[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?
Brant Knudson
blk at acm.org
Wed Jan 18 19:23:40 UTC 2017
On Wed, Jan 18, 2017 at 9:58 AM, Dave McCowan (dmccowan) <dmccowan at cisco.com
> wrote:
>
> On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco <sigmavirus24 at gmail.com>
> wrote:
>
>> Hi everyone,
>>
>> I've seen a few nascent projects wanting to implement their own secret
>> storage to either replace Barbican or avoid adding a dependency on it.
>> When I've pressed the developers on this point, the only answer I've
>> received is to make the operator's lives simpler.
>>
>>
> This is my opinion, but I'd like to see Keystone use Barbican for storing
> credentials. It hasn't happened yet because nobody's had the time or
> inclination (what we have works). If this happened, we could deprecate the
> current way of storing credentials and require Barbican in a couple of
> releases. Then Barbican would be a required service. The Barbican team
> might find this to be the easiest route towards convincing other projects
> to also use Barbican.
>
> - Brant
>
>
> Can you provides some details on how you'd see this work?
> Since Barbican typically uses Keystone to authenticate users before
> determining which secrets they have access to, this leads to a circular
> logic.
>
> Barbican's main purpose is a secret manager. It supports a variety of
> RBAC and ACL access control methods to determine if a request to
> read/write/delete a secret should be allowed or not. For secret storage,
> Barbican itself needs a secure backend for storage. There is a
> customizable plugin interface to access secure storage. The current
> implementations can support a database with encryption, an HSM via KMIP,
> and Dogtag.
>
>
I haven't thought about it much so don't have details figured out. Keystone
stores many types of secrets for users, and maybe you're thinking about the
user password being tricky. I'm thinking about the users' EC2 credentials
(for example). I don't think this would be difficult and would involve
creating a credentials backend for keystone that supports barbican. Maybe
have a 'keystone' project for credentials keystone is storing? If you're
familiar with the Barbican interface, compare with keystone's credential
interface[0].
[0]
http://git.openstack.org/cgit/openstack/keystone/tree/keystone/credential/backends/base.py#n26
- Brant
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170118/fcf13a69/attachment.html>
More information about the OpenStack-dev
mailing list