Shared VIM for Policy Action Execution¶
https://blueprints.launchpad.net/tacker/+spec/shared-barbican-secret
This spec describes the plan to implement shared vim for policy action execution.
Problem description¶
In current implementation [1], a registered vim’s password is encoded by fernet, and the fernet key is saved in barbican as a secret. With barbican’s default policy, only the user who created the secret can obtain the secret, which leads to a problem that registered vim can not be shared by other tenants.
So if we want to do VNF LCM operation not via tacker api, such as policy action execution, we have no keystone token to access barbican secret.
BP [2] wants to use mistral to do vnf monitor and execute policy action, depending on this spec’s realization.
Proposed change¶
There are three methods to fix this problem. wo will use the first method.
Save the fernet key in one specific tenant, such as tacker service tenant. This method will lead to all vims can be invoked by other tenants.
- The main implementation is as follows:
- register vim
We use fernet to encrypt the VIM password, then use the tacker service tenant configured in the tacker.conf to save the fernet key to the barbican as a secret. barbican will return secret_uuid. then save encrypted into vim db’s field password, and save the secret uuid into vim db field secret_uuid.
- retrieving vim
We use the tacker service tenant configured in the tacker.conf and secret_uuid to get the fernet key from barbican, and decode with password using fernet.
- delete vim
We use the tacker service tenant configured in the tacker.conf to delete the secret by the secret_uuid in vim db from barbican.
we add the tacker service tenant to the acl of all fernet_key in barbican. Only the service tenant can invoke all vims. The policy action will use this service tenant. this method we need to modify other project. So not recommended.
When create a VNF with monitor policy, we save the context information ( without token due to it has expired time). Then the policy action use these information to access barbican.Originally, the fernet key is based on VIM. If it is changed to this, it will be in VNF, so that it will store a lot of secrect information. So not recommended.
Data model impact¶
None
REST API impact¶
None
Security impact¶
None
Notifications impact¶
None
Other end user impact¶
None
Performance Impact¶
None
Other deployer impact¶
This feature requires “tacker” user which has “admin” role. When creating a “tacker” user via devstack, we need to add the “admin” role to the “tacker” user.
Developer impact¶
None
Implementation¶
Assignee(s)¶
- Primary assignee:
Li Jiale <lijiale@cmss.chinamobile.com>
- Other contributors:
Yan Xing’an <yanxingan@cmss.chinamobile.com
Work Items¶
Unit Tests
Functional Tests
Feature documentation in doc/source/devref/feature
Dependencies¶
None
Testing¶
None
Documentation Impact¶
update doc/source/contributor/encrypt_vim_auth_with_barbican.rst with new steps.