[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Douglas Mendizábal douglas.mendizabal at rackspace.com
Wed Jan 18 22:41:03 UTC 2017



We've also talked about fancier non-keystone-auth like x.509 certificates.

- Douglas

On 1/18/17 11:52 AM, Clint Byrum wrote:
> Excerpts from Dave McCowan (dmccowan)'s message of 2017-01-18
> 15:58:19 +0000:
>> 
>> On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco
>> <sigmavirus24 at gmail.com> wrote:
>> Hi everyone,
>> 
>> I've seen a few nascent projects wanting to implement their own
>> secret storage to either replace Barbican or avoid adding a
>> dependency on it. When I've pressed the developers on this point,
>> the only answer I've received is to make the operator's lives
>> simpler.
>> 
>> 
>> This is my opinion, but I'd like to see Keystone use Barbican for
>> storing credentials. It hasn't happened yet because nobody's had
>> the time or inclination (what we have works). If this happened,
>> we could deprecate the current way of storing credentials and
>> require Barbican in a couple of releases. Then Barbican would be
>> a required service. The Barbican team might find this to be the
>> easiest route towards convincing other projects to also use
>> Barbican.
>> 
>> - Brant
>> 
>> Can you provide some details on how you'd see this work? Since
>> Barbican typically uses Keystone to authenticate users before
>> determining which secrets they have access to, this leads to a
>> circular logic.
>> 
>> Barbican's main purpose is a secret manager. It supports a
>> variety of RBAC and ACL access control methods to determine if a
>> request to read/write/delete a secret should be allowed or not.
>> For secret storage, Barbican itself needs a secure backend for
>> storage. There is a customizable plugin interface to access
>> secure storage. The current implementations can support a
>> database with encryption, an HSM via KMIP, and Dogtag.
> 
> Just bootstrap the genesis admin credentials into Barbican and
> Keystone the same way we bootstrap them into Keystone now. Once
> there's admin creds, they can be validated separately from updating
> them, and there's no circle anymore, just two one-way
> dependencies.
> 
