[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Ian Cordasco sigmavirus24 at gmail.com
Tue Jan 17 12:36:38 UTC 2017


On Mon, Jan 16, 2017 at 6:11 PM, Joshua Harlow <harlowja at fastmail.com> wrote:
>> Is the problem perhaps that no one is aware of other projects using
>> Barbican? Is the status on the project navigator alarming (it looks
>> like some of this information is potentially out of date)? Has
>> Barbican been deemed too hard to deploy?
>>
>> I really want to understand why so many projects feel the need to
>> implement their own secrets storage. This seems a bit short-sighted
>> and foolish. While these projects are making themselves easier to
>> deploy, if not done properly they are potentially endangering their
>> users and that seems like a bigger problem than deploying Barbican to
>> me.
>>
>
> Just food for thought, and I'm pretty sure it's probably the same for
> various others; but one part that I feel is a reason that folks don't deploy
> barbican is because most companies need a solution that works beyond
> OpenStack and whether people like it or not, an OpenStack-specific solution
> isn't really something that is attractive (especially with the growing
> adoption of other things that are *not* OpenStack).
>
> Another reason, some companies have or are already building/built solutions
> that offer functionality like what's in https://github.com/square/keywhiz
> and others and such things integrate with kubernetes and **their existing**
> systems ... natively already so why would they bother with a service like
> barbican?
>
> IMHO we've got to get our heads out of the sand with regard to some of this
> stuff, expecting people to consume all things OpenStack and only all things
> OpenStack is a losing battle; companies will consume what is right for their
> need, whether that is in the OpenStack community or not, it doesn't really
> matter (maybe at one point it did).

As long as they're using something secure, that's fine by me. Instead
these projects all want to reimplement the same functionality on their
own.

Does Castellan need to become something that can integrate with
Barbican + all of these other projects?

-- 
Ian Cordasco


