[openstack-dev] Barbican Incubation Review

Justin Santa Barbara justin at fathomdb.com
Wed Jan 29 22:21:18 UTC 2014


Given the issues we continue to face with achieving stable APIs, I
hope there will be some form of formal API review before we approve
any new OpenStack APIs.  When we release an API, it should mean that
we're committing to support that API _forever_.

Glancing at the specification, I noticed some API issues that will be
hard to fix:
* the API for asymmetric keys (i.e. keys with a public and private
part) has not yet been fleshed out
* there does not appear to be support for key rotation
* I don't see metadata or tags or some other way for API consumers to
attach extra information they might need
* "cypher_type" is spelled in the less common way

The first two are deal-breakers IMHO for a 1.0.  #3 is a straight
extension, so could be added later, but I think it an important safety
valve in case anything else got missed.  #4 will probably cause the
most argument :-)

Everyone is looking forward to the better security that Barbican will
bring, so I think it all the more important that we avoid a rapid v2.0
and the pain that brings to everyone.  I would hope that the PTLs of
all projects that are going to offer encryption review the proposed
API to make sure that it meets their project's future requirements.

I'm presuming that this is our last opportunity for API review - if
this isn't the right occasion to bring this up, ignore me!

Justin


