securing config.json

#1

Howdy,

We are in the process of implementing hashicorp’s vault into our stacks for securely managing secrets.

The secrets we want to manage in regard to crossbar are the authentication usernames in the config.json; we are trying to avoid writing anything to disk.

What we would like to do is pass the config.json in as a command line argument. I did notice that there is a --config option when starting crossbar, but it looks like it has to be a file?

Are there any other methods for dynamically giving crossbar its config so that it doesn't have to be written to disk?

0 Likes

#2

Hi Greg,

Reading the config from stdin - we could easily add that ability. It's not there currently though.

Then, we could also allow secrets to be read from environment variables .. I need to look into that (I _think_ we have that ability already for certain config things ..).

I guess you are using WAMP-CRA or WAMP-Ticket authentication? Because these do have secrets. Whereas WAMP-Cryptosign is a public-private key based authentication mechanism where there are no secrets at all in the node config! But this is alpha, and it's only implemented in AutobahnPython, not yet the other Autobahns.

Dynamically configuring Crossbar.io (without any local node configuration file) is possible via the management API, that is yet to be released (the code is in CB already, but we want to expose that via Crossbar.io DevOps Center - I think we've talked about that previously .. it's upcoming).

So, sorry, all 4 above: no immediate solution to your itch =(

The first one is trivial to add .. on what Crossbar.io version are you running currently? I think I remember you had some other issues that prevent you from running the latest? What was that again?

Cheers,
/Tobias

On 12.04.2016 at 06:33, Greg Keys wrote:

Howdy,

We are in the process of implementing hashicorp's vault into our stacks
for securely managing secrets.
The secrets we want to manage in regards to crossbar are the
authentication usernames in the config.json we are trying to avoid
writing anything to disk.

What we would like to do is pass the config.json into a command line
argument, I did notice that there is a --config option when starting
crossbar but it looks like it has to be a file?

Are there any other methods for dynamically giving crossbar its config
so that it doesn't have to be written to disk?


0 Likes

#3

Hi Greg,

Reading the config from stdin - we could easily add that ability. It's
not there currently though.

Reading from stdin would be perfect for now.

Then, we could also allow secrets to be read from environment variables
… I need to look into that (I think we have that ability already for
certain config things …).

Environment variables, while convenient, aren’t really secure because they can show up in logs or be accessed in fairly simple ways if a system is compromised.

We are trying not to write anything to a file or an env variable if we can help it.

I guess you are using WAMP-CRA or WAMP-Ticket authentication? Because
these do have secrets. Whereas WAMP-Cryptosign is a public-private key
based authentication mechanism where there are no secrets at all in the
node config! But this is alpha, and it's only implemented in
AutobahnPython, not yet the other Autobahns.

Dynamically configuring Crossbar.io (without any local node
configuration file) is possible via the management API, that is yet to
be released (the code is in CB already, but we want to expose that via
Crossbar.io DevOps Center - I think we've talked about that previously
… it's upcoming).

Dynamic configuration would be really great, I can imagine it will work much better for our purposes.

So, sorry, all 4 above: no immediate solution to your itch =(

The first one is trivial to add … on what Crossbar.io version are you
running currently? I think I remember you had some other issues that
prevent you from running the latest? What was that again?

Currently running 0.12 for reasons, but we are at a place we can update to the latest once again.

On Tuesday, April 12, 2016 at 3:56:22 AM UTC-7, Tobias Oberstein wrote:

0 Likes
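The reply above objects that a secret handed over in an environment variable stays visible: it is inherited by every child process and turns up in environment dumps. One mitigation, shown here as an added Python example that is not Crossbar.io code and not anything the posters wrote, is to consume the variable exactly once and unset it before anything else is spawned. The variable name `CROSSBAR_TICKET_SECRET` and its value are constructed for the example; this reduces the window of exposure but does not help with the launcher that set the variable in the first place.

```python
import os
import subprocess
import sys


def take_secret_from_env(name):
    """Read a secret from the environment exactly once and remove it.

    Hypothetical helper: os.environ.pop() also calls unsetenv(), so the
    C-level environment that exec'd children inherit is updated as well.
    Returns None when the variable is absent.
    """
    return os.environ.pop(name, None)


def child_sees(name):
    """Spawn a child Python process and report whether it can read `name`."""
    code = "import os, sys; sys.stdout.write('1' if %r in os.environ else '0')" % name
    out = subprocess.run(
        [sys.executable, "-c", code], capture_output=True, text=True, check=True
    )
    return out.stdout == "1"


def demo():
    """Constructed scenario: a launcher planted a ticket secret in our environment."""
    os.environ["CROSSBAR_TICKET_SECRET"] = "constructed-example-secret"
    inherited_before = child_sees("CROSSBAR_TICKET_SECRET")   # True: children inherit it
    secret = take_secret_from_env("CROSSBAR_TICKET_SECRET")
    inherited_after = child_sees("CROSSBAR_TICKET_SECRET")    # False after the pop
    return secret, inherited_before, inherited_after


if __name__ == "__main__":
    print(demo())
```

The process that called `take_secret_from_env` still holds the value in memory, which is the point made in post #6 below about memory: unsetting the variable only stops it leaking onward to children and to anything that later reads the process environment.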

#4

Any news regarding this issue?
I am struggling with the same, as I am looking for a way not to store any critical data in such configuration files.

0 Likes

#5

We are storing all our credentials and configs in vault, and for anything that needs a file we just grab it from vault and write it to a file; here is an example from our container entrypoint.sh:

```bash
#!/bin/bash
# Poll Vault until the secret at ${VAULT_ADDR}${VAULT_PATH} can be read.
has_config() {
    JSON=$(curl \
        -H "X-Vault-Token: ${VAULT_TOKEN}" \
        -H "Content-Type: application/json" \
        -s \
        -X GET "${VAULT_ADDR}${VAULT_PATH}")

    # Vault reports API errors in an "errors" array; jq prints "null" when it is absent.
    # The jq filter is quoted so the shell does not treat [0] as a glob.
    ERRORS=$(echo "${JSON}" | jq -r '.errors[0]')
    echo "ERRORS value = $ERRORS"

    [ "$ERRORS" == "null" ]
}

until has_config; do
    >&2 echo "Configuration is not yet available - sleeping"
    sleep 1
done

# Extract each secret field and write it where Crossbar.io expects it.
echo "${JSON}" | jq -r .data.config > /node/.crossbar/config.json
echo "${JSON}" | jq -r .data.dhparam > /node/certs/dhparam.pem
echo "${JSON}" | jq -r .data.certificate > /node/certs/server.crt
echo "${JSON}" | jq -r .data.key > /node/certs/server.key
echo "${JSON}" | jq -r .data.chain > /node/certs/chain.crt
```

On Tuesday, August 30, 2016 at 1:56:17 AM UTC-7, Dominique Burnand wrote:

0 Likes
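The entrypoint above writes the fetched material to disk with whatever umask the container has, and it cannot tell a missing field from an empty one. Below is a hardened version of the same materialise-from-Vault step, added here as a Python example; it is not the poster's entrypoint and not Crossbar.io code. It assumes the KV v1 response layout used in the post (`.errors` and `.data.<field>`), the five field names the post uses, and a memory-backed directory such as `/dev/shm` as the destination (an assumption, not a Crossbar.io default); `demo()` runs offline against a constructed response and never contacts Vault.

```python
import json
import os
import stat
import tempfile
import urllib.request

# Assumed destination: /dev/shm is tmpfs on most Linux systems, so files live in RAM only.
DEFAULT_SECRET_DIR = "/dev/shm/crossbar-secrets"

# Vault field -> relative file name, taken from the entrypoint in the post.
FIELD_TO_FILE = {
    "config": ".crossbar/config.json",
    "dhparam": "certs/dhparam.pem",
    "certificate": "certs/server.crt",
    "key": "certs/server.key",
    "chain": "certs/chain.crt",
}


class VaultError(Exception):
    """Vault reported an error or returned an unusable response."""


def fetch_vault_secret(addr, path, token):
    """GET a KV v1 secret from Vault; network call, not used by demo()."""
    req = urllib.request.Request(addr + path, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_vault_response(text):
    """Return the .data dict, or raise VaultError for errors/missing fields."""
    try:
        body = json.loads(text)
    except ValueError as exc:
        raise VaultError("response is not JSON: %s" % exc)
    if body.get("errors"):
        raise VaultError("; ".join(body["errors"]))
    data = body.get("data")
    if not isinstance(data, dict):
        raise VaultError("response has no data object")
    missing = [f for f in FIELD_TO_FILE if f not in data]
    if missing:
        raise VaultError("missing fields: %s" % ", ".join(missing))
    return data


def vault_error_for(text):
    """Convenience for checks: the VaultError message, or None if the response is usable."""
    try:
        parse_vault_response(text)
    except VaultError as exc:
        return str(exc)
    return None


def write_private_file(path, content):
    """Create `path` with mode 0600 and refuse to overwrite an existing file (O_EXCL)."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def materialise(data, secret_dir=DEFAULT_SECRET_DIR):
    """Write every field under secret_dir; returns {field: absolute path}."""
    written = {}
    for field, rel in FIELD_TO_FILE.items():
        content = data[field]
        if not isinstance(content, str):
            content = json.dumps(content)  # config may be stored as a JSON object
        written[field] = write_private_file(os.path.join(secret_dir, rel), content)
    return written


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Offline run against a constructed Vault response in a fresh temp dir."""
    sample = json.dumps({"data": {
        "config": {"version": 2, "workers": []},
        "dhparam": "-- constructed dhparam --",
        "certificate": "-- constructed cert --",
        "key": "-- constructed key --",
        "chain": "-- constructed chain --",
    }})
    secret_dir = tempfile.mkdtemp(prefix="crossbar-secrets-")
    paths = materialise(parse_vault_response(sample), secret_dir)
    with open(paths["config"]) as fh:
        config = json.load(fh)
    return {"modes": {f: oct(file_mode(p)) for f, p in paths.items()}, "config": config}


if __name__ == "__main__":
    print(demo())
```

Compared with the shell version, this rejects a response whose `data` lacks a field instead of writing an empty file, creates every file with mode 0600 regardless of the inherited umask, and fails rather than silently replacing a file that is already there. The material still exists as files for as long as the process runs, which is the residual risk post #6 below alludes to.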

#6

I take it you are encrypting your memory as well right?

On Wednesday, 7 September 2016 06:11:41 UTC+2, Greg Keys wrote:

0 Likes