[openstack-dev] [barbican][castellan] How to share secrets in barbican

yanxingan yanxingan at cmss.chinamobile.com
Fri Mar 31 06:58:39 UTC 2017 

Thanks Kaitlin Farr.

In tacker vim usecase, an operator [user A] may create a vim with an 
account[user B] to access the NFVI. I want to store user B's password in 
barbican.

There are two methods to store secret:
1. All user A's vim secrets are stored in one common reserved 
project/user as mentioned.
2. For each user A, the vim secret is stored in it's own domain 
respectively.

The problem of 2 is:
1) Vim can not be shared between different projects with default 
barbican RBAC policy.
2) It's not secure to open the access to all users via RBAC policy. In 
addition, barbican may be invoked by other projects, e.g. nova, neutron lb.
3) It's not convenient to add every user to the ACL of A's secret.

Is barbican ACL suport a "shared" similar attribute to a secret?


On 2017/3/31 3:05, Farr, Kaitlin M. wrote:
>
>>    As i known, the secrets are saved in a user's domain, and other project/user can not retrieve the secrets.
>>     But i have a situation that many users need retrieve a same secret.
>>
>>     After looking into the castellan usage,  I see the method that saving the credentials in configuration,
>>  then all operators use this pre-created user to create/retrieve secrets.
>>  I want to know, is this way typical and easy-accepted? Does other projects face this issue?
>
>
> ​By default, the secrets in Barbican are available at the project-level
> [1]. I am not sure specifically which project or feature you are
> referring to that all users need to access to one secret, but I would
> suggest that editing the Barbican RBAC policy or ACL is a more elegant
> solution than storing username/pw in the conf file. You can find more
> details about RBAC at [2] and a sample policy.json file at [3].
>
> Kaitlin Farr
>
> 1. https://developer.openstack.org/api-guide/key-manager/acls.html#default-acl
> 2. https://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html
> 3. https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

More information about the OpenStack-dev mailing list