[openstack-dev] [castellan] Transferring ownership of secrets to another user

Juan Antonio Osorio jaosorior at gmail.com
Sat Jan 6 08:26:44 UTC 2018

On 4 Jan 2018 23:35, "Alan Bishop" <abishop at redhat.com> wrote:

Has there been any previous discussion on providing a mechanism for
transferring ownership of a secret from one user to another?

For castellan there isn't a discussion AFAIK. But it sounds like something
you can enable with Barbican's ACLs.


You would need to leverage Barbican's API instead of castellan though.

Cinder supports the notion of transferring volume ownership to another
user, who may be in another tenant/project. However, if the volume is
encrypted it's possible (even likely) that the new owner will not be
able to access the encryption secret.

The new user will have the
encryption key ID (secret ref), but may not have permission to access
the secret, let alone delete the secret should the volume be deleted
later. This issue is currently flagged as a cinder bug [1].

This is a use case where the ownership of the encryption secret should
be transferred to the new volume owner.


[1] https://bugs.launchpad.net/cinder/+bug/1735285

OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180106/542d6512/attachment.html>

More information about the OpenStack-dev mailing list