[barbican] database is growing and can not be purged

Douglas Mendizabal dmendiza at redhat.com
Mon Apr 3 13:28:52 UTC 2023



On 3/21/23 08:58, Pavlo Shchelokovskyy wrote:
 > Hi all,
 >
 > after having some thoughts, I came to another solution, that I think is
 > the most appropriate here, kind of a variation of option 1:
 >
 > 4. Castellan should clean up intermediate resources before returning
 > secret ID(s) to the caller
 >
Hi Pavlo,

We discussed this issue during last week's PTG sessions [1], and we
agree that this approach makes sense from a Castellan point of view.

 > As I see it now, the root of the problem is in castellan's
 > BarbicanKeyManager and the way it hides implementation details from the
 > user.
 > Since it returns only IDs of created secrets to the user, the api caller
 > has no notion that something else has to be deleted once it is time for
 > this.
 > Since the Barbican API is perfectly capable of deleting orders and containers
 > without deleting the secrets they reference, this is what castellan
 > should do just before it returns IDs of generated secrets to the API caller.
 > The only small trouble is that with default 'legacy' API policies in
 > Barbican, not everybody who can create orders can delete them, but this
 > can be accounted for with try..except.
 >
I think it would make sense to update the legacy policies to allow
users with the "creator" role to delete orders.  This change is similar
to a change we made to the Secrets policy to allow deletion by users
with the "creator" role as well. [2]

 > Please review the patch in this regard
 > https://review.opendev.org/c/openstack/castellan/+/877423
 >

Thanks for the patch, I've added it to my review queue.

Additionally, we discussed some changes we'll make to the API this
cycle to hopefully make it easier to manage orders:

* Add a new API Microversion so we can
   * Add a new "generated_by" field to the Secret and Container metadata
     that contains the order ID for secrets/containers that were created
     by an order.  This would be null for secrets not created by an Order.
   * Cascade delete the Order when the secret or container is deleted.

We'll also be looking at the barbican-manage CLI to make sure that
purging deleted secrets is working as expected.

Regards,
- Douglas Mendizábal

[1] https://etherpad.opendev.org/p/march2023-ptg-barbican
[2] https://storyboard.openstack.org/#!/story/2009791
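The cleanup step Pavlo proposes (delete the order, and the container for key pairs, once the secret refs are known, tolerating a policy denial) as an added example. This is not code from either message, from Castellan or from Barbican: the Barbican service is replaced by an in-memory stand-in so the flow runs offline, orders are fulfilled synchronously instead of asynchronously, and the policy table, the FakeBarbican class and the helper names are assumptions made for the illustration. The policy table models the thread's observation that under the legacy policies a "creator" can create orders but not delete them.

```python
"""Added example: best-effort cleanup of Barbican orders/containers before
returning secret refs.  FakeBarbican, the policy table and the helper names
are assumptions made for this illustration, not Barbican or Castellan code."""
import uuid


class Forbidden(Exception):
    """Stand-in for the HTTP 403 Barbican returns when policy denies a call."""


class FakeBarbican:
    """In-memory model of the orders/secrets/containers resources."""

    # Constructed policy table: creators may delete containers but not
    # orders (the legacy-policy situation described in the thread).
    POLICY = {
        "order:delete": {"admin"},
        "container:delete": {"admin", "creator"},
    }

    def __init__(self):
        self.orders, self.secrets, self.containers = {}, {}, {}

    def _enforce(self, rule, roles):
        if not self.POLICY[rule] & set(roles):
            raise Forbidden(f"{rule} denied for roles {sorted(roles)}")

    @staticmethod
    def _ref(kind):
        return f"{kind}/{uuid.uuid4()}"

    def create_order(self, order_type, meta):
        """Create and immediately fulfil an order (real Barbican is async)."""
        order = {"type": order_type, "status": "ACTIVE",
                 "secret_ref": None, "container_ref": None}
        if order_type == "key":
            order["secret_ref"] = self._ref("secrets")
            self.secrets[order["secret_ref"]] = dict(meta)
        elif order_type == "asymmetric":
            # An asymmetric order yields two secrets plus a container that
            # references both; Castellan returns only the two secret refs.
            pub, priv = self._ref("secrets"), self._ref("secrets")
            self.secrets[pub] = dict(meta, part="public")
            self.secrets[priv] = dict(meta, part="private")
            order["container_ref"] = self._ref("containers")
            self.containers[order["container_ref"]] = {
                "public_key": pub, "private_key": priv}
        else:
            raise ValueError(f"unsupported order type {order_type!r}")
        order_ref = self._ref("orders")
        self.orders[order_ref] = order
        return order_ref

    def get_order(self, ref):
        return self.orders[ref]

    def get_container(self, ref):
        return self.containers[ref]

    def delete_order(self, ref, roles):
        """Deleting an order never touches the secrets it produced."""
        self._enforce("order:delete", roles)
        del self.orders[ref]

    def delete_container(self, ref, roles):
        """Deleting a container never touches the secrets it references."""
        self._enforce("container:delete", roles)
        del self.containers[ref]


def cleanup_intermediates(barbican, roles, order_ref, container_ref=None):
    """Delete the container (if any) and the order, swallowing policy denials
    so the caller still gets usable secret refs.  Returns the refs that were
    left behind, so a real implementation could log them for barbican-manage."""
    leftovers = []
    for ref, delete in ((container_ref, barbican.delete_container),
                        (order_ref, barbican.delete_order)):
        if ref is None:
            continue
        try:
            delete(ref, roles)
        except Forbidden:
            leftovers.append(ref)  # e.g. creator-only user, legacy policy
    return leftovers


def create_key(barbican, roles, **meta):
    """Castellan-style create_key: hand back only the secret ref."""
    order_ref = barbican.create_order("key", meta)
    secret_ref = barbican.get_order(order_ref)["secret_ref"]
    cleanup_intermediates(barbican, roles, order_ref)
    return secret_ref


def create_key_pair(barbican, roles, **meta):
    """Castellan-style create_key_pair: (private_ref, public_ref) only."""
    order_ref = barbican.create_order("asymmetric", meta)
    container_ref = barbican.get_order(order_ref)["container_ref"]
    container = barbican.get_container(container_ref)
    refs = (container["private_key"], container["public_key"])
    cleanup_intermediates(barbican, roles, order_ref, container_ref)
    return refs


if __name__ == "__main__":
    fb = FakeBarbican()
    print(create_key(fb, ["creator"], algorithm="aes", bit_length=256))
    print("orders left behind under legacy policy:", len(fb.orders))
```

With an "admin" caller every order and container is gone once the secret refs are returned; with a "creator" caller the container is removed but the order row stays, which is exactly the residue the thread's later suggestions (relaxing the legacy policy, cascade-deleting orders, or a working barbican-manage purge) are meant to remove.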