author: Zuul <zuul@review.openstack.org>, 2018-10-29 17:26:37 +0000
committer: Gerrit Code Review <review@openstack.org>, 2018-10-29 17:26:37 +0000
commit: 27aeeb8fea0d9b8749e023e0d2254c03e3abfdc2 (patch)
tree: e4aa0ef3be1635d20de1a06cb772ae26fc2ca11a
parent: eb178e1d7f4f7eeed09e60c19b36a3943f2af196 (diff)
parent: f711a83ee7eb59e9679ff64c5e9141a8a65a1af8 (diff)
Merge "docs: Add documentation on data redaction"
-rw-r--r-- doc/source/users/encryption.rst 27
1 files changed, 27 insertions, 0 deletions
diff --git a/doc/source/users/encryption.rst b/doc/source/users/encryption.rst
index c1a373d..7ecbb86 100644
--- a/doc/source/users/encryption.rst
+++ b/doc/source/users/encryption.rst
@@ -51,6 +51,33 @@ However, Deckhand will attempt to use Barbican's `other`_ secret types where
51possible. For example, Deckhand will use "public" for document types with kind 51possible. For example, Deckhand will use "public" for document types with kind
52``PublicKey``. 52``PublicKey``.
53 53
54.. _data-redaction:
55
56Data Redaction
57==============
58
59Deckhand supports redacting sensitive document data, including:
60
61* ``data`` section:
62
63 * to avoid exposing the Barbican secret reference, in the case of the
64 "GET documents" endpoint
65 * to avoid exposing actual secret payloads, in the case of the
66 "GET rendered-documents" endpoint
67
68* ``substitutions[n].src|dest`` sections:
69
70 * to avoid reverse-engineering where sensitive data is substituted from or
71 into (in case the sensitive data is derived via :ref:`substitution`)
72
73.. note::
74
75 Document sections related to :ref:`layering` do not require redaction because
76 secret documents are :ref:`control-documents`, which cannot be layered
77 together.
78
79See the :ref:`api-ref` for more information on how to redact sensitive data.
80
54.. _Barbican: https://docs.openstack.org/barbican/latest/api/ 81.. _Barbican: https://docs.openstack.org/barbican/latest/api/
55.. _restriction: https://docs.openstack.org/barbican/latest/api/reference/secrets.html#get-v1-secrets 82.. _restriction: https://docs.openstack.org/barbican/latest/api/reference/secrets.html#get-v1-secrets
56.. _any: https://github.com/openstack/barbican/blob/7991f8b4850d76d97c3482428638f788f5798a56/barbican/plugin/interface/secret_store.py#L272 83.. _any: https://github.com/openstack/barbican/blob/7991f8b4850d76d97c3482428638f788f5798a56/barbican/plugin/interface/secret_store.py#L272
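
Review bot: The new "Data Redaction" section never says when redaction is applied or what controls it (default behaviour, a request option, or policy); "Deckhand supports redacting sensitive document data" is followed only by the reasons for redacting each section, and the reader has to follow the :ref:`api-ref` link to learn how to get redacted output from the "GET documents" and "GET rendered-documents" endpoints. A one-sentence summary next to those two endpoint bullets would let the section stand on its own. The note on layering also rests on "secret documents are :ref:`control-documents`" without this section saying which documents count as secret, so it would help to state that scope before relying on it. Minor wording point: the ``substitutions[n].src|dest`` bullet would read more clearly as "to avoid revealing where sensitive data is substituted from or into".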