[openstack-dev] [castellan] Transferring ownership of secrets to another user

Alan Bishop abishop at redhat.com
Thu Jan 4 21:35:14 UTC 2018

Has there been any previous discussion on providing a mechanism for
transferring ownership of a secret from one user to another?

Cinder supports the notion of transferring volume ownership to another
user, who may be in another tenant/project. However, if the volume is
encrypted it's possible (even likely) that the new owner will not be
able to access the encryption secret. The new user will have the
encryption key ID (secret ref), but may not have permission to access
the secret, let alone delete the secret should the volume be deleted
later. This issue is currently flagged as a cinder bug [1].

This is a use case where the ownership of the encryption secret should
be transferred to the new volume owner.


[1] https://bugs.launchpad.net/cinder/+bug/1735285

More information about the OpenStack-dev mailing list