On 3/31/19 7:00 PM, White2, James wrote:
Here are my comments on v6 of the Protecting Secrets document.
- <p1> 1st sentence: "centralize management" --> "centralized management"
- <p2> 2nd sentence: "permission need" --> "permission needs"
= inventory of edgex secrets =
- last bullet, last sentence: "securely store" --> "securely stored"
= secret storage architecture =
step 1 - the last part of the last sentence needs re-wording ("and an ACL that back by Vault..."). I'd actually just suggest dropping that part instead.
- Shouldn't this step happen before 1?
- This should mention that the access token is the master
- Are there more than one initialization programs (same question for step 3)?
= vault initialization =
- If the secret store init is written in Go, it's not really a script anymore. Just sayin...
- <p2> 2nd sentence:
- if secrets are passed by command-line, aren't they going to
be in source code wherever the command-line is defined? This
applies to environment variables too... Why not use a
configuration file approach where the init app would read secrets
configuration files from a volume and then delete them when
- how would someone do this if EdgeX is being deployed via
docker-compose? how would someone do this in the snap?
- <p2> last sentence: What's the use case for being able to generate GUIDs or random strings?
- <p3> This sentence ("If the credentials need to be updated...") doesn't make sense as written.
= vault master token file protection =
- I'd suggest a slight re-wording of the first sentence:
- Also note that on a traditional Unix/Linux system this file
would be only owner-readable via standard MAC; however, doing this
with Docker and shared volumes might be tricky.
- And a slight re-wording of the second sentence too:
= org of secrets =
- <p1> "In general, credentials will be organized under a namespace of v1/secret/edgex/:path"
- Is the ":" a typo?
- Is mongodbinit an existing micro service?
- paths typically start with a "/"
- <p4> It looks like the way to trigger GUID generation is to just
use the value "xxxxxxxxx-xxxxxxxx-xxxxxxxx". Does password
generation use the same value, or is it just a string of 'x' chars?
Does the length matter?