[openstack-dev] Incubation Request for Barbican

Bhandaru, Malini K malini.k.bhandaru at intel.com
Tue Dec 17 22:59:22 UTC 2013

To add to Jarret's arguments,  across OpenStack we have seen as subsystems grow more mature and complex from additional feature extensions, they spawn off into separate projects.
Case in point -- Neutron rose out of Nova Networking, and is marching on in richness and community support.  Common libraries went into Oslo. The Nova scheduler is currently being forklifted into a service of its own called gantt.
At the Portland summit such considerations were raised and given that Barbican provides a separate functionality, it does cleanly live in its own project. True the public/private key pair of a service, tenant etc is part of its identity. In that respect Keystone and Barbican would intersect, which could be managed by delegating the storage of the public key in Barbican, like a directory service.


-----Original Message-----
From: Jarret Raim [mailto:jarret.raim at RACKSPACE.COM] 
Sent: Tuesday, December 17, 2013 11:36 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Incubation Request for Barbican

On 12/13/13, 7:56 AM, "Russell Bryant" <rbryant at redhat.com> wrote:

>1) Are each of the items you mention big enough to have a sustainable 
>team that can exist as its own program?

The answer here for Barbican and Keystone is yes.

>2) Would there be a benefit of *changing* the scope and mission of the 
>Identity program to accomodate a larger problem space?  "Security"
>sounds too broad ... but I'm sure you see what I'm getting at.

Dolph and I have talked about this a bit. Right now, if we combined them, it feels like we would have meetings where the first half would be about Keystone and the second about Barbican. Same for design sessions. The systems and the concerns they address are entirely separate. Currently the teams are also entirely separate.

While I think we can encourage both teams to have a close relationship (Adam Young and I had a conversion about that recently), there is no benefit to combining the teams now other than to reduce the number of programs. As the combination doesn¹t help either project, it seems like Barbican having its own program is the best option.

>When we're talking about authentication, authorization, identity 
>management, key management, key distribution ... these things really
>*do* seem related enough that it would be *really* nice if a group was 
>looking at all of them and how they fit into the bigger OpenStack 
>picture.  I really don't want to see silos for each of these things.

I don¹t agree here. Key management and distribution can be used to solve problems in the identity space. They can also be used to solve problems in other spaces in openstack. Barbican uses keystone to provide auth / auth to keys, much like Nova uses keystone to provide auth / auth to servers.
Additionally, Barbican will deal with other parts of the encryption space (e.g. SSL) that have very little to do with identity.

>So, would OpenStack benefit from a tighter relationship between these 
>projects?  I think this may be the case, personally.

I think there would be benefit to individuals working together from the two projects where it makes sense - especially where we have knowledge overlaps. I don¹t agree that including Barbican in the Identity program is the right way to do that.

>Could this tighter relationship happen between separate programs?  It 
>could, but I think a single program better expresses the intent if 
>that's really what is best.

Barbican¹s intent is to simplify key management to enable consuming systems and users to offer or use encryption in their services. This is a fundementally different mission than Keystone has.


More information about the OpenStack-dev mailing list