In order to authenticate with a BMC, a username and password are required. These can be the same for all devices in a cluster or they can be individual per device. In either case, we need to allow admins to securely store them separately from SMD, which is not suited to be a secure credential store. The credentials will need to be retrievable for unattended actions.
Admins with proper authentication to OpenCHAMI should be able to issue commands to the BMCs through the system (for power control, diagnostics, etc.) without needing to know the credentials used.
Options:
- Store a URL for credentials with drivers for various storage engines including HashiCorp Vault and file://
- Store encrypted passwords in an OpenCHAMI backend like Viper config
- Other?
We need to consider the most secure option for sites like LANL, but we also need to consider a low-infrastructure option for sites without significant existing infrastructure.
Originally posted by @alexlovelltroy in https://github.com/OpenCHAMI/smd/issues/32#issuecomment-2449583602