<div dir="auto"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On 4 Jan 2018 23:35, "Alan Bishop" <<a href="mailto:abishop@redhat.com">abishop@redhat.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Has there been any previous discussion on providing a mechanism for<br>
transferring ownership of a secret from one user to another?<br></blockquote></div></div></div><div dir="auto">For castellan there isn't a discussion AFAIK. But it sounds like something you can enable with Barbican's ACLs.</div><div dir="auto"><br></div><div dir="auto"><a href="https://docs.openstack.org/barbican/latest/api/reference/acls.html">https://docs.openstack.org/barbican/latest/api/reference/acls.html</a><br></div><div dir="auto"><br></div><div dir="auto">You would need to leverage Barbican's API instead of castellan though. </div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Cinder supports the notion of transferring volume ownership to another<br>
user, who may be in another tenant/project. However, if the volume is<br>
encrypted it's possible (even likely) that the new owner will not be<br>
able to access the encryption secret.</blockquote></div></div></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The new user will have the<br>
encryption key ID (secret ref), but may not have permission to access<br>
the secret, let alone delete the secret should the volume be deleted<br>
later. This issue is currently flagged as a cinder bug [1].<br>
<br>
This is a use case where the ownership of the encryption secret should<br>
be transferred to the new volume owner.<br>
<br>
Alan<br>
<br>
[1] <a href="https://bugs.launchpad.net/cinder/+bug/1735285" rel="noreferrer" target="_blank">https://bugs.launchpad.net/cinder/+bug/1735285</a><br>
<br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
</blockquote></div><br></div></div></div>
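The ACL route suggested in the reply, as an added example that is neither from this thread nor from Barbican or castellan: read the secret's current ACL, add the new owner's user id, write it back, and confirm. The endpoint, token, secret ref and user id are constructed placeholders; the example uses only the documented PUT semantics (the whole ACL is replaced, so existing users must be carried over) and grants "read" only, which is the one operation the ACL API exposes, so it does not transfer ownership or delete rights.

```python
"""Grant a second user read access to an existing Barbican secret via its ACL.

Added example, not code from the thread, Barbican or castellan. All URLs,
tokens and ids below are constructed placeholders.
"""
import json
import urllib.request


def merged_read_acl(existing_acl, new_user_id, project_access=None):
    """Build the PUT body from the ACL document returned by GET.

    PUT /v1/secrets/{uuid}/acl replaces the whole ACL, so existing users
    must be carried over or they silently lose access. The timestamps GET
    returns are dropped; project-access keeps its current value unless an
    explicit one is given (default True, matching Barbican's default)."""
    read = existing_acl.get("read", {})
    users = list(dict.fromkeys(list(read.get("users", [])) + [new_user_id]))
    if project_access is None:
        project_access = read.get("project-access", True)
    return {"read": {"users": users, "project-access": project_access}}


def has_read_access(acl, user_id):
    """Check an ACL document (as returned by GET) for a specific user id."""
    return user_id in acl.get("read", {}).get("users", [])


def _call(url, token, method="GET", body=None):
    """Minimal JSON call with a Keystone token; stdlib only."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Auth-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def grant_read_access(secret_ref, token, user_id):
    """GET the ACL, merge the new user, PUT it back, re-read and verify."""
    acl_url = secret_ref.rstrip("/") + "/acl"
    current = _call(acl_url, token)
    _call(acl_url, token, "PUT", merged_read_acl(current, user_id))
    return has_read_access(_call(acl_url, token), user_id)


if __name__ == "__main__":
    # Constructed sample values; replace with a real endpoint, token and ids.
    ref = "https://barbican.example.test/v1/secrets/PLACEHOLDER-SECRET-UUID"
    print(grant_read_access(ref, "PLACEHOLDER-TOKEN", "PLACEHOLDER-USER-ID"))
```

The secret still belongs to the original project, so the new owner can read it but cannot delete it when the volume goes away, which is exactly the gap the bug report describes.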