securing config.json


Greg Keys

Apr 12, 2016, 12:33:22 AM
to Crossbar
Howdy,

We are in the process of implementing HashiCorp's Vault into our stacks for securely managing secrets.

The secrets we want to manage in regards to crossbar are the authentication usernames in the config.json; we are trying to avoid writing anything to disk.

What we would like to do is pass the config.json in as a command line argument. I did notice that there is a --config option when starting
crossbar, but it looks like it has to be a file?

Are there any other methods for dynamically giving crossbar its config so that it doesn't have to be written to disk?


Tobias Oberstein

Apr 12, 2016, 6:56:22 AM
to cross...@googlegroups.com
Hi Greg,

reading the config from stdin - we could easily add that ability. It's
not there currently though.

Then, we could also allow secrets to be read from environment variables
.. I need to look into that (I _think_ we have that ability already for
certain config things ..).

I guess you are using WAMP-CRA or WAMP-Ticket authentication? Because
these do have secrets. Whereas WAMP-Cryptosign is a public-private key
based authentication mechanism where there are no secrets at all in the
node config! But this is alpha, and it's only implemented in
AutobahnPython, not yet the other Autobahns.

Dynamically configuring Crossbar.io (without any local node
configuration file) is possible via the management API, that is yet to
be released (the code is in CB already, but we want to expose that via
Crossbar.io DevOps Center - I think we've talked about that previously
.. it's upcoming).

--

So, sorry, all 4 above: no immediate solution to your itch =(

The first one is trivial to add .. on what Crossbar.io version are you
running currently? I think I remember you had some other issues that
prevent you from running the latest? What was that again?

Cheers,
/Tobias

Greg Keys

Apr 13, 2016, 2:45:32 AM
to Crossbar
On Tuesday, April 12, 2016 at 3:56:22 AM UTC-7, Tobias Oberstein wrote:
> Hi Greg,
>
> reading the config from stdin - we could easily add that ability. It's
> not there currently though.

Reading from stdin would be perfect for now.

> Then, we could also allow secrets to be read from environment variables
> .. I need to look into that (I _think_ we have that ability already for
> certain config things ..).

Environment variables, while convenient, aren't really secure because they can show up in logs or be accessed in fairly simple ways if a system is compromised.
We are trying not to write anything to a file or an env variable if we can help it.

> I guess you are using WAMP-CRA or WAMP-Ticket authentication? Because
> these do have secrets. Whereas WAMP-Cryptosign is a public-private key
> based authentication mechanism where there are no secrets at all in the
> node config! But this is alpha, and it's only implemented in
> AutobahnPython, not yet the other Autobahns.
>
> Dynamically configuring Crossbar.io (without any local node
> configuration file) is possible via the management API, that is yet to
> be released (the code is in CB already, but we want to expose that via
> Crossbar.io DevOps Center - I think we've talked about that previously
> .. it's upcoming).

Dynamic configuration would be really great, I can imagine it will work much better for our purposes.

> --
>
> So, sorry, all 4 above: no immediate solution to your itch =(
>
> The first one is trivial to add .. on what Crossbar.io version are you
> running currently? I think I remember you had some other issues that
> prevent you from running the latest? What was that again?

Currently running 0.12 for reasons, but we are at a place we can update to the latest once again.

> Cheers,
> /Tobias


Dominique Burnand

Aug 30, 2016, 4:56:17 AM
to Crossbar
Any news regarding this issue?
I am struggling with the same, as I am looking for a way not to store any critical data in such configuration files.

Greg Keys

Sep 7, 2016, 12:11:41 AM
to Crossbar
We are storing all our credentials and configs in Vault, and for anything that needs a file we just grab it from Vault and write it to a file. Here is an example from our container entrypoint.sh:


has_config(){
    # Read the secret from Vault; the response stays in this shell variable.
    JSON=$(curl \
        -H "X-Vault-Token: ${VAULT_TOKEN}" \
        -H "Content-Type: application/json" \
        -s \
        -X GET "${VAULT_ADDR}${VAULT_PATH}")

    # Vault reports failures as {"errors": [...]}; "null" means no error.
    ERRORS=$(echo "${JSON}" | jq -r '.errors[0]')
    echo "ERRORS value = $ERRORS"

    [ "$ERRORS" = "null" ]
}

until has_config; do
  >&2 echo "Configuration is not yet available - sleeping"
  sleep 1
done

# Write each secret out as the file Crossbar expects.
echo "${JSON}" | jq -r .data.config > /node/.crossbar/config.json
echo "${JSON}" | jq -r .data.dhparam > /node/certs/dhparam.pem
echo "${JSON}" | jq -r .data.certificate > /node/certs/server.crt
echo "${JSON}" | jq -r .data.key > /node/certs/server.key
echo "${JSON}" | jq -r .data.chain > /node/certs/chain.crt
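The same fetch-from-Vault-then-write-files approach as the entrypoint.sh above, redone in Python as an added example (not code from the original post or from Crossbar.io) with the checks a practitioner would want around it: refuse to write anything when Vault answers with an error or the secret lacks a key, create the files 0600 inside 0700 directories, and prefer a memory-backed directory so the plaintext never touches persistent disk. The Vault response shape (KV v1: `{"data": {...}}` or `{"errors": [...]}`), the sample response and the assumption that /dev/shm is a tmpfs are this example's own.

```python
"""Poll Vault for a Crossbar.io node's secrets and write them as 0600 files,
preferably on tmpfs. Added example mirroring the entrypoint.sh above; the
sample response below is constructed and the PEM bodies are placeholders."""
import json
import os
import stat
import tempfile
import time
import urllib.error
import urllib.request

# Vault data key -> destination relative to the node dir (same five files
# as the shell script).
FILE_MAP = {
    "config": ".crossbar/config.json",
    "dhparam": "certs/dhparam.pem",
    "certificate": "certs/server.crt",
    "key": "certs/server.key",
    "chain": "certs/chain.crt",
}

# Constructed sample in the shape of a successful Vault KV v1 read (assumption).
SAMPLE_CONFIG_JSON = '{"version": 2, "controller": {}, "workers": []}'
SAMPLE_RESPONSE = {"data": {
    "config": SAMPLE_CONFIG_JSON,
    "dhparam": "-----BEGIN DH PARAMETERS-----\nPLACEHOLDER\n-----END DH PARAMETERS-----\n",
    "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "chain": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
}}


def fetch_secret(vault_addr, vault_path, token, timeout=5):
    """GET the secret; Vault puts errors in the body even on 4xx/5xx, so
    that body is returned too and vault_errors() decides."""
    req = urllib.request.Request(vault_addr + vault_path,
                                 headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        body = exc.read()
        return json.loads(body.decode()) if body else {"errors": ["HTTP %d" % exc.code]}


def vault_errors(response):
    """Errors in a Vault response, [] when it carries data. Same idea as the
    shell's `jq -r '.errors[0]'` == "null", but a body without .data (Vault
    answers 404 with {"errors": []}) is treated as an error, not as empty files."""
    errs = response.get("errors")
    if errs:
        return list(errs)
    if not isinstance(response.get("data"), dict):
        return ["response carries no .data object"]
    return []


def wait_for_secret(fetch, attempts=60, delay=1.0):
    """The `until has_config` loop: retry until Vault hands back data."""
    last = {"errors": ["not fetched"]}
    for _ in range(attempts):
        last = fetch()
        if not vault_errors(last):
            return last
        time.sleep(delay)
    raise RuntimeError("configuration not available: %s" % vault_errors(last))


def write_secret_files(response, dest_dir, file_map=FILE_MAP):
    """Write each .data.<key> to dest_dir/<path> as 0600 (dirs 0700).
    The whole response is validated first, so an error or a missing key
    never leaves Crossbar with a half-written config. Returns paths written."""
    errs = vault_errors(response)
    if errs:
        raise RuntimeError("vault error: %s" % errs)
    data = response["data"]
    missing = [k for k in file_map if k not in data]
    if missing:
        raise RuntimeError("secret is missing keys: %s" % missing)
    written = []
    old_umask = os.umask(0o077)  # directories created below come out 0700
    try:
        for key, rel in file_map.items():
            path = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(data[key])
            written.append(path)
    finally:
        os.umask(old_umask)
    return written


def memory_backed_dir(preferred="/dev/shm"):
    """Fresh node dir on tmpfs when /dev/shm exists (assumption: it is tmpfs
    on the host); otherwise the system temp dir, flagged as possibly on disk."""
    if os.path.isdir(preferred) and os.access(preferred, os.W_OK):
        return tempfile.mkdtemp(prefix="crossbar-", dir=preferred), True
    return tempfile.mkdtemp(prefix="crossbar-"), False


def demo():
    """Self-check on the constructed sample: returns {relpath: (mode, content)}."""
    with tempfile.TemporaryDirectory() as tmp:
        out = {}
        for path in write_secret_files(SAMPLE_RESPONSE, tmp):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path) as fh:
                out[os.path.relpath(path, tmp)] = (mode, fh.read())
        return out


if __name__ == "__main__":
    # Real use takes VAULT_ADDR, VAULT_PATH and VAULT_TOKEN like the shell script.
    node_dir, in_memory = memory_backed_dir()
    resp = wait_for_secret(lambda: fetch_secret(
        os.environ["VAULT_ADDR"], os.environ["VAULT_PATH"], os.environ["VAULT_TOKEN"]))
    for p in write_secret_files(resp, node_dir):
        print("wrote", p, "(tmpfs)" if in_memory else "(may be on disk)")
```

Two caveats carry over from the thread: a tmpfs file is still pageable, so swap has to be off or encrypted for "not on disk" to hold, and the Vault token itself still arrives through an environment variable here, exactly the channel flagged earlier in the thread as visible in logs and to anyone on a compromised host.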

Adam Jorgensen

Sep 7, 2016, 12:46:40 AM
to Crossbar
I take it you are encrypting your memory as well right?