Secret Management Service (SMS)

Architecture

This project provides storage for sensitive information such as passwords, usernames, and tokens.

Current state and gaps

Many services in ONAP use password-based authentication, e.g. database servers and publish/subscribe brokers. In many of these services the passwords are stored in plain-text files. With multiple instances of each service, the attack surface grows with every copy of every file. Hence there is a need to reduce the attack surface related to password exposure.

Requirement:

Secure secret management is needed. Services are expected to fetch a secret only when it is needed, using a secret reference, and to remove the secret once they are done with it.

Secret Service High Level Flow Diagram

SMS Flow Diagram

Installation

Kubernetes

The Secret Management Service project is a sub-project of AAF and will be deployed via Helm on Kubernetes under the OOM Project umbrella. It will be automatically installed when the AAF chart is installed.

Standalone Install on Bare-Metal or VM

A script for doing a standalone install is provided in the repository. Run it as below:

cd sms-service/bin/deploy
sms.sh start

Usage Scenario

Create a Domain

This is the root where you will store your secrets.

curl -H "Accept: application/json" --cacert ca.pem --cert client.cert --key client.key \
    -X POST \
    -d '{
            "name": "mysecretdomain"
        }' \
    https://aaf-sms.onap:10443/v1/sms/domain

Add a new Secret

Store a new secret in your created Domain. Secrets have a name and a map containing key value pairs.

curl -H "Accept: application/json" --cacert ca.pem --cert client.cert --key client.key \
    -X POST \
    -d '{
            "name": "mysecret",
            "values": {
                "name": "rah",
                "age": 35,
                "password": "mypassword"
            }
        }' \
    https://aaf-sms.onap:10443/v1/sms/domain/<PREVIOUSLY CREATED DOMAIN NAME>/secret

List all Secret Names in a Domain

curl -H "Accept: application/json" --cacert ca.pem --cert client.cert --key client.key \
    -X GET \
    https://aaf-sms.onap:10443/v1/sms/domain/<PREVIOUSLY CREATED DOMAIN NAME>/secret

Get a previously stored Secret from Domain

curl -H "Accept: application/json" --cacert ca.pem --cert client.cert --key client.key \
    -X GET \
    https://aaf-sms.onap:10443/v1/sms/domain/<PREVIOUSLY CREATED DOMAIN NAME>/secret/<PREVIOUSLY CREATED SECRET NAME>

Delete a Secret in specified Domain

curl -H "Accept: application/json" --cacert ca.pem --cert client.cert --key client.key \
    -X DELETE \
    https://aaf-sms.onap:10443/v1/sms/domain/<PREVIOUSLY CREATED DOMAIN NAME>/secret/<PREVIOUSLY CREATED SECRET NAME>

Delete a Domain

curl -H "Accept: application/json" --cacert ca.pem --cert client.cert --key client.key \
    -X DELETE \
    https://aaf-sms.onap:10443/v1/sms/domain/<PREVIOUSLY CREATED DOMAIN NAME>
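The curl calls above, and the on-demand secret retrieval the Requirement section asks for, as a small Python client. This is an added example, not code from the SMS project: the client talks to the same /v1/sms/domain endpoints with the same --cacert/--cert/--key material, and an in-memory stand-in server (FakeSms, an assumption built for this example, including the {"secretnames": [...]} list format it returns) lets the whole flow run offline.

```python
"""Mutual-TLS client for the SMS v1 REST API, plus an in-memory stand-in
server so the documented flow can be exercised offline.
Added example; the fake server's response shapes are assumptions."""
import json
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class SmsClient:
    """Thin wrapper over /v1/sms. ca/cert/key are the files the curl
    examples pass; when omitted (offline demo) plain HTTP is used."""

    def __init__(self, base_url, ca=None, cert=None, key=None):
        self.base = base_url.rstrip("/") + "/v1/sms"
        self.ctx = None
        if ca and cert and key:
            # Verify the server against the ONAP CA and present our client cert.
            self.ctx = ssl.create_default_context(cafile=ca)
            self.ctx.load_cert_chain(certfile=cert, keyfile=key)

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = Request(self.base + path, data=data, method=method,
                      headers={"Accept": "application/json",
                               "Content-Type": "application/json"})
        with urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None

    def create_domain(self, name):
        return self._call("POST", "/domain", {"name": name})

    def put_secret(self, domain, name, values):
        return self._call("POST", f"/domain/{domain}/secret",
                          {"name": name, "values": values})

    def list_secrets(self, domain):
        return self._call("GET", f"/domain/{domain}/secret")["secretnames"]

    def get_secret(self, domain, name):
        return self._call("GET", f"/domain/{domain}/secret/{name}")["values"]

    def delete_secret(self, domain, name):
        self._call("DELETE", f"/domain/{domain}/secret/{name}")

    def delete_domain(self, domain):
        self._call("DELETE", f"/domain/{domain}")

    def use_secret(self, domain, name, fn):
        """Fetch by reference only when needed, hand the values to fn,
        and drop our reference as soon as fn returns."""
        values = self.get_secret(domain, name)
        try:
            return fn(values)
        finally:
            del values


class FakeSms(BaseHTTPRequestHandler):
    """In-memory stand-in for aaf-sms, used only so the demo runs offline."""
    store = {}  # domain name -> {secret name -> values}

    def _send(self, code, body=None):
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        if body is not None:
            self.wfile.write(json.dumps(body).encode())

    def _body(self):
        n = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(n)) if n else {}

    def _parts(self):  # e.g. ['v1', 'sms', 'domain', <d>, 'secret', <s>]
        return self.path.strip("/").split("/")

    def do_POST(self):
        p, body = self._parts(), self._body()
        if len(p) == 3:  # /v1/sms/domain
            self.store.setdefault(body["name"], {})
            return self._send(201, {"name": body["name"]})
        if len(p) == 5 and p[3] in self.store:  # /domain/<d>/secret
            self.store[p[3]][body["name"]] = body["values"]
            return self._send(201)
        self._send(404)

    def do_GET(self):
        p = self._parts()
        dom = self.store.get(p[3]) if len(p) > 3 else None
        if dom is None:
            return self._send(404)
        if len(p) == 5:
            return self._send(200, {"secretnames": sorted(dom)})
        if len(p) == 6 and p[5] in dom:
            return self._send(200, {"name": p[5], "values": dom[p[5]]})
        self._send(404)

    def do_DELETE(self):
        p = self._parts()
        dom = self.store.get(p[3]) if len(p) > 3 else None
        if dom is None:
            return self._send(404)
        if len(p) == 4:
            del self.store[p[3]]
        elif len(p) == 6 and p[5] in dom:
            del dom[p[5]]
        else:
            return self._send(404)
        self._send(204)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run the documented flow end to end against the fake server."""
    srv = HTTPServer(("127.0.0.1", 0), FakeSms)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        c = SmsClient(f"http://127.0.0.1:{srv.server_port}")
        c.create_domain("mysecretdomain")
        c.put_secret("mysecretdomain", "mysecret",
                     {"name": "rah", "age": 35, "password": "mypassword"})
        names = c.list_secrets("mysecretdomain")
        # Use the password only inside the callback; never keep it around.
        pw_len = c.use_secret("mysecretdomain", "mysecret",
                              lambda v: len(v["password"]))
        c.delete_secret("mysecretdomain", "mysecret")
        left = c.list_secrets("mysecretdomain")
        c.delete_domain("mysecretdomain")
        try:
            c.list_secrets("mysecretdomain")
            gone = False
        except HTTPError as e:
            gone = e.code == 404
        return {"names": names, "pw_len": pw_len, "left": left, "gone": gone}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real deployment, construct the client as SmsClient("https://aaf-sms.onap:10443", ca="ca.pem", cert="client.cert", key="client.key"); the TLS context then verifies the server certificate against the given CA and presents the client certificate, exactly as the curl flags do. The use_secret helper is the shape of the on-demand pattern: the caller never holds the secret outside the callback, which keeps the window in which a plain-text password exists in the service as short as possible.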

Offered APIs

The full API documentation is here:

Release Notes

Version: 4.0.0

Release Date: 2019-05-31

New Features

The Dublin Release does not have any major updates to the Secret Management Service.

Bug Fixes

  • No new fixes were implemented for this release

Security Notes

Fixed Security Issues

  • In the default deployment, AAF SMS (aaf-sms-db) exposes HTTP port 30244 outside of the cluster. [OJSI-121]
  • Secret Management Service allows access to all stored data. [OJSI-206]

Known Security Issues

Known Vulnerabilities in Used Modules

Upgrade Notes

Use the 4.0.0 image for SMS.

Version: 2.0.0

Release Date: 2018-06-25

New Features

The Beijing Release is the first release of the Secret Management Service.

Bug Fixes

  • The full list of implemented user stories, epics and bugs is available on the Beijing Release page <https://jira.onap.org/projects/AAF/versions/10370>

Upgrade Notes

Not applicable, as this is the first release.

End of Release Notes