[openstack-dev] [barbican][castellan] How to share secrets in barbican

Farr, Kaitlin M. Kaitlin.Farr at jhuapl.edu
Thu Mar 30 19:05:46 UTC 2017

>    As i known, the secrets are saved in a user's domain, and other project/user can not retrieve the secrets.
>    But i have a situation that many users need retrieve a same secret.
>    After looking into the castellan usage,  I see the method that saving the credentials in configuration,
> then all operators use this pre-created user to create/retrieve secrets. 
> I want to know, is this way typical and easy-accepted? Does other projects face this issue?

​By default, the secrets in Barbican are available at the project-level
[1]. I am not sure specifically which project or feature you are
referring to that all users need to access to one secret, but I would
suggest that editing the Barbican RBAC policy or ACL is a more elegant
solution than storing username/pw in the conf file. You can find more
details about RBAC at [2] and a sample policy.json file at [3].

Kaitlin Farr

1. https://developer.openstack.org/api-guide/key-manager/acls.html#default-acl
2. https://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html
3. https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json


More information about the OpenStack-dev mailing list