Conversation

@EdwinAhl
Contributor

@EdwinAhl EdwinAhl commented Oct 1, 2025

Assignment Proposal

Title

Storing secrets locally using OpenBao

Names and KTH ID

Deadline

  • Task 3

Category

  • Executable tutorial

Description

The tutorial teaches how to set up and store secrets locally in an OpenBao container. The steps taken during the tutorial are:

  1. Access a database using a password stored as plaintext in a Python program
  2. Scan the Python file using detect-secrets (pip module)
  3. Set up an OpenBao Docker container
  4. Store the secret in OpenBao
  5. Update the Python program to use the secret from OpenBao instead of plaintext

Relevance
In terms of DevSecOps, security must be managed by the team developing the product. By using OpenBao as a local Docker container, a team can manage secrets safely and locally.

Tutorial link
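As an added example (not from the tutorial or this PR), the Python side of step 5: the program reads the database password from OpenBao's KV v2 HTTP API (the Vault-compatible `/v1/<mount>/data/<path>` endpoint) instead of a hardcoded string. The mount name `secret`, the secret path and field names, and the sample response are assumptions; `BAO_ADDR` and `BAO_TOKEN` are assumed to be the environment variables the OpenBao CLI uses.

```python
"""Read a database password from an OpenBao KV v2 secret instead of hardcoding it."""
import json
import os
import urllib.request

# Plaintext version the tutorial starts from (the pattern detect-secrets flags):
# DB_PASSWORD = "hunter2"   # credential committed to source control


def kv2_read_url(addr: str, mount: str, path: str) -> str:
    """Build the KV v2 read URL: <addr>/v1/<mount>/data/<path>."""
    return f"{addr.rstrip('/')}/v1/{mount}/data/{path.strip('/')}"


def extract_kv2_data(body: dict) -> dict:
    """Pull the key/value map out of a KV v2 read response.

    KV v2 nests the user data under data.data (data.metadata holds the
    version info); the API reports failures as {"errors": [...]}.
    """
    if body.get("errors"):
        raise PermissionError("OpenBao returned errors: " + "; ".join(body["errors"]))
    try:
        return body["data"]["data"]
    except (KeyError, TypeError):
        raise ValueError("response is not a KV v2 secret payload") from None


def read_secret(mount: str, path: str, key: str) -> str:
    """Fetch one field of a KV v2 secret, authenticating with BAO_TOKEN."""
    addr = os.environ.get("BAO_ADDR", "http://127.0.0.1:8200")
    token = os.environ["BAO_TOKEN"]  # fail loudly rather than fall back to a hardcoded value
    req = urllib.request.Request(kv2_read_url(addr, mount, path),
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        body = json.load(resp)
    return extract_kv2_data(body)[key]


# Constructed sample response, shaped like a KV v2 read result, for offline demonstration.
SAMPLE_RESPONSE = {
    "data": {
        "data": {"username": "app", "password": "s3cr3t-from-bao"},
        "metadata": {"version": 1, "destroyed": False},
    }
}

if __name__ == "__main__":
    # With a running container: read_secret("secret", "db/creds", "password")
    creds = extract_kv2_data(SAMPLE_RESPONSE)
    print("connecting as", creds["username"])  # the password never appears in source or logs
```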

@dd2482-bot
Collaborator

Readme is not correctly formatted
Need exactly: ['Assignment Proposal', 'Title', 'Names and KTH ID', 'Deadline', 'Category', 'Description']

Got: ['Assignment Proposal', 'Title', 'Names and KTH ID', 'Deadline', 'Category', 'Description', 'Tutorial link']

@sofiabobadilla
Collaborator

We have received the submission.

The tutorial will be graded in the upcoming weeks, and the grades will be reported on canvas.

Thank you for your work.

@sofiabobadilla sofiabobadilla self-assigned this Oct 2, 2025
@sofiabobadilla sofiabobadilla merged commit 27c8654 into KTH:2025 Oct 2, 2025
5 of 6 checks passed
@azraneth
Contributor

azraneth commented Oct 2, 2025

Hi! Birger (birgerk@kth.se) and I would like to provide feedback on this.

@MT0DE
Contributor

MT0DE commented Oct 3, 2025

Hi @azraneth!
We got a question from another group to do feedback on our original PR #2860 as well. I would say yes, but I don't know if multiple people are allowed to give feedback to us.

@sofiabobadilla, is it OK that two groups give us feedback?

@MT0DE
Contributor

MT0DE commented Oct 6, 2025

Hi again,

Not sure if she saw this message, so it is probably OK to go ahead with it unless you found someone else.
Good luck, nonetheless!

@birgerkarlsson
Contributor

We certify that generative AI, incl. ChatGPT, has not been used to write this feedback. Using generative AI without permission is considered academic misconduct.

Great tutorial! We feel like we understand a lot more of the practical parts of using OpenBao now. We'll begin by listing the things we particularly liked about your tutorial:

  • The tutorial is well structured from a top-level perspective. The structure and ILOs are well communicated in the introduction, which is very appreciated.
  • The integration the platform provides with auto-running commands and similar is very convenient and utilized well.
  • On the topic of commands is also the fact that they were all described in very good detail, which was helpful for dissecting them. We never felt unsure about what a command or any of its individual flags or options did.
  • The entertainment in the Minecraft parkour video and variable names were appreciated. We also liked the fact that the humor was introduced very early on in the tutorial, which made the entirety of it feel more lighthearted.

We'll now shift the focus to possible improvements we have thought of, listed below:

  • The first ILO (to set up a password-protected MySQL database) felt rather disconnected from the rest of the content. While this database is later used to demonstrate the main topic of the tutorial, it could be beneficial to drop this first ILO to achieve a more "targeted" focus. One possibility could be to automate the entire setup, up until after the Python virtual environment is activated for example, by having you run a script instead. It would just abstract some things away and achieve a more "straight to the point" ("pang på rödbetan") style tutorial.
  • The commands were very detailed (which is good!) but it could be good to define the basic syntax of a command before showing the example. You could for example have
    bao policy [read/write] [name] [path] before detailing sudo docker exec -it openbao bao policy write python-program /root/PolicyForPythonToken.hcl. Similarly the command descriptions got a bit too detailed towards the end - after the third command you can safely assume that we know that "bao is a CLI tool used to communicate with the OpenBao instance".
  • One thing we felt was missing was some concrete visualization of some steps, most notably of how the access tokens to OpenBao work. We generated a root key and logged in with that, but also configured a policy for another key, and it wasn't entirely clear what each of them was. We think the imagined JSON file was a great way of helping us visualize the structure/location of the secret we created, but some other parts lack this help.
  • Some additional descriptions and motivations could be added for some claims. For example, the summary at the end has the take-away of never storing passwords in plaintext. It's clear that it is not a good idea, but it could definitely be clearer why that is. In this case it could be sufficient to link to some existing resource explaining why, like this one: https://www.beyondtrust.com/resources/glossary/hardcoded-embedded-passwords. Another concrete example is that it is mentioned that we set up a virtual environment in Python to make things easier, but it is never explained why that is. This could also be explained by linking to some other resource for anyone curious enough to read (this is a good one: https://coderivers.org/blog/venv-python/), or it could be abstracted away, "hidden" in a setup script as suggested earlier.

With all this said, we really enjoyed the tutorial. It was just enough to learn some basics without feeling overwhelmed. The tutorial topic felt interesting and relevant for the course!

Birger Karlsson (birgerk@kth.se) and Kevin Wenström (kevinwe@kth.se)

sofiabobadilla pushed a commit that referenced this pull request Oct 9, 2025
* Create README.md

* Update README.md