On 4 Jan 2018 23:35, "Alan Bishop" <abishop at redhat.com> wrote:

> Has there been any previous discussion on providing a mechanism for
> transferring ownership of a secret from one user to another?

For castellan there isn't a discussion AFAIK. But it sounds like something you can enable with Barbican's ACLs.

https://docs.openstack.org/barbican/latest/api/reference/acls.html

You would need to leverage Barbican's API instead of castellan though.

> Cinder supports the notion of transferring volume ownership to another
> user, who may be in another tenant/project. However, if the volume is
> encrypted it's possible (even likely) that the new owner will not be
> able to access the encryption secret. The new user will have the
> encryption key ID (secret ref), but may not have permission to access
> the secret, let alone delete the secret should the volume be deleted
> later. This issue is currently flagged as a cinder bug [1].
>
> This is a use case where the ownership of the encryption secret should
> be transferred to the new volume owner.
>
> Alan
>
> [1] https://bugs.launchpad.net/cinder/+bug/1735285
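
The ACL route suggested in the reply, as an added example that is not part of the original message or of any OpenStack project's code: it builds, without sending, the `PUT {secret_ref}/acl` request from the ACL reference linked above, adding the new volume owner to the secret's `read` users while keeping the users already listed. The endpoint host, UUIDs, user IDs and token are constructed placeholders; the ACL grants read access and does not change who owns the secret.

```python
import json
import re
import urllib.request

# Matches a Barbican secret ref ending in /v1/secrets/<uuid>.
_SECRET_REF = re.compile(
    r"/v1/secrets/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def merged_read_acl(current_acl, new_user_id):
    """Add new_user_id to the 'read' users, keeping what is already set.

    PUT replaces the whole ACL, so the existing users must be resent.
    """
    read = current_acl.get("read", {})
    users = list(read.get("users", []))
    if new_user_id not in users:
        users.append(new_user_id)
    return {"read": {"users": users,
                     # Barbican reports project-access true when no ACL is set.
                     "project-access": read.get("project-access", True)}}


def build_acl_request(secret_ref, acl_body, token):
    """Build (but do not send) PUT {secret_ref}/acl."""
    if not _SECRET_REF.search(secret_ref):
        raise ValueError("not a Barbican secret ref: %r" % secret_ref)
    return urllib.request.Request(
        secret_ref + "/acl",
        data=json.dumps(acl_body).encode("utf-8"),
        headers={"X-Auth-Token": token, "Content-Type": "application/json"},
        method="PUT")


# Constructed sample values (not from the thread).
SECRET_REF = ("https://barbican.example.test:9311/v1/secrets/"
              "15621a1b-efdf-41d8-92dc-356cec8e9da9")
CURRENT_ACL = {"read": {"users": ["721e27b8505b499e8ab3b38154705b9e"],
                        "project-access": True}}   # as returned by GET .../acl
NEW_OWNER = "2d0ee7c681cc4549b6d76769c320d91f"     # Keystone user ID

if __name__ == "__main__":
    body = merged_read_acl(CURRENT_ACL, NEW_OWNER)
    req = build_acl_request(SECRET_REF, body, token="<keystone-token>")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```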