[openstack-dev] [barbican][castellan] How to share secrets in barbican

Dave McCowan (dmccowan) dmccowan at cisco.com
Fri Mar 31 16:24:37 UTC 2017

Another option:

If you want to give User-A read access to all Project-B secrets, you could
assign User-A the role of "observer" in Project-B.

This would use the default RBAC policy, not give every user access to the
secrets, and be more convenient than adding each user to the ACL of each

Tacker would use the Operator's token to retrieve secrets, and not shared
credentials from the configuration file.

On 3/31/17, 2:58 AM, "yanxingan" <yanxingan at cmss.chinamobile.com> wrote:

>Thanks Kaitlin Farr.
>In tacker vim usecase, an operator [user A] may create a vim with an
>account[user B] to access the NFVI. I want to store user B's password in
>There are two methods to store secret:
>1. All user A's vim secrets are stored in one common reserved
>project/user as mentioned.
>2. For each user A, the vim secret is stored in it's own domain
>The problem of 2 is:
>1) Vim can not be shared between different projects with default
>barbican RBAC policy.
>2) It's not secure to open the access to all users via RBAC policy. In
>addition, barbican may be invoked by other projects, e.g. nova, neutron
>3) It's not convenient to add every user to the ACL of A's secret.
>Is barbican ACL suport a "shared" similar attribute to a secret?
>On 2017/3/31 3:05, Farr, Kaitlin M. wrote:
>>>    As i known, the secrets are saved in a user's domain, and other
>>>project/user can not retrieve the secrets.
>>>     But i have a situation that many users need retrieve a same secret.
>>>     After looking into the castellan usage,  I see the method that
>>>saving the credentials in configuration,
>>>  then all operators use this pre-created user to create/retrieve
>>>  I want to know, is this way typical and easy-accepted? Does other
>>>projects face this issue?
>> ​By default, the secrets in Barbican are available at the project-level
>> [1]. I am not sure specifically which project or feature you are
>> referring to that all users need to access to one secret, but I would
>> suggest that editing the Barbican RBAC policy or ACL is a more elegant
>> solution than storing username/pw in the conf file. You can find more
>> details about RBAC at [2] and a sample policy.json file at [3].
>> Kaitlin Farr
>> 1. 
>> 2. 
>> 3. 
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: 
>>OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

More information about the OpenStack-dev mailing list