Page MenuHomePhabricator

VM request for RelEng pwstore
Closed, DeclinedPublic

Description

Number of systems: 1
Service: pwstore
Processor Requirements: 1
Memory: 1GB
Disks: 20GB

VM request for a small ganeti instance for T139093: Use pwstore (a shared gpg-encrypted password store) for Release Engineering related passwords

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 21 2017, 7:43 PM

I'm wondering if it can just live next to the existing pwstore repo that ops uses. It's just a repo and everything is encrypted with GPG and releng probably already has ability to clone it, just not decrypt it. see https://office.wikimedia.org/wiki/Pwstore#Checking_out_the_pwstore_repository

adding @Muehlenhoff

Dzahn added a comment.Jul 21 2017, 7:49 PM

actually, it may even make sense to do it all in a single pwstore repo and just add a new group for releng.

greg added a subscriber: greg.Jul 21 2017, 8:08 PM

Yeah, whatever works, we didn't want to over-presume on Ops' part :)

demon added a subscriber: demon.Jul 21 2017, 8:44 PM

actually, it may even make sense to do it all in a single pwstore repo and just add a new group for releng.

I had that thought too, but as Greg said we didn't want to presume. Having our store as a sub-store/group of the ops one would be perfect, as then ops would have all our passwords at their disposal too.

But if that's not feasible, setting up our own pwstore was the next best idea we had.

Dzahn added a comment.Jul 21 2017, 8:46 PM

Should be feasible since we already added separate access group for dc-ops before (T158285).

There's really no need for a separate VM, a pwstore is just a git repo with a few megabytes of data :-)
I suggest you simply use a /srv on e.g. tin (or some other host where anyone from releng has access to).

The current ops pwstore is on neodymium which is a restricted host, so we can't easily share this.

demon added a comment.Jul 21 2017, 9:14 PM

There's really no need for a separate VM, a pwstore is just a git repo with a few megabytes of data :-)
I suggest you simply use a /srv on e.g. tin (or some other host where anyone from releng has access to).
The current ops pwstore is on neodymium which is a restricted host, so we can't easily share this.

Well, we'd like to restrict access to these as well. tin is accessible to all deployers--which is too wide of a group to share all of our secrets with. I suppose we could bastardize something like the jenkins server or gerrit boxes but that seems silly.

Something segregated would be nice. Indeed--it's kind of silly to need a whole box, which is why we set the specs as low as humanly possible.

Dzahn added a comment.Jul 21 2017, 9:16 PM

The other deployers would still have to decrypt the encrypted files to actually see content though, so it's not really sharing secrets with them unless we don't trust GPG by itself.

demon added a comment.Jul 21 2017, 9:28 PM

The other deployers would still have to decrypt the encrypted files to actually see content though, so it's not really sharing secrets with them unless we don't trust GPG by itself.

Maybe ops could put their passwords on tin as well? 😏🙃😂

demon awarded a token.Jul 21 2017, 9:34 PM
thcipriani closed this task as Declined.Jul 21 2017, 9:58 PM

The other deployers would still have to decrypt the encrypted files to actually see content though, so it's not really sharing secrets with them unless we don't trust GPG by itself.

An extra layer of security in the case of storing passwords is prudent and not unreasonable.

We'll investigate a private phabricator repository for storing encrypted passwords.

An extra layer of security in the case of storing passwords is prudent and not unreasonable.

But isn't it actually:

GPG + restricted repo = 2 layers

GPG + unrestricted repo = 1 layer

no GPG + restricted phab repo = 1 layer

sorry, you said they are still encrypted. so still using pwstore but with phab repo. gotcha then.!