[openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager

Dave McCowan (dmccowan) dmccowan at cisco.com
Wed Mar 15 19:38:05 UTC 2017



On 3/15/17, 6:51 AM, "Julien Danjou" <julien at danjou.info> wrote:

>On Mon, Mar 13 2017, Clint Byrum wrote:
>
>> To me, Oslo is a bunch of libraries that encompass "the way OpenStack
>> does XXXX". When XXXX is key management, projects are, AFAICT,
>> universally using Castellan at the moment. So I think it fits in Oslo
>> conceptually.
>
>It would be cool if it could rather be "the way you can do XXX in
>Python" rather than being too much OpenStack centric. :)
>
>> As far as what benefit there is to renaming it, the biggest one is
>> divesting Castellan of the controversy around Barbican. There's no
>> disagreement that explicitly handling key management is necessary. There
>> is, however, still hesitance to fully adopt Barbican in that role. In
>> fact I heard about some alternatives to Barbican, namely "Vault"[1] and
>> "Tang"[2], that may be useful for subsets of the community, or could
>> even grow into de facto standards for key management.
>>
>> So, given that there may be other backends, and the developers would
>> like to embrace that, I see value in renaming. It would help, I think,
>> Castellan's developers to be able to focus on key management and not
>> have to explain to every potential user "no we're not Barbican's cousin,
>> we're just an abstraction..".
>
>I don't think the Castellan name is a problem in itself, because at
>least to me it does not sound like it's Barbican specific. I'd prefer it
>to be a Python generic library that supports an OpenStack project as one
>of its drivers. So I'd hate to have it named oslo.foobar.
>
>As far as moving it under the Oslo library, I understand that the point
>would be to make a point stating that this library is not a
>Barbican-specific solution etc. I think it addresses the problem in the
>wrong... but pragmatic way.
>
>What I think would be more interesting is to rename the _Barbican team_
>to the "People-who-work-on-keychain-stuff team". That team would build 2
>things, which are Barbican and Castellan (and maybe more later). That'd
>make more sense than trying to fit everything in Oslo, and would also
>help other projects to do the same thing in the future, and, maybe, one
>day, alleviate the whole problem.
>
>Other than that, sure, we can move it to Oslo I guess. :)

The Barbican community has always been the
"People-who-work-on-key-management-stuff" team.  We launched Castellan in
2015 with the explicit purpose of being a generic abstraction for key
managers.[1]  At that time, we envisioned developing a KMIP plugin to
connect directly to an HSM.  Currently, the interest level is higher
around a plugin for software-based secure storage, such as Vault.
However, patches for additional plugins have not been forthcoming.

Castellan was designed from the ground up to be a generic abstraction, and
I, and the rest of the Barbican community, hope to see more driver
development for it.  If a change of name or governance helps, we're all
for it.  But, I hope everyone knows there is no pushback from the
"People-who-work-on-key-management-stuff".  We welcome all contributions.

In addition, we want the Castellan library to be the go-to library for any
project that wants to add key management.  It is already used by Nova,
Cinder, Glance, Neutron, Octavia, and Magnum.  If a change in name or
governance helps other projects adopt Castellan, again, we're all for it.
In the meantime, we encourage and stand ready to help all adopters.

dave-mccowan
PTL, "People-who-work-on-key-management-stuff"

[1] https://wiki.openstack.org/wiki/Castellan




