[openstack-dev] [castellan] Removing Keystoneauth Dependency in Castellan Discussion

Dave McCowan (dmccowan) dmccowan at cisco.com
Tue Dec 12 19:56:49 UTC 2017



On 12/12/17, 10:38 AM, "Doug Hellmann" <doug at doughellmann.com> wrote:

>
>> On Dec 12, 2017, at 9:42 AM, Paul Bourke <paul.bourke at oracle.com> wrote:
>> 
>> From my understanding it would be a cleanup operation - which to be
>> honest, would be very much welcomed. I recently did a little work with
>> Castellan to integrate it with Murano and found the auth code to be very
>> messy, and flat out broken in some cases. If it's possible to let the
>> barbican client take care of this that sounds good to me.
>> 
>> > Which mode is used the most in the services that consume castellan
>> > today?
>> 
>> Afaik Barbican is the only backend that currently exists in Castellan
>> [0]. Looking again it seems some support has been added for vault which
>> is great, but I reckon Barbican would still be the primary use.
>> 
>> I haven't been hugely active in Castellan but if the team would like
>> some more input on this or reviews please do ping me, I'd be glad to
>> help.
>
>What I mean is, in the services consuming Castellan, how do they expect
>it to authenticate to Barbican? As the current user or as a hard-coded
>fixed user controlled by the deployer? I would think most services would
>need to connect as the "current" user talking to them so they can access
>that user's secrets from Barbican. Removing the keystoneauth stuff from
>the driver would therefore break all of those applications.
>
>Doug

We're a mix right now.  Nova and Cinder pass through a user's token to
retrieve the user's key for encrypted volumes.  Octavia uses its service
account to retrieve certificates for load balancing TLS connections.
Users must grant Octavia read permissions in advance.

Keystone is currently the only authentication option for Barbican.  I
believe the proposal to decouple keystoneauth is advance work for adding
new auth methods and backends as future work.  Vault and Custodia are two
such backends in progress.  They don't support keystoneauth and likely
won't, so we'll need alternatives.

Reviews and contributions to Castellan and Barbican have been light over
the last cycle, while deployment interest and feature requests have been
high.  Any help will be appreciated!

--Dave
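The two authentication modes Dave describes, as an added toy model written for this page (it is not castellan or barbican code): Nova and Cinder forward the calling user's own token, so the request reaches the key manager as that user's project; Octavia calls as a fixed service account and can only read a tenant's certificate if the tenant granted it read access beforehand. The `Context`, `Secret` and `ToyKeyManager` names, the identities, and the ownership/ACL rule (owner project or a user on the secret's read ACL may read) are simplified assumptions, not Barbican's real policy.

```python
# Added example (not castellan or barbican code): a toy key manager that
# models the two ways services in the thread authenticate to the secret
# store. Nova and Cinder pass the calling user's own token through, so the
# request context is the user's; Octavia uses its own service account and
# must have been granted read access in advance. Ownership and ACL rules
# here are simplified assumptions, not Barbican's real policy.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller's context is not allowed to read a secret."""


@dataclass
class Context:
    """Identity the key manager sees after token validation (assumed shape)."""
    user_id: str
    project_id: str


@dataclass
class Secret:
    secret_id: str
    owner_project: str
    payload: bytes
    read_acl: set = field(default_factory=set)  # user IDs granted read


class ToyKeyManager:
    """Minimal stand-in for a key manager backend; constructed for this example."""

    def __init__(self):
        self._secrets = {}

    def store(self, ctx, secret_id, payload):
        # The creating project owns the secret.
        self._secrets[secret_id] = Secret(secret_id, ctx.project_id, payload)

    def grant_read(self, ctx, secret_id, user_id):
        # Only the owning project may extend the ACL ("users must grant
        # Octavia read permissions in advance").
        sec = self._secrets[secret_id]
        if sec.owner_project != ctx.project_id:
            raise PermissionDenied("only the owner can edit the ACL")
        sec.read_acl.add(user_id)

    def get(self, ctx, secret_id):
        # Readable by the owning project, or by a user on the read ACL.
        sec = self._secrets[secret_id]
        if sec.owner_project == ctx.project_id or ctx.user_id in sec.read_acl:
            return sec.payload
        raise PermissionDenied(f"{ctx.user_id} may not read {secret_id}")


# Constructed identities for the walkthrough.
TENANT = Context(user_id="alice", project_id="proj-a")
OCTAVIA = Context(user_id="octavia-svc", project_id="service")


def user_token_passthrough():
    """Nova/Cinder style: the service calls with the user's own context."""
    km = ToyKeyManager()
    km.store(TENANT, "volume-key-1", b"volume-key")
    # The service forwards the user's token; no ACL grant is needed because
    # the request is made as the owning project.
    return km.get(TENANT, "volume-key-1")


def service_account(granted):
    """Octavia style: a fixed service user reads the tenant's certificate."""
    km = ToyKeyManager()
    km.store(TENANT, "lb-cert-1", b"tls-cert")
    if granted:
        km.grant_read(TENANT, "lb-cert-1", OCTAVIA.user_id)
    try:
        return km.get(OCTAVIA, "lb-cert-1")
    except PermissionDenied:
        # Without the advance grant the service account is refused.
        return None


if __name__ == "__main__":
    print(user_token_passthrough())
    print(service_account(granted=True))
    print(service_account(granted=False))
```

The point of the model is the one Doug raises: the pass-through mode works only because the key manager sees the user's validated token, so a Castellan driver with keystoneauth removed would have to replace that path with an explicit grant model for every consuming service, or those services would lose access.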