[openstack-dev] [castellan] Removing Keystoneauth Dependency in Castellan Discussion

Doug Hellmann doug at doughellmann.com
Tue Dec 12 20:15:41 UTC 2017

Excerpts from Dave McCowan (dmccowan)'s message of 2017-12-12 19:56:49 +0000:
> On 12/12/17, 10:38 AM, "Doug Hellmann" <doug at doughellmann.com> wrote:
> >
> >> On Dec 12, 2017, at 9:42 AM, Paul Bourke <paul.bourke at oracle.com> wrote:
> >> 
> >> From my understanding it would be a cleanup operation - which to be
> >>honest, would be very much welcomed. I recently did a little work with
> >>Castellan to integrate it with Murano and found the auth code to be very
> >>messy, and flat out broken in some cases. If it's possible to let the
> >>barbican client take care of this that sounds good to me.
> >> 
> >> > Which mode is used the most in the services that consume castellan
> >> > today?
> >> 
> >> Afaik Barbican is the only backend that currently exists in Castellan
> >>[0]. Looking again it seems some support has been added for vault which
> >>is great, but I reckon Barbican would still be the primary use.
> >> 
> >> I haven't been hugely active in Castellan but if the team would like
> >>some more input on this or reviews please do ping me, I'd be glad to
> >>help.
> >
> >What I mean is, in the services consuming Castellan, how do they expect
> >it to authenticate to Barbican? As the current user or as a hard-coded
> >fixed user controlled by the deployer? I would think most services would
> >need to connect as the "current" user talking to them so they can access
> >that user's secrets from Barbican. Removing the keystoneauth stuff from
> >the driver would therefore break all of those applications.
> >
> >Doug
> We're a mix right now.  Nova and Cinder pass through the user's token to
> retrieve the user's key for encrypted volumes.  Octavia uses its service
> account to retrieve certificates for load balancing TLS connections.
> Users must grant Octavia read permissions in advance.

OK, so it sounds like we do need to continue to support both
approaches to authentication.

> Keystone is currently the only authentication option for Barbican.  I
> believe the proposal to decouple keystoneauth is advance work for adding
> new auth methods and backends as future work.  Vault and Custodia are two
> such backends in progress.  They don't support keystoneauth and likely
> won't, so we'll need alternatives.

Each driver manages its own authentication, right? Why do we need to
remove the keystoneauth stuff in the barbican driver in order to enable
other drivers?

> Reviews and contributions to Castellan and Barbican have been light over
> the last cycle, while deployment interest and feature requests have been
> high.  Any help will be appreciated!
> --Dave
