Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1621186

Summary: [RFE] Use secure storage for switch credentials
Product: Red Hat OpenStack
Reporter: Jakub Libosvar <jlibosva>
Component: python-networking-ansible
Assignee: Michael Chapman <michapma>
Status: CLOSED WONTFIX
QA Contact: Arkady Shtempler <ashtempl>
Severity: high
Priority: high
Version: unspecified
CC: aarapov, bfournie, dradez, dsneddon, jlibosva, michapma, racedoro, tfreger
Target Milestone: Upstream M2
Keywords: FutureFeature, Triaged
Target Release: ---
Flags: tfreger: needinfo+
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Last Closed: 2019-06-26 09:29:10 UTC
Type: Bug

Description Jakub Libosvar 2018-08-23 14:08:42 UTC
The switch credentials are currently stored in plain text format in the ml2 plugin configuration file. From a network administrator's point of view, providing switch credentials to a cloud operator is risky. The credentials can be stored encrypted and secured somewhere else.

Possible options on where to put credentials that need investigation are:

 1) Store the switch credentials in a file encrypted by Ansible Vault. networking-ansible can load the file just like any other vars file. We would still need to store the password for Ansible Vault somewhere.

 2) Store the credentials to Barbican.
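
Added example, not part of the original bug report or the networking-ansible code: a small audit that flags plaintext switch credentials in an ml2 configuration file, and file modes that let other local users access it. The `[ansible:<host>]` section prefix, the key-name hints and the sample values are assumptions for illustration.

```python
import configparser
import os
import stat
import tempfile

# Assumptions: key-name fragments that mark a credential, and the section
# prefix used for per-switch settings. Adjust both to your deployment.
SECRET_HINTS = ("pass", "secret", "token")
SWITCH_PREFIX = "ansible:"

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
[ml2]
mechanism_drivers = ovn,ansible

[ansible:tor-switch-1]
ansible_host = 192.0.2.10
ansible_user = neutron-svc
ansible_ssh_pass = constructed-example-password
"""


def audit_ml2_conf(path):
    """Return findings as tuples; secret values are never included."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:  # any access for "other" users
        findings.append(("loose-mode", format(mode, "o")))
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(path)
    for section in parser.sections():
        if not section.startswith(SWITCH_PREFIX):
            continue
        for key, value in parser.items(section):
            if value.strip() and any(h in key for h in SECRET_HINTS):
                findings.append(("plaintext-credential", section, key))
    return findings


def demo(mode):
    """Write the constructed sample with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ml2_conf.ini")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_ml2_conf(path)


if __name__ == "__main__":
    for finding in demo(0o644):
        print(finding)
```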

Comment 1 Dan Sneddon 2018-08-27 20:38:40 UTC
Please note that we also need support for SSH keys. Is that included in this RFE, or do we need a separate BZ?

Comment 2 Dan Radez 2018-08-28 12:16:36 UTC
Good thought, I think we should address ssh keys in a separate RFE. I think that the storage of passwords vs password-less authentication are slightly different implementations.

I'll create a new set of RFE records across our tracking tools to make sure that ssh key auth gets added.

Comment 8 Dan Radez 2019-06-07 17:12:06 UTC
It has been concluded that this RFE does not currently have a solution to be implemented. Proposed solutions just move the problem a layer deeper behind code we would be writing.
Release flag is being dropped. The demand for this feature needs to be reassessed along with research into what a customer would actually be pleased with using.

Comment 10 Ramon Acedo 2019-06-26 09:29:10 UTC
Will document using low privilege specific access user.

Comment 11 Dan Radez 2019-06-26 14:23:07 UTC
Confirmed, we have instructions to create a user with specific permissions in our docs.