[openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

Jay Pipes jaypipes at gmail.com
Tue Jun 27 12:33:42 UTC 2017


 From what I can tell, Keycloak is an Identity provider, not a secret store?

-jay

On 06/27/2017 05:35 AM, Adam Heczko wrote:
> Barbican already supports multiple secret storage backends [1] and most 
> likely adding Keycloak's one [2] should be possible.
> 
> [1] 
> https://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
> [2] https://github.com/jpkrohling/secret-store
> 
> On Tue, Jun 27, 2017 at 10:42 AM, Thierry Carrez
> <thierry at openstack.org> wrote:
> 
>     Mikhail Fedosin wrote:
>     >             Does the above mean you are implementing a shared secret storage
>     >             solution or that you are going to use an existing solution like
>     >             Barbican that does that?
>     >
>     >         Secrets is a plugin for Glare we developed for Nokia CloudBand
>     >         platform, and they just decided to open source it. It doesn't
>     >         use Barbican, technically it is an oslo.versionedobjects class.
>     >
>     >     Sorry to hear that you opted not to use Barbican.
>     >
>     > I think it's only because Keycloak integration is required by Nokia's
>     > system and Barbican doesn't support it.
> 
>     Any technical reason why it couldn't be added to Barbican? Any chance
>     Keycloak integration could be added as a Castellan backend? Secrets
>     management is really one of those things that should *not* be reinvented
>     in every project. It is easier to get wrong than people think, and you
>     end up having to do security audits on 10 repositories instead of one.
> 
>     --
>     Thierry Carrez (ttx)
> 
>     __________________________________________________________________________
>     OpenStack Development Mailing List (not for usage questions)
>     Unsubscribe:
>     OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>     <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>     <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
> 
> 
> 
> 
> -- 
> Adam Heczko
> Security Engineer @ Mirantis Inc.
> 
> 
> 


