tokens fixes the problem described above.
	52	However, the disadvantage is that you loose the security PKI tokens provide
	53	to all resources that use Keystone for authentication purposes, including
	54	Barbican.
	55
	56	To have Keystone use UUID as tokens, change the bitbake recipe
	57	(python-keystone_git.bb) by setting the TOKEN_FORMAT variable to a value of
	58	"UUID" and recompile. ie. Change the line TOKEN_FORMAT ?= "PKI" to
	59	TOKEN_FORMAT="UUID" in the python-keyston_git.bb file.
	60
	61
	62	Security Implications
	63	=====================
	64
	65	* UUID tokens are shorter in length then UUID tokens, thus they are more
	66	susceptible to brute force attacks.
	67	* Changing Keystone to use UUID tokens affects all system services that
	68	rely on Keystone (for example, the Horizon web interface)
	69