[security-dev] IDM and vault are the same thing
Anil Saldhana
Anil.Saldhana at redhat.com
Wed Jul 31 20:38:58 EDT 2013
A very thought provoking observation.
IMO in the presence of IDM lite, the vault is not necessary. Eventually
we can probably retire
the vault by using the File System store implementation of the IDM in
the app server.
A vault has just one purpose. Safe storage and retrieval of attributes
for identities. In the case of app server,
the primary use case has been safe storate/retrieval of passwords. The
vault is not supposed to validate
credentials.
There is a weak link in the case of the vault. Password to the KeyStore
has to be masked (for specifying in
the configuration) or retrieved in a proprietary manner.
On 07/31/2013 01:40 PM, David M. Lloyd wrote:
> Consider:
>
> IDM:
> * associates identities with credentials
> * provides ability to retrieve credentials or verify against credentials
>
> Vault:
> * associates identities with credentials
> * provides ability to retrieve credentials or verify using credentials
>
> So, they're basically the same thing, except vaults are kind of a crappy
> hack. Instead of using a sys prop kludge for vaulted passwords, we
> should have an explicit reference to an identity store plus an identity,
> and simply not have a field for passwords in the config, period.
>
> Discuss
>
More information about the security-dev
mailing list